Understanding Cyber Insurance – 6 Things You Need to Know

Episode Resources:

• Resilience Cybersecurity & Data Privacy
• Traveler’s Cyber Insurance Policy
• Occurrence vs. Claims-Made Policy Terms – Law.com
• Cyber Insurance and Cybersecurity Policy: An Interconnected History – Lawfare
• Insurers Stake Out Their Ground for Covering State Cyber Attacks – Lawfare
• Cyber Insurers Clamp Down on Clients’ Self-Attestation of Security Controls – The EDGE
• Cyber Insurance Policies Grow Pricey Amid Rising Hacks, Lawsuits – Bloomberg Law

Episode Transcript

Brian: Hello and welcome to the Fearless Paranoia podcast where we demystify the complex and complicated world of cybersecurity to make it understandable to everybody. I am Brian focused cybersecurity attorney and I’m all you got this week, Ryan is out, engaging in some civic responsibility, actions. And so you’re gonna have to listen to me this week. But that’s okay, because we have a topic that I don’t think he has all that much interest in. But it’s something that I believe we need to discuss. So today, you just get me It’s episode three, what the hell does this even mean? Or a guide to cyber insurance.

This is a topic that is routinely brought up dealing with cybersecurity law, and is one that I think is incredibly misunderstood by most of the people who have to deal with it. And I think that mostly because most of the insurance people that I know who sell cyber insurance usually can’t correctly explain to me what it covers. So fortunately, my legal experience being a combination of cybersecurity and insurance puts me at a crossroads of two fields that are remarkably useful for this particular topic.

There are a few questions that I’m asked routinely about cyber liability insurance. And just to get out of the way, we’re probably gonna be using these terms fairly interchangeably throughout this podcast, cyber insurance, cyber liability insurance, cyberattack insurance,

I’ll try to keep it just a cyber insurance. But basically, they all mean the same thing. They mean insurance protecting you from attacks from and or about cyberspace. So the big questions that I get are, what is cyber insurance? Do I need cyber insurance? What are the important elements of an effective cyber insurance policy? And knowing all of that, what’s my best approach to actually getting the policy that makes sense, since you may be on different stages of this journey, determining whether and how to get cyber liability insurance?

We’ve broken up this episode into chapters, so you can jump forward to any sections to answer the questions that might be most pertinent to you. And you can find more information on those chapters by going to the post in our website, Fearless Paranoia.com. Before we get started on those questions, though, I want to remind everybody to subscribe to Fearless Paranoia in any one of your favorite podcasting apps or sites or subscription services. You can also sign up for updates and a new post through our website Fearless Paranoia.com and see additional information on cybersecurity tips and advice at resilience cybersecurity.com. All of that information can actually be accessed right through our website. Also, we want to make sure that our podcast is both timely and informative to you. So one of the best ways we can learn about what you need to know about is hearing directly from you. Go ahead and contact us through our website or through on Twitter, on Facebook, LinkedIn, send us requests of questions you would like to have us address in one of our podcasts.

So back to cyber insurance, it is actually kind of important to get out of the way, a few things that you need to know about insurance for this to make any sense. First, insurance is a contract. And since an insurance policy gives you certain rights, it’s important to know how you can enforce those rights here, we enforce them in court. So it’s a contract, no matter what you’ve heard about insurance law, and almost all states have some specific laws dealing with insurance, the vast majority of anything that will be determined about an insurance policy comes down to the fact that in almost all instances, the terms of the contract will be enforced. Okay, well, what does that mean? In order for a court to find that the specific terms of a contract will not apply in a specific instance, they need to find some ambiguities in the contract. If the terms are unambiguous, if they’re clearly defined or couldn’t be interpreted in multiple ways by rational reasonable people, they will almost always be upheld by the court. Even if it seems wrong, if it seems unfair, the terms of the contract are going to govern. Also, you are generally presumed to have read and understood any insurance policy.

The second big part about insurance generally, is that you get what you pay for there is almost always a reason that a policy is priced differently between different insurance companies, there can be a lot of reasons for it. But if you don’t know that reason, you need to be concerned.

