Blog / Cyber Insurance Coverage is Changing
Understanding your policy is more important than ever.
Whether you view insurance as a scourge on society, a mere annoyance, or even an actually valuable service, cyber insurance as a concept is relatively new even by insurance standards. Cyber insurance was first offered by Lloyds of London back in 2000 (possibly inspired by the Y2K bug) and became more widely available by the mid-2000s.
Remember that insurance isn’t just about being able to replace an insured item; much of it is about assuming reasonable degrees of risk. It’s not so much about what you insure (like Bruce Springsteen’s voice), as it is about properly weighing the costs of insurance against the risks of going uninsured. This can be especially hard in cyber insurance because it’s new and standards aren’t entirely set. For example, I regularly help client’s complete cyber insurance applications and of all the forms I’ve seen, none have been similar. There are some common themes to be sure, but they are all very different.
Of course, at this stage in the evolution of a product, change’s aren’t unexpected. Recently I wrote how Lloyds updated their exclusion clauses for cyber insurance, so since insurance organizations keep adjusting the rules it’s important to stay up-to-date.
To that end I’d like to bring your attention to this article. To summarize, an organization made a $600,000 USD cyber insurance claim after a successful cyber attack (and it wasn’t even ransomware). The incident was caused by a socially engineered attack that resulted in a Business Email Compromise (BEC). The policy maximum was $1 million, so a $600,000 claim should have been fine, but a clause limited payouts for socially engineered attack to just 10% or $100,000.
Unsurprisingly this was a nasty shock for the claimant. Depending on the size of the business, what effectively amounts to a $500,000 loss could be catastrophic and even result in bankruptcy.
Compare this situation with how other insurance is handled, where negligence limits most payouts as well. It’s one thing to get your door smashed in during a robbery; it’s something else if you leave your door unlocked and security system turned off. It looks like insurance companies moving to treat socially engineered attacks in a similar way in their cyber insurance policies. Since cyber insurance is still an evolving product it’s important to make sure you are aware of what is covered, and the clauses that limit your coverage. Make sure you read those contracts carefully, and of course, if you’d like help with your cyber insurance applications, don’t hesitate to contact your TRINUS account manager today.
Today’s Shakespeare comes from The Taming of the Shrew: “No profit grows where no pleasure is taken.”
Be kind, courtesy your friendly neighbourhood cyber-man.