If you think that your cyber insurance claim will be cleared with no questions asked, think again. Insurance claim denial has risen. While reviewing your claim, your cyber insurance provider will assess whether you took “due care” to protect your business from being compromised by a cyberattack. While having a cyber liability insurance policy is non-negotiable today, you cannot be fully assured that your insurer will cover any of the costs you incur following a security breach.
Hidden in the fine print of your cyber insurance policy document are certain terms and conditions set by the insurer that you must be compliant with. That’s why it is important for you to assess whether you are compliant with the terms of your cyber insurance policy and ensure that any risks that could lead to non-compliance are remediated.
Let’s take a look at some of the common reasons for cyber insurance claim denials, what impacts the denials can have and how the right support can help you ensure your cyber insurance claim isn’t denied due to non-compliance.
What is Driving Compliance?
Insurers want to minimize payouts and boost the loss ratio (the ratio of premiums to payouts). They have lost money in recent years. Your cyber insurer may deny your claim completely or deny a sizeable portion of it.
The biggest reason for claim denials is policy exclusions. These security incident exclusions are often in the “fine print”. Filing a claim for an incident that falls within the list of exclusions could prove to be a futile exercise.
Your insurance policy lists data security practices that you must implement in your business’ network. Not having basic prevention practices in place is an easy reason to deny your claim.
Your insurer will want to see tangible evidence. They want documentation of the preventative measures you have undertaken to ward off cyberthreats. To avoid any hassles, you need to have thorough, accurate and updated documentation at all times.
Your network’s security isn’t just your responsibility. It’s the responsibility of your third-party stakeholders as well. A security lapse in a third-party vendor’s network could result in the claim being denied by the insurer. Even if the claim isn’t denied, it’s highly likely that the insurer will scrutinize the matter in depth, which could make it a long, drawn-out process.
Accidental errors and omissions in the documentation you share with the insurer could prove detrimental to the approval of your claim. The documented evidence should encompass everything you have done to abide by the terms put forth by the insurer.
Cyber liability insurance plans vary, so you must pay close attention to coverage timeframes. You want to get all your losses covered rather than just a small percentage of them.
A claim denial can derail a business’ strategy to recover the costs incurred following a security incident.
The Peculiar Case of the NotPetya Attacks¹
Researchers at the Cyentia Institute reviewed the 100 largest cybersecurity incidents over the last five years, which accounted for US$18 billion in losses, and discovered that the NotPetya ransomware accounted for 20% of losses. Despite that, the pharmaceutical giant Merck and multinational food company Mondelez International are still in the process of claiming $1.3 billion and $100 million respectively through high-profile lawsuits. In October 2020, the U.S. government indicted six Russian military personnel for the attacks. Since then, the insurers have cited the “war and terrorism” exclusion to deny these claims.
When a Canadian Not-For-Profit Was Denied a Payout²
In a case settled in May 2021, Family and Children’s Services of Lanark, Leeds and Grenville (FCSLLG), a Canadian not-for-profit organization, failed to seek $75 million in damages. The security incident involved an unidentified hacker who stole confidential reports and leaked them on two Facebook pages. FCSLLG initiated a third-party claim against Laridae, a company it had hired to revise its website. Despite holding two policies with the Co-operators at the time of the hack, the Co-operators denied coverage under both policies based on data exclusions. The policies excluded any loss “arising out of the distribution or display of data by means of an internet website.”
These incidents should serve as a glaring reminder for your business. You must completely understand where threats are most likely to emerge from. Also, ensure that potential losses are included in your cyber insurance policy. Some businesses may be able to continue functioning as usual due to their financial prowess. Can YOUR business survive a major financial setback if your insurance claim is denied?
All this may seem overwhelming at the outset. Having the right support eases complying with your cyber liability insurance policy’s terms. By leveraging our compliance process automation platform, we can help you with:
We can help your organization comply with the requirements of a cyber liability insurance policy.
To learn more, contact us today for a consultation.
Sources:
1. Security Boulevard
2. Pallett Valo LLP