November 25, 2024

What Isn't Covered by Cyber Insurance?

Imagine it's a sunny Saturday afternoon and you're driving to meet some longtime friends for lunch. You're just a few minutes from the restaurant when, all of a sudden, a car comes barreling into your peripheral vision on the passenger side and -- BAM -- collides with the side of your car. Your once pristine and reliable car is now only capable of limping to the side of the road. Thankfully, your car is fully insured, and you can bring it to a shop to get it fixed without any major cost to you.

Car insurance makes sense. Most states even require it. It is also fairly straightforward what your car insurance covers when you submit a claim. Cybersecurity insurance, by contrast, often feels like a daunting beast that is just as complex as the attacks that warrant it. Even worse, the line between what is and isn't covered by your policy is often much less clear.

Cybersecurity insurance has sprinted its way to the forefront of many cybersecurity programs and incident response plans. Despite its growing presence in headlines and its increasingly routine role in incident response efforts, it still feels like a veiled concept to most organizations. So we are going to discuss what cybersecurity insurance is, what to look for within your policy, and what most policies typically do not cover, so you can feel more prepared if you ever need to submit a claim.

What is cybersecurity insurance?

At its most basic level, cybersecurity insurance works like any other type of insurance: you pay a premium so that, if something destructive occurs, the insurer absorbs part of the resulting loss. Instead of damage to something you own (e.g., your car), cybersecurity insurance helps protect your organization against the many costs that can be incurred because of a cybersecurity incident. These costs vary in type and amount from one incident to the next, but commonly include legal, forensic and recovery expenses.

What should you look for within your policy?

It is recommended that you regularly review your cybersecurity insurance policy, both internally and with your organization's cyber insurance broker, so that the right people in your organization are familiar with the policy's coverage, limits and deductible (retention). Awareness of these basic policy components will help your organization make informed decisions when you anticipate filing a claim. A little deeper into your policy, look for cues about coverage of specific incident impacts, such as threat actor ransom demand payments, business interruption costs and third-party liability coverage in the event someone takes legal action against you as a result of the incident.

In addition, it is recommended your organization reviews your cybersecurity insurance policy for things such as:

  • Expectations the insurance carrier sets for your organization (e.g., recurring vulnerability scans, multifactor authentication, a monitored endpoint detection and response solution, configured and tested backups, etc.). A control you attested to but no longer maintain can become a point of contention during a claim.
  • Inaccuracies in, or changes to, the disclosures and selections you made in your insurance application (e.g., cybersecurity initiatives or controls that have since been removed, or new environments that have been added). Keep the carrier informed, since material misstatements on the application can be used to challenge coverage.
  • Acceptable timeframes for restoration efforts and the period over which business interruption costs are covered.
  • Communication expectations with the insurance carrier, including notification deadlines and the level of detail required for a claim.
  • Restrictions on your organization's involvement in the response/recovery efforts, including whether you must use carrier-approved (panel) vendors.

Your organization should be proactive: understand your policy's coverage, know your main points of contact at the insurance carrier and be familiar with the correct process for submitting a claim before you need it.

What is covered vs not covered?

The goal of cybersecurity insurance is to reduce the financial burden of an incident and get your organization back to normal operations. This generally includes coverage for the reasonable response to, and recovery from, a cybersecurity incident (e.g., a ransomware attack). Your policy can often cover costs associated with interruptions to your business operations, the forensic investigation of the incident, legal fees for establishing privilege, providing legal guidance and performing data breach notifications, as well as the possible impact to your organization's reputation.

However, from a claims perspective, cybersecurity insurance is not intended to improve your organization's cybersecurity posture or environment beyond its pre-incident state. A claim is not an opportunity to expand your IT budget and fill security gaps that existed before the incident.

The impact of each incident varies, which adds a layer of complexity when determining what is appropriate and reasonable. To put it in everyday terms, let's go back to the car analogy. After the accident, your auto body shop would identify and fix the damage to get your car back to how you had it before the accident. If determined reasonable, these costs would be covered by your claim. However, any costs not related to the accident in question would not be covered. For example, your insurance would not pay to fix pre-existing damage on the other side of your car, or pay to have the entire car repainted a different color.

When working internally or with a third-party incident response vendor to respond to and recover from a cybersecurity incident, your organization should always ask whether a given effort or cost would be considered an upgrade to the environment, is unreasonable in nature, or is an extra or unnecessary expense. These three buckets apply to every category of cost that may come up: hardware purchases, software purchases and engaged services.

  • Upgrades: Purchases that improve the organization's cybersecurity environment or posture compared to its pre-incident state.
  • Unreasonable Costs: Purchases that exceed conventional industry standards in level of effort, timeframe or cost.
  • Extra Expense/Unnecessary Costs: Purchases that are not required to effectively respond to the incident and recover to normal operations.

The below table breaks down considerations and high-level examples for each of these buckets.

How can you best prepare for submitting a claim?

Even with an awareness of the coverage limitations above, submitting a successful claim with the lowest risk of denial can be difficult. For that reason, it is recommended that your organization carefully document its response and recovery decisions as they are made, so that the specifics of the incident are adequately captured. As part of the documentation process, consider doing the following:

  • Establish a timeline: When did your organization first feel the impact of the incident? When were the various vendors brought in to assist you? When were your organization's business-critical operations restored? Milestones like these provide valuable context for the incident response efforts and are therefore of great interest to claims adjusters reviewing your claim. Proactively creating an incident narrative and high-level timeline can help expedite the claim review process.
  • Organize proof of loss: Cybersecurity insurance carriers understand that handling an incident involves many reasonable and necessary costs. However, it is also very easy for non-covered items to slip in unintentionally. Ambiguous claims require detailed review by the claims adjuster, often warranting multiple rounds of inquiry with the insured, internal peer review within the insurer and consultation with outside technical experts. These activities can delay the final determination by months or, in some cases, even years. Your organization can minimize delays by organizing invoices into applicable buckets based on their role in the response/recovery efforts (e.g., forensics, legal, hardware purchase, software purchase, etc.) before submitting them. Alongside this classification, briefly describe the purpose of each claimed item and how it relates to the incident response/recovery efforts.
  • Self-designate improvements: Understand that even though an incident may have motivated certain purchases, the goal of the claim is only to help you respond to the incident and restore normal operations. Review the invoices you intend to include in the claim and ask honestly whether any components were inspired by the incident but not truly necessary. As an example, imagine you had a pre-existing quote for additional data storage before the incident occurred. If you learn you need more storage for data restoration efforts following the incident, you may be motivated to execute that quote ahead of your original roadmap. However, given typical remediation approaches and the pre-incident circumstances, it is unlikely that this purchase would be fully covered by your policy.

We understand that navigating the cybersecurity insurance claim process can be a tricky part of incident response. MOXFIVE is committed to guiding organizations through all aspects of the incident response process, including navigating insurance claims both before and after a claim has been submitted.

Justin Boncaldo

Justin has helped a diverse range of organizations navigate cybersecurity incidents from incident response, digital forensics, cyber insurance and preparedness perspectives. With over five years of incident response consulting experience, Justin has supported private and publicly traded organizations, as well as state and local government entities, across virtually every industry.