Three, insurance companies will always look for reasons to deny any claim that you make. First, before anyone says anything, they need to do this. They’re supposed to do this. If fraudulent claims went unchallenged by insurance companies, insurance itself would be unaffordable. So this is what they do. This is their job, they have to make sure you’re submitting a valid claim. That being said, make sure that your application contains 100% accurate information because almost every single insurance policy you will ever sign can be canceled retroactive to its initial starting date if you lied in your application about a material term.

Fourth the older the specific insurance market, the more predictable the insurance will be more mature insurance areas are much more consistent from company to company over a whole range of topics. They are more regulated. For example, most of the terms that are contained in your car insurance are the same from company to company because they’re actually required by statute or by regulation. They don’t have a choice they’ll have more industry standard policies and terms like construction in the business industry where they get together and essentially have an independent organization draft model policy terms, there always been more court decisions to provide guidance in a dispute. The newer the area of insurance, the less you get of all of those things, regulation, industry standards and guidance from prior court decisions bearing all that in mind, cyber insurance is effectively brand new. There’s no regulation, there’s very, very little in the way of industry practices, and there’s hardly any case law to provide any guidance on what to expect in a conflict.

Okay, so then knowing that what is cyber insurance? Well, there are a lot of different insurance available to business today, you got a general liability insurance, a lot of premises liability directors and officers liability errors and omissions insurance. All of these provide insurance to protect a business. In the event someone does something accidentally or on purpose, it brings liability on the company. They’re also more specialized insurance markets, like for example, kidnapping, and Ransom insurance.

None of these were created with cyberattacks in mind and the specific types of risks that businesses now face from cyberattacks. Additionally, insurance companies didn’t may have in the past provided limited coverage for what you would call cyberattack related things in their general liability policies have been over time adding exclusions and endorsements that tend to eliminate the cyberattack and cyber liability related protections from their general policies making the purchase of a specific and separate cyber liability insurance policy essential.

Alright, so what does it actually cover? Insurance coverage can primarily be broken down into two essential types of insurance coverage, first party and third party. Generally speaking, a claim is a first party claim if you’ve been injured and are getting money directly from the insurance company. The claim is a third party claim if someone else has been injured, and they blame you and are essentially collecting from your insurance company.

The best example I can give is if you’re in a car accident, you rear end somebody your car is damaged, but the driver of the other car is hurt. So you need to get your car repaired. You take your car in, they bill your insurance company. That is a first party claim. That is your injury paid directly to you by the insurance company. The injured driver of the other car sues you for their neck injury and gets paid by your insurance company. That is your insurance company paying a third party.

You have to make a big distinction between those two: first party and third party and in cybersecurity the typical first party coverage you’re talking about goes beyond merely paying you back for injury you may have suffered. In fact, probably the single best reason to get cyber liability insurance for your company is because of the additional things and benefits that you get as part of your first party benefits. These benefits include things like forensic investigation after a suspected or confirmed cyberattack, and oftentimes data restoration data breach notification compliance, credit and fraud monitoring, which seems sort of like third party damages, because you’re paying someone else for their reported injury. But it’s considered first party in this context, I know there’s gonna be a lot of stuff like this, I apologize. Public relations and reputation management, business interruption costs and expenses and related legal fees that you’ve had to pay to deal with all of this stuff.

Typical third party coverage in cyber insurance is much more similar to what you would normally expect protecting you against things like litigation and investigations. But as I discussed before, it’s much more general and broad in scope as it has to protect you against civil litigation from injured customers and clients, potential class action litigation related to business practices, and even regulatory investigations, all types of damages that can be caused by someone making an unauthorized intrusion into your computer systems, causing you financial and physical damage and shutting down your business.

Now, that’s what it can cover. What it does cover is just as I’ve mentioned before, what the policy terms say it covers and it excludes what the policy terms say it excludes.

So I want to move on to the next question. This is probably the question that I get the most, but to me, it always feels like the question that people asked me know the answer to: do I need it? I mean, on a basic level, yes. Okay. If you’ve got a business, you’re talking about a huge potential area of liability that is not covered by any other insurance policy. But still, at the end of the day, it probably depends a little bit on your business, and ultimately, it always seems to come down to money. Do you think you can afford it? Well, aside from what I think would be the obvious question is can you afford not to do it? Which you already know what my answer to that question is.

