Commentary ON THE PRICE OF BUSINESS SHOW, MEDIA PARTNER OF THIS SITE.
Recently, Mark Wiener spoke on the Price of Business.
Today I talk all about Cyber Liability Insurance. It sounds like a boring topic, but it is a vital one for most businesses. If you think your cyber insurance claim will be paid without questions, without the insurer studying both the application you signed and your terms document, think again. Your cyber liability insurer will assess whether you took “due care” to protect your business from being compromised by a cyberattack.
First, let’s start with what due care is. Merriam-Webster defines due care as “the care that an ordinarily reasonable and prudent person would use under the same or similar circumstances.” In my view, a cyber liability insurance policy is a requirement for any business; however, you cannot just assume your insurer will cover any of the costs you incur following a security breach.
Your cyber liability insurance policy has detailed compliance information in the policy document. These are terms and conditions set by the insurer that require you to comply with their minimum standards. That is why it is important to assess whether you are compliant with the terms of your cyber insurance policy and to ensure that any non-compliance issues are remediated.
Insurers are increasing their efforts to reduce payouts and protect their claim loss ratio.
Denials of cyber insurance claims are rapidly increasing. Cyber liability insurance companies (like most insurance companies) look at various aspects of a claim to deny it entirely or minimize the payout.
Why Your Cyber Insurer May Deny Your Claim
- Policy Exclusions
The single greatest reason for claim denial is a policy exclusion. The security incidents on the exclusion list can be found in the policy document. I recommend reading the document as well as speaking with your insurance broker, who can help you understand what exclusions exist.
- Lying on your Insurance application
The runner-up for claim denial relates to the questionnaire you completed about your technical and cyber posture. If it is found that you lied on your application (for example, if you were asked whether all user accounts have multi-factor authentication enabled and none do, or some do but some don’t), your claim is likely to be denied. You can also face cancellation of the policy or be charged a higher risk premium. It is also possible that your company may be reported to the authorities if the misstatement is determined to be a “material misrepresentation.”
- Poor Prevention Practices
Failing to perform core prevention practices, failing to document that you are doing them, or not even taking the time to write the policies for how preventive maintenance is done, gives the insurance carrier an easy way to deny your claim. Most insurance policies list data security practices that you must have in place for your business.
- Failure to Document Preventative Measures
Documentation, documentation, documentation. I have seen claims get rejected because there was no tangible documentation that the preventative maintenance was completed. You need to keep accurate and updated documentation outside of the core network so it can be submitted when there is a claim.
- Coverage dates out of range for the Claim
Pay close attention to coverage start and end dates. There may or may not be retroactive dates associated with the policy. You need to pay attention to this detail. I promise you, your insurance carrier will.
Just a few months ago I saw a small company get a 1.7-million-dollar claim because their environment was not protected the way the application signed by their controller said it was. How does that qualify as risk mitigation?
It is far more costly to have a cyber incident than to put the core tools and processes in place to prevent one. One incident can put you out of business.
It may seem overwhelming to comply with your cyber liability insurance policy’s terms, but with the right support from professionals a plan can be made, and you can do what needs to be done to reduce the risk for your company.
My thoughts and recommendations
· Make sure you have the right coverage limits based on your exposure
· Make sure you read your contract details and get the appropriate help.
· Build processes and procedures to make sure your company is being vigilant.
· Set up regular automated compliance assessments to capture and create documentation
· Make sure you keep documentation of environment changes
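The recommendation above to run automated compliance assessments that create their own documentation, and the multi-factor authentication question from the application section, as an added Python example that is not part of this commentary or of BizCom Global's tooling. The account inventory is constructed sample data standing in for an identity-provider export; the assessor name, the record layout and the SHA-256 digest scheme are assumptions chosen for illustration:

```python
"""Automated MFA-coverage assessment that emits a tamper-evident evidence record.

Added example for this commentary, not code from the author or BizCom Global.
The account inventory below is constructed sample data; in practice it would be
exported from the identity provider on a schedule.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample export, shaped like a typical identity-provider listing.
SAMPLE_ACCOUNTS = [
    {"username": "alice", "mfa_enabled": True, "privileged": True},
    {"username": "bob", "mfa_enabled": True, "privileged": False},
    {"username": "svc-backup", "mfa_enabled": False, "privileged": True},
    {"username": "carol", "mfa_enabled": False, "privileged": False},
]


def assess_mfa_coverage(accounts):
    """Evaluate the insurer's question literally: do ALL accounts have MFA?

    Partial coverage ("some do, some don't") is reported as non-compliant so
    the documented answer matches what was, or should have been, written on
    the application.
    """
    missing = sorted(a["username"] for a in accounts if not a["mfa_enabled"])
    missing_privileged = sorted(
        a["username"] for a in accounts if not a["mfa_enabled"] and a["privileged"]
    )
    total = len(accounts)
    return {
        "control": "MFA enabled on all user accounts",
        "total_accounts": total,
        "accounts_with_mfa": total - len(missing),
        "accounts_missing_mfa": missing,
        "privileged_missing_mfa": missing_privileged,
        "compliant": not missing,
    }


def _digest(payload):
    # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_evidence_record(assessment, assessor, generated_at=None):
    """Wrap an assessment in a dated record with a SHA-256 digest.

    The digest lets whoever receives the copy kept outside the core network
    confirm it was not edited after the fact. It is not a signature, so it
    proves integrity, not who produced the record.
    """
    when = generated_at or datetime.now(timezone.utc)
    body = {
        "generated_at": when.isoformat(),
        "assessor": assessor,  # assumed label for the scheduled job
        "assessment": assessment,
    }
    return {"body": body, "sha256": _digest(body)}


def verify_evidence_record(record):
    """Recompute the digest; False means the stored record was altered."""
    return _digest(record["body"]) == record["sha256"]


def run_assessment(accounts=SAMPLE_ACCOUNTS, assessor="scheduled-job"):
    """One scheduled run: assess, wrap as evidence, return the record."""
    return build_evidence_record(assess_mfa_coverage(accounts), assessor)


if __name__ == "__main__":
    record = run_assessment()
    # In a real deployment the record would be written to the off-network
    # evidence store; here it is printed so the run is visible.
    print(json.dumps(record, indent=2))
    print("verifies:", verify_evidence_record(record))
```

Running it on the sample data reports the control as non-compliant and names the two accounts without MFA, which is exactly the "some do, some don't" situation the application question is meant to catch. Keeping each dated record, with its digest, on a store outside the core network gives you the documentation trail the claims process asks for, and verifying the digest before submission shows the record was not changed after the assessment ran.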
Mark Wiener is CEO of BizCom Global (https://bizcomglobal.com), which provides a team of specialists that assist small and midsized companies with Managed Cloud IT, Cybersecurity and technical compliance services.
Companies are not doing enough to protect themselves from ransomware and hacking threats. It is time for companies to get serious about cyber security!
Huge security breaches like Colonial Pipeline get the big headlines, but many small to medium-sized businesses are also getting hacked.
The reason? A company’s own employees unwittingly open the door to hackers!
Human errors and accidental losses lead to many data breaches, which can be especially fatal to small and medium-sized businesses.
They click items without thinking first, they release dangerous malware that has rightly been sent to the spam folder, and they are lured by “phishing” attacks.
It is vital that businesses provide core tools and regular cyber training and emphasize the importance of comprehensive security to employees.