Cyber Security is certainly a hot topic, and insurance companies are taking advantage of the current environment. Even a couple of years ago, insurance companies did not really understand how to formulate a comprehensive insurance coverage plan for a business. They would cover the loss of personally identifiable information, security breaches and loss of information; wire fraud was covered in some cases, and ransomware was not.
They have now gotten much more mature in their product offerings. A good policy will now typically cover:
- Unauthorized release of information which you are obligated to keep private
- Invasion of privacy and/or copyright or trademark violations (including social media posts)
- Computer security incidents/breaches resulting in loss or alteration of data, transmission of malicious code, denial of service, etc.
- Defense costs in any regulatory proceedings involving violations of privacy laws, either federal or state
- 1st and 2nd party coverage, meaning monetary reimbursement to the Insured for out-of-pocket costs for experts to recover/restore systems. The 2nd party coverage is reimbursement of the funds necessary to attempt to make whole those whose personal information may have been lost or stolen; this may include notification services and credit monitoring services.
- GDPR privacy violations are also covered in some cases
- Cyber Extortion: ransomware and attempts to extort a company by holding its information and/or data hostage through encryption.
While insurance companies have caught up to the needs of business with respect to these types of coverage, it is now important that businesses understand these changes and how they need to conduct themselves under the new policies. These policy updates come with requirements to which your business must adhere. In the event of a breach, the insurance company may deny your claim if you are not following its specific guidelines for policy compliance.
These requirements fall into three areas, depending on who your insurance provider is:
- Accuracy of your Application
- Process and Policy
- Exclusions you need to be aware of
Accuracy of Your Application
Many of these policies will exclude any benefits should the application contain any errors, omissions or factually incorrect data. Examples are shown below.
“By acceptance of this Policy, “You” agree that the statements contained in the “Application”, any application for coverage of which this Policy is a renewal, and any supplemental materials submitted therewith, are “Your” agreements and representations, that they shall be deemed material to the risk assumed by “Us”, and that this Policy is issued in reliance upon the truth thereof. The misrepresentation or non-disclosure of any matter by “You” or “Your” agent in the “Application”, any application for coverage of which this Policy is a renewal, or any supplemental materials submitted therewith will render the Policy null and void and relieve “Us” from all liability under the Policy if the misrepresentation or non-disclosure: is stated in the Policy, any endorsement or the application; and was made with the actual intent to deceive, or materially affected either “Our” acceptance of the risk or the hazard “We” assumed.”
Here is another example:
Representations and Severability
The Insurer has relied on the statements made and information in the Application and the accuracy and completeness of such statements and information. Such statements and information are the basis for the Insurer’s issuance of this policy, are incorporated into and constitute a part of this policy, and such statements and information have induced the Insurer to issue this policy.
If the Application contains any misrepresentation or any inaccurate or incomplete information or statement, and such misrepresentation or inaccurate or incomplete information or statement either was made with the intent to deceive, or materially affected either the acceptance of the risk or the hazard assumed by the Insurer under this policy, then no coverage will be provided under this policy for any Claims based upon or arising out of the facts that were the subject of such misrepresentation or inaccurate or incomplete information or statement, nor for covered events arising out of or in connection with the facts that were the subject of such misrepresentation or inaccurate or incomplete information or statement, with respect to:
1) any Individual Insured who knew, as of the date the Application was signed, of the facts that were the subject of the misrepresentation or inaccurate or incomplete information or statement, whether or not such Individual Insured knew the Application contained the misrepresentation or inaccurate or incomplete information or statement;
2) or any Insured Entity, if any Control Group Insured of such Insured entity knew, as of the date the Application was signed, of the facts that were the subject of the misrepresentation or inaccurate or incomplete information or statement, whether or not such Control Group Insured knew the Application contained the misrepresentation or inaccurate or incomplete information or statement.
Process & Policy
In many cases you will be expected to designate a control group; in some cases the insurance company will define one for you. It may include board members, executive officers, Chief Technology Officers, Chief Information Officers, Risk Managers and General Counsel, or their functional equivalents (the "Control Group"). These Control Group members then have specific responsibilities.