I’ll leave you on this subject with if you can afford it, you need to have it provided that the insurance you have is suited to your needs and will provide actual coverage in the real life circumstances you will experience. There are certain things that you simply can’t do as a small business that cyber insurance is going to help you do like recover from an attack make sure that you got your breach notification stuff covered provide ransomware negotiation and potentially even delivery of cryptocurrency that you’re just not going to functionally be able to do yourself.

Brian:   You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out Fearless Paranoia.com We’ll find a post for this episode containing links to all the sources research information that we have cited to you. And also check out our older posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.

Moving on to the more McCall the more Fearless Paranoia based section of this questions. What are you looking for? What do I need to demystify about cyber insurance that’s going to actually help you do what you need to do? Well, as far as it goes, here’s where it gets harder, a lot harder. Finding the right policy for your business can be incredibly complicated and comes down to the details of the policy.

For the sake of clarity on that issue. I’m going to be referring to a cyber insurance policy from traveler’s insurance. This traveler’s insurance policy is effective from April 2022 through April 23. It is currently the subject of litigation in a federal court case, the details of which you can find in the post for this episode on Fearless Paranoia.com. It has been actively enforced large policy with numerous options selected giving us a lot to look at the policy, which includes a few changes and endorsements. It is 48 pages long.

Remember from before what I said about insurance policies, it is a contract. And if you’re seeking to enforce or protect your rights visa vie that insurance contract, it will be interpreted by the courts pursuant to the terms contained therein. If it’s defined in the contract, that definition is binding. Well, this contract includes 74 separate definitions. 74. And what’s amazing to me about reading through all of these is they actually contain terms that are defined elsewhere within the definition section of this very policy. 29 of the 74 definitions actually contain three or more terms that are themselves terms defined by this policy, five definitions actually contain eight or more, and there’s one that contains 14. This is acceptable, according to the courts, when it comes to insurance policies, because they’ve identified a complex issue where they want the definition to be very specific. It’s not necessarily intended to be difficult and dense. But it certainly ends up being that way, even for people like me who deal with these policies on a regular basis.

So when reading these policies, you have to remember that they’re modular in nature, and therefore even the defined terms and the provided coverage that are listed in plain English within the policy itself have to be read in context, because the definition may apply differently, depending on which modular portions of the policy are in effect.

So what are the key things to look for when you’re dealing with these insurance policies? First, limits. Okay, that’s basic, that’s any insurance policy. You need to look at what the limits are. But a lot of insurance policies now include an aggregate limit, but will include sub limits. For example, you may have $100,000, collision coverage, but only $20,000 would go to repairing your car, okay? That’s a sub limit. Collision can pay for other things, things you ran into, but only $20,000 pay for your car.

Cyber insurance actually seems more in my opinion to be a collection of sub limits than a general policy with certain restrictions. For example, the limits applicable in this travelers policy, there is an aggregate limit of $1 million. That’s fine. The privacy and security agreement and the technology errors and omissions agreement, which are part of the liability collection have limits of $1 million. But under the same liability section, regulatory proceedings has a limit of $500,000 and media is blank, which means it was not selected. The limits for business interruption loss are $500,000. But the limits for funds transfer fraud and social engineering fraud, which are the types of fraud most commonly linked to fraudulent wire transfers are only $100,000.

You need to make sure that you understand what the various limits are and what your deductible or in the case of this policy retention are that you’re gonna have to pay before the insurance company pays anything at all.

The second thing you definitely need to know when you’re getting any kind of insurance policy, but it’s especially important in the cyber insurance policy, is whether you have a “claims made” or “occurrence” policy. A “claims made” policy means that the claim has to be reported to the insurance company during the policy terms or and most of them have a an extended period of time afterwards, often 90 days for making those claims. Doesn’t matter when the matter occurred. But the claim has to occur during the policy period. An “occurrence” based policy means that all that’s necessary is for the damage or the event or the loss to have occurred during the policy. You can make the claim a year after the policy is expired, but if it occurred during the policy, the insurance will still apply.

