Cyber Liability Policy Exclusions
Why you may not be as covered as you think.
Cyber liability insurance is hopefully not your first line of defense against cyberattacks but may be your last. The hidden problem is that most cyber liability insurance policies have exclusions that may result in your claim being denied. You are not alone if you find that you are not prepared or are unaware of these policy exclusions. We frequently hear from companies that turn down simple security procedures, hardware, and software because the company is “covered by a cyberliability policy.” Given the inevitability that every company will experience a breach, a hijacking, or an exposure, those that consider themselves covered may experience an awful truth at the worst possible time.
Policy exclusions can fall under several categories and this list is by no means exhaustive. Almost every new cyberattack causes a re-evaluation of risk resulting in a continuous process of tightening coverage. As a reminder, always read your policy and exclusions as each policy may be different.
Failure to Maintain
Not properly maintaining and securing your IT infrastructure will often result in an exclusion for failing to follow minimum required practices. This can also be referred to as a negligence exclusion. These types of exclusions can appear in warranty statements and are blanket exclusions, but can also show up in specific clauses. Lack of adequate security controls, failure to meet regulatory compliance standards, failure to comply with professional rules of conduct, and failure to maintain documented processes could also be indicators of negligence or the failure to follow minimum required practices. All of these can result in an exclusion of coverage.
Regulatory Fines
Fines levied by regulatory agencies for failure to comply with regulatory requirements are another exclusion in most policies. If you are handling patient data and are not HIPAA compliant, or you fail to meet GDPR requirements and are assessed a fine, you’ll likely end up paying for it yourself.
Fee Coverage
Most policies exclude coverage for loss “based upon, arising from, or in consequence of any…liability assumed by any insured under any contract or agreement,” and for “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any insured.” So, PCI compliance fines and the contractual costs charged by the credit card processors due to your data breach will be your responsibility.
Self-Assessment
Most cyber liability policies require the completion of a “risk control self-assessment.” Make sure to answer everything truthfully and accurately. Insurers may use policy conditions to avoid coverage and they will use your misrepresentations in the risk control self-assessment as a means to do so. It would be like misrepresenting that a sprinkler was installed in a home before a fire. Just because you have antivirus software installed, does not mean that you have taken all measures sufficient to prevent a cyber-attack.
Ransomware
Even if your policy covers ransomware, it likely will not cover your lost income, reputational damage, and lost clients; each of which can put you out of business. When you are attacked with ransomware, it can affect business operations for weeks or months. Some policies require that you negotiate the ransom amount. That takes time and extends the interruption to your business. Typical exclusions to a ransomware policy may include damages to third parties and contractual penalties (as discussed above), business interruption, the value of intellectual property stolen, and the costs to remediate the security vulnerabilities.
Cloud
If you are using any cloud services like Microsoft’s Office 365 or Google’s G-Suite, make sure your coverage extends to those services as well. Definitions of your computer systems may not extend into the cloud. Microsoft and Google limit their exposure. If your cyber liability does not reach your cloud services, your breach may not be covered at all.
Pre-Breach
Just because you have not been breached yet, does not prevent you from being sued if a vulnerability is found in your system. In one of the more famous cases, a law firm was sued for a vulnerability found in its system. Without an actual breach triggering coverage, the insurer denied coverage based on the grounds that a breach was a prerequisite to claim coverage. This just hammers home the idea that you need to be taking the appropriate steps to secure your network and data immediately.
Acts of War
What happens when the breach is caused by an agent of the state? We will find out soon, but while we wait you should know that multi-billion dollar pharmaceutical company Merck was denied coverage for $1.3B damage due to a cyberattack that its insurers are calling an act of war and thus excluded from coverage. Merck’s damage was due to the NotPetya virus, which according to Western intelligence agencies, was a creation of the GRU, Russia’s military intelligence agency. It is probably not a great idea to base your hopes for coverage on the off chance that the hacker is only a criminal that wants to steal all of your electronic data.
Fraudulent Transfer/Phishing
Many policies also have exit points that allow for denial of coverage. Many have been demonstrated in previous lawsuits. Some of those exit points have been:
Money stolen from the insured that was transferred voluntarily by a person with the authority to transfer the funds. The claim was denied because the person wiring the funds transferred the funds based on a fraudulent email they received.
Money stolen when an employee failed to follow the company’s internal security controls.
Client funds stolen that were not a direct loss from the company. Credentials obtained in a breach were used to steal client funds not directly controlled by the company.
Money stolen over the phone that did not require the use of a computer.
All these policy caveats to get to a simple point. If you are relying on your cyber liability insurance policy to cover your losses for a data breach, theft, ransom, loss of profit, or indirect losses instead of tightening your security, it will likely end poorly for you.