How Your Risk Affects Cyber Liability Insurance

If you think that your cybersecurity insurance claim will be cleared with no questions asked, think again. While reviewing your claim, your cyber insurance provider will assess whether you took “due care” to protect your business from being compromised by a cyberattack. While having a cyber liability insurance policy is non-negotiable today, you cannot be fully assured that your insurer will cover any of the costs you incur following a security breach.

Hidden in the fine print of your cyber insurance policy document are certain terms and conditions set by the insurer that you must be compliant with. That’s why it is important for you to thoroughly review the terms of your cyber insurance policy and ensure that any risks that could lead to non-compliance are remediated.

Let’s take a look at some of the common reasons why cyber insurers deny claims, what impact claim denials can have, and how the right support can help you ensure your cyber insurance claim isn’t denied due to non-compliance.

Top 6 Reasons Why Your Cyber Insurer May Deny Your Claim

Besides their efforts to minimize payouts and boost their loss ratio (the ratio of premiums to payouts), cyber liability insurance companies look at various other aspects to deny a payout or only pay out to a certain extent. Here are six of the most common reasons why your cyber insurer may either deny your claim completely or a sizeable portion of it.

1. Policy Exclusions. Policy exclusions can easily be considered the biggest reason for claim denials. Applying for a claim for a security incident that falls in the list of exclusions, often mentioned in the fine print of the policy document, could prove to be a futile exercise.
2. Poor Prevention Practices. By not having enough prevention practices in place, you could be handing the insurance company an easy reason to deny your claim. Your insurance policy will list data security practices that you must implement in your business network.
3. Failure to Document Preventative Measures. Your insurer will want to see tangible evidence in the form of documentation regarding the preventative measures you have taken to ward off cyber threats. To avoid any hassles, you need to have thorough, accurate, and updated documentation at all times.
4. When a Third-Party Stakeholder Is at Fault. Your network’s security isn’t just your responsibility. It’s the responsibility of your third-party stakeholders as well. A security lapse in a third-party vendor’s network could result in the claim being denied by the insurer. Even if the claim isn’t denied, it’s highly likely that the insurer will scrutinize the matter in depth, which could make it a long, drawn-out process.
5. Accidental Errors and Omissions. Accidental errors and omissions in the documentation you share with the insurer could prove detrimental to the approval of your claim. The documented evidence should encompass everything you have done to abide by the terms put forth by the insurer.
6. When Coverage Doesn’t Extend Beyond the Interruption Timeframe. Cyber liability insurance plans vary, so you must pay close attention to coverage timeframes. This could be the difference between having all your losses covered versus just a small percentage of them.

The Possible Impact of a Claim Denial

A claim denial can derail a business’ strategy to recover the costs incurred following a security incident. Here are two instances when businesses were denied payouts:

The Peculiar Case of the NotPetya Attacks | Security Boulevard

Researchers at the Cyentia Institute reviewed the 100 largest cybersecurity incidents over the last five years. The report accounted for $18 billion in losses, and discovered that the NotPetya ransomware accounted for 20% of losses. Despite that, pharmaceutical giant Merck and food company Mondelez International are still in the process of claiming their losses respectively. Through high-profile lawsuits, the insurers cited the “war and terrorism” exclusion to deny the claims, due to the US government indicting six Russian military personnel for the attacks in October 2020.

When a Canadian Not-For-Profit Was Denied a Payout

In May 2021 Canadian not-for-profit organization: Family and Children’s Services of Lanark, Leeds and Grenville (FCSLLG), failed to seek CAD$75 million in damages. This incident involved an unidentified hacker who stole confidential reports and leaked them on two Facebook pages. FCSLLG initiated a third-party claim against Laridae. Laridae had been hired to revise its website by FCSLLG. Despite holding two policies with the Co-operators, the Co-operators denied coverage under both policies based on data exclusions. The policies excluded any loss “arising out of the distribution or display of data by means of an internet website.”

These incidents should serve as a reminder for your business to understand where threats are most likely to emerge. This will ensure that potential losses are included in your cyber insurance policy. While some businesses are able to continue functioning as usual, you must ask yourself if your business can survive a major setback like a cyberattack.

Navigating Compliance for Cyber Insurance Liability

While it may seem overwhelming at the start, complying with your cyber insurance liability policy’s terms is possible. When you have the right support, you can receive help with:

• Understanding the contracts in detail so that you are fully aware of what your policy does and does not cover.
• Regularly automating compliance assessments to hand you a thorough and accurate analysis of your business's compliance, including the policy’s terms and areas that need remediation.
• Remediation services that ensure all compliance risks are remediated correctly and at the right time.
• Compliance-specific documentation that’s free of human error. These policy-specific documents ensure your business can produce evidence of due care.
• Purchasing a cyber insurance policy that offers the right type of coverage at the right price.

We can help your organization comply with or acquire a viable cybersecurity insurance policy that you can trust. To learn more, contact us today for a consultation