I need to take a moment here before we proceed to discuss the difference between claims made and occurrence policies to discuss a type of policy that I’ve actually never had to deal with before but was the subject of a recent decision by the Washington State Supreme Court who referred to the policy as In a non-retroactive claims made policy, essentially it was a combination of a claims made policy with an occurrence policy. This insurance policy actually required both to occur during a policy period. And bizarrely enough, that policy period was not retroactive or continuing in the event that the insurance was renewed. So if you bought a one year insurance policy, it would only cover events that both occurred, and for which a claim was made against the insured, within that one year.

Even if you renew the insurance for the next year, this would be an insurable event that occurred on the second to last day of your policy period would only be covered by the insurance company. If a claim was made in writing about that particular event within the next 48 hours. 

Why am I bringing this up? Well, because of all the things that you need to make sure to pay attention to in a cyber liability policy, you really need to make sure that you’re looking at the details that the information that would only apply to this type of policy, the stuff that is really difficult to understand unless you are familiar cybersecurity. But don’t overlook some of these critical things. This type of hybrid policy that the court referred to as non-retroactive claims made should never be signed by anybody. This policy is absolutely not insurance. It provides what the court in that case defined as illusory coverage because you claim to have insurance, but you’re likely not to be insured if anything happens.

So be absolutely certain when you sign these policies that you understand what type of policy is between claims made or occurrence. And if it’s any kind of combination, reject the policy immediately. Do not sign it, it is not in your interest. Just if you see this reject it.

You also need to find out whether or not the policy has any requirements that you operate and maintain certain internal company policies. Among the ways that insurance companies have been avoiding responsibility for claims in the cyber insurance realm is by pointing out that the company may have perfectly adequate privacy policies, but may not follow them.

They may collect data they’re not supposed to have, in violation of law. All of these things are bases for insurance companies to deny claims. You need to make sure that you understand what your policy says about those things. What must you do, and what must you avoid doing, in order for the insurance to apply? 

How do they handle ransomware? It’s the biggest cybersecurity issue you’re likely to face as a small business. And it’s the one that is becoming a bigger and bigger question mark as the the money being spent on this stuff goes up and up. Are they going to allow you to pay a ransom to a hacker who’s locked up or hijacked your data? 

What rights do they have to recover expenses they’ve made on your behalf? When an insurance company gets a claim, one of the first things they do is determine whether there’s coverage. Oftentimes you’ll receive something called a reservation of rights letter. That’s basically them saying that, hey, look, we’ve looked into this policy, and we’ve looked into this claim, and we’re not sure that the policy actually provides coverage. But under the law, when we’re not sure, we still have to provide your defense until we can determine whether or not the policy does provide coverage. 

Well, guess what: if they don’t end up having to provide coverage, oftentimes, they can go back after you and collect the money they spent on that defense, it will be in the policy, you need to know that because it’s going to determine whether or not you file claims in areas that are questionable, because let’s face it, the last thing you want to find out after learning that a million dollar loss that you had to take because of a cyberattack was not protected by insurance is then getting $100,000 bill from your insurance company for the legal PR and it helped that they provided while they were determining whether or not the policy applied.

You also want to know about whether they provide payments of fines from regulators or administrative agencies and other punitive awards including things like unfair and deceptive trade practices if your company is found not to be in compliance with the law. Most of these policies will claim that they cover regulatory fines and penalties, but they will also include provisions like the Travelers policy, the insurer will not pay loss arising out of the collection of confidential information in violation of the law. The insurer will not pay a loss under the technology errors and omissions insuring agreement arising out of any actual or alleged unfair or deceptive trade practices, unfair competition, or actual or alleged violation of any other consumer protection law committed by or on behalf of an insured. That might seem like a really rare occurrence. But guess what, almost anything related to a consumer’s personal information could be considered a violation of a consumer protection or an unfair competition law if you didn’t do things absolutely by the book. So even though this policy provides coverage for all of those different ways that confidential information to be leaked, if it turns out you were accidentally collecting data outside of the parameters of your privacy policy, or beyond what was allowed for that particular jurisdiction, your insurance policy may not apply.

