BreachExchange mailing list archives

Cyber Insurance Coverage Comes in All Shapes and Sizes


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 4 Mar 2015 18:49:19 -0700

http://www.dailybusinessreview.com/id=1202719554127/Cyber-Insurance-Coverage-Comes-in-All-Shapes-and-Sizes?slreturn=20150204195905

Target, Home Depot, Sony, Anthem. All of these companies have been victims
of very public cybersecurity breaches. Given what we know about those
breaches, how can any other company know that it is safe from a cyber
attack? No firewall appears to be unbreachable and no security system
impenetrable.

No company is big or small or traditional enough to avoid such exposure, as
long as the business receives or transmits data or uses computer networks.
And the harm from such attacks is not limited to bad publicity and possible
job losses for those whose files are hacked: there are very real, and
substantial, costs that companies incur when they suffer such attacks.

For instance, there are the forensic costs required to investigate, detect
and repair the breach. There is the potential lost income to the extent a
part or all of the business is shut down for any significant period of
time. And, there is the cost to remedy the damages to third-party customers
and employees. There also may be substantial liability to those third
parties as well as potential exposure of the company's directors and
officers if there are claims that not enough was done to protect the
company from such exposures.

One response obviously is to engage computer security experts to attempt
to protect against such attacks. That, however, may not be enough and the
attacks may still be successful. The next line of defense is to make sure
that the company has sufficient insurance to protect against the
potentially substantial costs of such an attack.

But, what kind of insurance should a company get? Unfortunately, there is
not a simple answer to that question and, just like with network security
experts, it is necessary to consult sophisticated insurance coverage
experts on this issue in order to make sure a company has the correct
coverage.

Cyber insurance coverage definitely is not a one-size-fits-all commodity.
At last look, there were more than 50 companies offering standalone cyber
insurance policies.

Those policies are not all identical. In addition, many traditional, legacy
policies may provide coverage for at least some of the exposures created by
cyber security risks, to the extent such coverages are not excluded by
recently added endorsements given the insurers' concern about such
exposures.

Each company needs to carefully evaluate what kind of insurance it needs to
protect against the types of exposures it faces. And, unfortunately, not
only are all of these policies different from each other, many of the
policies, themselves, contain significant potential barriers to the kinds
of coverage that companies truly will need.

Coverage Issues

Some of the issues to consider include:

Does the coverage to be provided protect against claims arising out of
bodily injury or property damage (for example, caused by a cyber attack on
a factory or transportation device, such as a train, plane or automobile,
or on the traffic signals or water system operated by a municipality) or
are they limited to expenses and costs responding to the breach itself?

Does the policy cover forensic expenses, which can be very considerable in
terms of identifying the cause of the breach and determining the identity
of persons impacted?

Does the policy provide coverage for business interruption loss, including
extra expense incurred to operate in the interim and how is such
interruption defined? For instance, what if the service has just been
severely degraded, but there is still some functionality?

What is the retroactive date for such coverage? How far back can the attack
have taken place and there would still be coverage? For instance, many
breaches may have been caused by the insertion of malware that took place
long before the inception of the policy, but the actual harm was not
discovered until much later. And, how does the policy even determine how
the breach was caused if it is not easy to isolate and identify a cause?

What if the policy contains a "due diligence" requirement regarding the
security of a company's network and systems? Will a carrier deny coverage
if the network is breached, anyway? If so, does all such coverage become
illusory?

Finally, does the insurance policy cover only claims arising from the theft
of third parties' confidential information, such as bank accounts and
personal health information, or does it also cover the loss of the company's
own confidential information, as happened in the Sony attack, where the
company's own reputation was damaged as well?

The conclusion is that companies need cyber insurance coverage and also
need to be very careful that they are getting what they actually need.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 