Cyber insurance may not offer the protection you expect. In a case that has far-reaching implications for all policyholders, leading cyber insurance providers challenged a New Jersey court ruling ordering them to pay damages for the 2017 “NotPetya” attack that led to $1.4 billion in losses for pharmaceutical company Merck & Co, The Wall Street Journal reports.
Insurers claim that the attack is not covered because it was an act of war committed by a foreign adversary. U.S. government officials attributed NotPetya, a Windows ransomware attack that encrypts operating systems and data, to the Russian government. Insurance companies believe this triggers the “war exclusion” common to many types of insurance policies, which blocks claims resulting from military action. Though written to cover damage from bullets and bombs, cyber insurance underwriters now seek to apply that exclusion to damage from state-sponsored cyber attacks.
Should insurers prevail, businesses of all sizes could find themselves without protection for any cyber attack attributed to a foreign government.
Read the Fine Print on Your Cyber Insurance Policy
Few insurance buyers take the time to fully read their policies, and fewer inquire about the extra coverage, which comes at a higher cost, that protects against uncommon risks. This can leave businesses vulnerable if they file a claim in the wake of a cyber attack.
Foreign adversaries may be the least of your cyber worries, but you should understand that a cyber policy is not a guarantee of protection. It is a relationship between your business and your insurer that demands certain actions on your part to keep the policy in effect. These inevitably include the following:
- You will take reasonable steps to secure your cyber infrastructure. This includes setting up secure systems, maintaining security certificates and updating software regularly to apply security patches. A recent attack that brought down servers worldwide took place because some users did not apply a security patch issued in February 2021. Those who failed to apply the patch could have their insurance claims denied.
- You will limit access to your systems to essential personnel. This includes password security as well as role-based authorizations. As a rule, employees should only have access to the systems and data they need to do their jobs. Shared passwords, poor password security or unchecked access to data could leave you paying out of pocket if you suffer a data breach.
- You will take steps to protect customer data. This includes how you collect data, how you transmit it online, how you store it and how long you retain it. Best practices vary depending on the type of data collected, with the strongest protections required for sensitive personal data such as credit card numbers and financial information.
- You will verify security with all third-party providers. This requires you to understand the security practices of your vendors and, in some cases, to get regular statements from them attesting to their cyber security. Vendors include your phone company, your Internet service provider, web hosts and software vendors. Expect a request for cyber security documentation from all vendors if you ever need to file a claim.
- You will train your employees in cyber security awareness and phishing protection. This requires annual or semiannual in-depth training on recognizing and stopping social engineering and phishing attacks. Your policy may mandate training within a certain period of time for all new employees, as well as regular refresher courses.
Know What Your Insurer Expects of You
If sitting down to untangle the language in your cyber policy is too daunting, speak to your insurance agent and ask for a full list of your responsibilities and the agent’s recommendations. Recognize that things like training and software updates are in your control, while natural disasters and acts of war are not. Insurance policies protect against everyday risks, not exceptional ones, but that protection is only available if you do your part to comply with your policy’s requirements.
A hack or data breach is stressful enough without worrying over whether your insurance policy covers the damage.
Protect Now provides Cyber, Social and Individual (CSI) Protection Certification, a cyber awareness training program that changes employee attitudes toward security by making data protection personal. This affordable program was built to serve businesses that have significant public interactions and need to protect their clients’ personal data. Learn more by calling us at 1-800-658-8311 or contacting us online.