The insurance company has a duty to provide you had legal defense, various policies, we’ll deal with this differently and you want to know whether or not you can select counsel, which is usually classified as reimbursement, or whether the law firm and other representations can only be selected by the insurance company. Having the right to choose your own law firm, even if it’s with the approval of the insurance company can be a very valuable tool. Also, does the insurance company have the right to settle any claims be the regulatory or private litigation without your consent in some cases, and for example, in the Travelers policy, the travelers cannot settle any case without the written consent of the insured. However, that is not the case in most cyber policies and in a lot of insurance policies in general, because the insurance company wants to be able to settle a claim when they can. It can be very damaging to you in those cases when it comes out that previous similar litigation has been settled whether you had a say in it or not.

Lastly, on this section is the question about acts of war. This is a really detailed subject suffice to say that it’s really unclear whether any of the acts of war provisions as they’re currently drafted are very effective. However, the insurance industry is working feverishly to amend those provisions. But in a coming episode, we will be discussing this type of exemption.

Brian:   You’re listening to the Fearless Paranoia podcast for more information on keeping yourself your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.

Finally, what I want to talk about is what’s the best approach in dealing with cyber insurance policies. As we said earlier, policies are now modular. I mean, they’re their little components that you put together to get the whole thing. It’s not really one policy where you have little add ons anymore. The policy itself is made up of various components that you pick and you choose. The Travelers policy itself is very instructive. Here. There’s several different insuring agreements that make up this insurance policy. And you can choose which of these agreements is part of your overall policy. And also bear in mind, each one of them is optional, and they also oftentimes have separate limits, for example, the liability insuring agreements here as the privacy and security Media Technology errors and omissions and regulatory proceedings. The breach response insuring agreements includes privacy notification, computer and legal experts, betterments, cyber extortion, data restoration, public relations, the Cybercrime insuring agreement includes computer fraud, funds transfer fraud, social engineering fraud, and telecom fraud and the business loss insurance agreement includes business interruption dependent business interruption and reputation harm.

Now, those are just the ones that are included in the main policy. It doesn’t even include the special endorsements that international control services paid to have added to this policy which are dependent business interruption system failure protection, vendor client payment fraud, which kind of fills a very conspicuous gap in the whole wire transfer fraud discussion also includes a bricked equipment endorsement, because apparently, this policy doesn’t provide coverage for technology equipment that is rendered useless by a cyberattack.

So what do you need to bear in mind? Well, you’re essentially checking boxes a big deal here is you need to check all the boxes that your company needs, but you also need to know what it means to leave boxes unchecked. One example from earlier as you may have checked the box for regulatory proceedings that includes payment of fines and fees assessed by regulatory agencies. But because you left another box unchecked, it might not cover anything related to regulatory proceedings and investigations, where the allegations include that your company collected personal data outside of what was legally permissible, there’s a huge, huge gap in coverage, that if you’re not going to sign up for you, at the very least need to know about. You have to know what you’re leaving blank, not just what you’re signing up. 

For most critically, make sure you know and understand all of your options before paying for insurance that doesn’t suit your needs. Cyber insurance is now expensive. 10 years ago, cyber insurance was remarkably cheap, and not that difficult to get. But the world has changed. Cyber insurance is getting more expensive, and it is increasing in cost every year. The reason why people still sign up for it, though, is because the cost of a data breach keeps going up, the number of companies affected keep going up. And this isn’t going to stop anytime soon. So you need to know what you’re getting. And making sure that when you are spending your company’s money on something like insurance, that you’re insuring things that you need to protect and not wasting your money on stuff you don’t.

Okay, hopefully we’ll be returning to a slightly more interesting discussion of cool hacker lingo and important cybersecurity issues affecting your company. More specifically, next week. When we come back with our next episode and Ryan will be returning I assure you, I promise you thanks for tuning in this week to Fearless Paranoia, our discussion about insurance policies and What in God’s name all this 48 pages of gibberish actually means don’t forget to like and subscribe wherever you can sign up for our automatic updating a post on Fearless Paranoia and sign up to receive this podcast on any of your favorite podcasting and subscription apps. Thank you and see you next time.