Why You Could Be Denied Cyber Insurance Policy Coverage

As you’re working toward achieving robust cybersecurity, the subject of cyber insurance is certain to enter the discussion. Maybe you’ve already delved into this topic, seeing as cyber insurance has become an essential cornerstone of every information security program. Many overriding factors will affect your ability to obtain and retain the type of coverage you need at a reasonable rate—and a successful approach is tied closely to a comprehensive cybersecurity posture. 


Coverage Denials and Claims Rise

With cyber threats like ransomware continuing to trend upward and the supply chain and third-party vendors under direct attack, the cyber insurance market is on high alert and its risk model for coverage is changing. According to one insurance provider, price increases, coinsurance, and sublimits on coverages will continue through 2021. Some insurers have pulled back on their coverage altogether, and pricing has increased anywhere from 40 to 60%.

With this sea change comes a dose of reality: premiums are much higher, and coverage may be reduced or denied altogether. Claims have become more complex: in addition to ransomware payments, they must now cover IT forensics, legal costs, business interruption and funds for data restoration. Businesses will find themselves, their risk profiles, and those of their customers under close scrutiny, with detailed assessments and other documentation necessary to be considered for coverage.

The New Reality of Insurance

A 2021 Coalition Cyber Insurance Claims Report shows that social engineering incidents were up 51% over the first half of 2020. According to the report, it will be more difficult to qualify for cyber insurance and the implementation of many common cybersecurity controls will be required as a condition of coverage. 

While the decision is up to the underwriters, there are steps you can take so you’re less likely to be denied during the cyber insurance underwriting process. Be prepared to prove that your cybersecurity program, which should include assessments, testing, policies, training, detection, and response, is in line with your potential risk. You’ll also likely be responsible for providing detailed data, questionnaires, and other information to insurance companies.

Want to know how cyber insurance got so complicated and how to keep up with the evolving threat landscape? Register for our upcoming webinar The Perfect Storm for Cyber Insurance: How did it get so complicated?

No Insurance is Risky Business

Operating without cybersecurity insurance is not an option, and organizations need to protect themselves from a multitude of legal consequences. While costs are rising for both the insurer and the insured, doing nothing to prepare has far-reaching implications. Not being insured can result in loss of business continuity, profitability, health and safety, and ongoing reputation within the community.

Some common reasons your claim could be denied include:

  • Failure to maintain or follow an ongoing program or minimum standards.
  • Discrepancies, errors, omissions or ambiguity in completing the initial risk questionnaire.
  • In the event of an attack, the initial compromise occurred before the cyber policy was purchased.
  • Ransomware perpetrated by organizations deemed nation-state actors may be considered acts of war.
  • Conducting your own initial forensic discovery—many cyber insurance providers have their own incident response teams or preferred vendors for investigation. Discuss incident response requirements before you have an actual cyber event.

Plan, Prep, and Execute 

Businesses with cybersecurity insurance need to ensure that their coverage is sufficient and addresses their most significant potential risks—and specifically the clients they serve. Remember that there are basically two kinds of insurance: first-party coverage covers direct losses to the insured, while third-party coverage extends to losses suffered by others based on their relationship to the insured.

Coverage is never 100% complete, and these and other costs may not be included:

  • Downtime/business interruption resulting in loss of sales and profitability, as well as the potential for losses to occur in the event of a cyber-attack during the “waiting period” for policy enforcement. 
  • Costs to improve technology systems, such as new hardware, software, upgrades and security hardening for systems or applications.
  • Third-party or misconfiguration mistakes—for example a breach arising from cloud misconfiguration or administrative error configuring cloud-hosted web services.

In this ever-evolving cybersecurity landscape, insurers are asking much more of their clients in terms of staff training and technological safeguards. Some may avoid government and critical infrastructure markets altogether. In addition, there’s now a philosophical question to address: Do these targeted policies actually create incentives for attacks and ransom demands, because attackers know governments have insurance policies and can pony up large payments? Yes, say some experts, but not having insurance is a risk governments and other high-profile users simply cannot take.

Best Practices to Avoid a No-Go on Insurance

Cyber insurance is a critical risk mitigation measure—but it can’t stand alone. If you’re newly investigating cyber insurance, be prepared to provide lots of details about your business, who your customers are, and your established policies and procedures. Determine your risk with full transparency, set a baseline, and conduct thorough due diligence on the policies available and what they specifically cover.

Organizations without internal security teams may be more vulnerable to sophisticated cyber threats and need guidance and tools to build and manage a comprehensive cybersecurity program. Cybersecurity is a posture—an ongoing process that aligns throughout your organization and seeks regular improvement to address current threats and attack vectors. While we can’t guarantee that you won’t have challenges to obtaining coverage along the way, Defendify’s platform provides continuous cybersecurity to align with an insurance provider’s expectations.

Cyber Insurance Coverage for IT Providers

MSPs and technology providers are now being targeted—as attacks on the supply chain magnify and spread throughout the vendor and customer base. Operating without insurance isn’t an option any longer, especially with the potential for legal action in the balance.

How you provide services should be part of your plan of action—and new strategies may be necessary. For example, this may mean replacing tools (such as those for remote monitoring) deemed vulnerable, deploying a new application or platform across the entire company, and training the team on it.

Some elements of your Incident Response Plan (IRP) may also have to change in order to have a policy in place. And if you have an IRP or a detection and response capability without actual training, implementation and continuous improvement, you could actually be creating additional vulnerabilities.

There may be software that’s deemed particularly risky, so MSPs and technology providers need to stay current with emerging threats—or subject themselves to added risk and the potential for cyber insurance denial.

More Cyber Insurance Readiness Resources:

Upcoming Webinar on November 30th: The Perfect Storm for Cyber Insurance: How did it get so complicated?

Blog: Getting Cyber Insurance Policy Coverage: Where to Start

Video: Understanding Cybersecurity Insurance

Webinar: The Legal Side of Cybersecurity: How Growing Businesses Can Protect Themselves

Blog: The Legal Side of Cybersecurity: How MSPs and Integrators Can Protect Themselves