Examples are shown below:
“However, such insurance as afforded by this provision shall not cover a “Claim” against “Your Organization”, or an “Event”, if a member of the “Control Group” failed to give notice as required by Section IX.A.1. if such “Claim” or “Event” arises from “Wrongful Acts”, acts, errors or omissions that were also known to another then current member of the “Control Group”.”
“Reporting of Claims and Events
It is a condition precedent to coverage under this policy that:
1) as soon as any Control Group Insured becomes aware of any Claim, the Insured must notify the Insurer in writing as soon as practicable, but in no event later than 30 days after the end of the Policy Period;
2) as soon as any Control Group Insured becomes aware of any Enterprise Security Event, the Insured must immediately notify the Insurer in writing, but in no event later than 30 days after the Enterprise Security Event occurs; and
3) as soon as any Control Group Insured becomes aware of any Extortion Threat, the Insured must immediately notify the Insurer in writing but in no event later than 30 days after the Extortion Threat first occurs. This notice must contain known details concerning the person or entity making the Extortion Threat, and all reasonably obtainable information concerning the time, place and other details of the Extortion Threat.”
You must be aware of and prepared for these obligations, have the notification procedures documented, and make all personnel in the Control Group aware of their responsibilities.
Exclusions You Need to Know About
You need to understand all the exclusions in your policy so that you do not find yourself without coverage.
Some examples of exclusions to Cyber Insurance policies are below:
This policy does not cover any amounts due to, in connection with or arising out of, or Claims based upon or arising out of:
Unlawful Use of Information
based upon or arising out of any unlawful or unauthorized:
1) collection or acquisition of personal information; or
2) use of personal information to send unsolicited communications, faxes or emails, or any failure to comply with legal requirements or obligations relating to a person’s consent to the acquisition, collection, or use of personal information.
Does this mean you aren’t covered if a 3rd party used your stolen data in a way that results in a lawsuit against you? That is a good question to ask your insurance representative.
It is a condition precedent to coverage for such PCI-DSS Fines that the Named Insured must have accurately validated, not more than 12 months prior to the occurrence of the Enterprise Security Event giving rise to the Claim, to the applicable credit/debit card company that it was in compliance with the Payment Card Industry Agreement’s data security standards.
solely with respect to an Enterprise Security Event Claim, the Insured’s failure to:
a. timely disclose an incident described in 1. and 2. above in violation of a Privacy Regulation;
i. prohibiting any Insured from disclosing, sharing, or selling Protected Personal Information;
ii. requiring the Insured to provide access to and correct inaccurate or incomplete Protected Personal Information; and
iii. requiring compliance with procedures to prevent the theft or loss of Protected Personal Information
Action Against the Insurer
No action will lie against the Insurer unless, as a condition precedent thereto, there has been full compliance with all of the terms of this policy by all Insureds, nor until the amount of the Insured’s obligation to pay will have been fully determined either by judgment or award against the Insured after trial or arbitration or by written agreement among the Insureds, the claimant and the Insurer.
No person or organization will have any right under this policy to join the Insurer as a party to any action against the Insured to determine the Insured’s liability, nor will the Insurer be impleaded by the Insured or the Insured’s legal representative.
While I certainly believe these Cyber Security policies are necessary, they require a whole new level of attention. This is no longer a hands-off process. You must become familiar with the requirements of compliance, assign the appropriate resources to manage this new coverage and have your infrastructure well configured and supported to be able to handle the issues surrounding these new insurance policies.
Systech is now working to simplify and clarify compliance and reporting for our customers so that compliance with these Cyber Security policies can be achieved easily. We do this with our Audit Guru software.
How Systech’s Audit Guru Can Automate Cyber Insurance Policy Compliance
We now provide a solution to ease the burden of maintaining compliance with your Cyber Insurance policy. Our turn-key software solution provides automated data gathering and validation, and smart checklists based directly on your company’s unique Cyber Liability Insurance Policy. We can also help answer the technical questions and fix any technical issues your policy may require.
If you want to learn more, check out our datasheet or contact firstname.lastname@example.org to set up a discussion.