Cyber insurance is increasingly being mis-sold or misunderstood – what to look out for?

Cyber insurance is increasingly being mis-sold or misunderstood, often due to vague policy language, exclusions, or assumptions about coverage.

Here's a breakdown of the key issues and what to look for to ensure you're fully protected.

🚨 Common Issues with Cyber Insurance

1. Silent Cyber Risk
• Many traditional policies (e.g., property or liability) don’t explicitly mention cyber risks, yet may be assumed to cover them.
• This leads to coverage disputes when claims arise from cyber incidents like ransomware or data breaches.
• Example: The NotPetya attack led to billions in losses and lawsuits over denied claims due to unclear policy wording
2. Lack of Standardisation
• Cyber insurance is still a relatively new product, and policy language varies widely between insurers.
• This makes it hard to compare policies or know exactly what’s covered.
3. Post-Loss Underwriting
• Insurers may deny claims by alleging that the insured misrepresented their cybersecurity practices during the application process.
• Example: Failure to disclose lack of multi-factor authentication or outdated software can void coverage
4. Minimum Security Standards Exclusions
• Some policies include clauses that exclude coverage if the insured fails to maintain certain cybersecurity practices (e.g., regular patching, backups, employee training).
5. Mis-selling or Bundling
• Cyber coverage may be bundled into broader policies without clear explanation of limits, exclusions, or what triggers coverage.
• This can give a false sense of security.

✅ What to Look for in a Cyber Insurance Policy

1. Clear Definitions
• Ensure the policy clearly defines terms like cyberattack, data breach, ransomware, and business interruption.
2. Explicit Coverage
• Look for named perils and explicit inclusions for:
• Ransomware and extortion;
• Data breach response costs;
• Business interruption;
• Regulatory fines and legal costs; and
• Third-party liability.
3. No Ambiguous Exclusions
• Watch for exclusions related to:
• Acts of war or terrorism (which may include state-sponsored cyberattacks);
• Failure to maintain security standards; and
• Social engineering or phishing (often excluded unless specifically added).
4. Application Accuracy
• Ensure your application is thorough and accurate, especially regarding:
• Security protocols;
• Incident response plans; and
• Use of encryption and MFA.
5. Incident Response Support
• Good policies include access to cybersecurity experts, legal counsel, and PR support in the event of a breach.
6. Regular Reviews
• Cyber threats evolve quickly—review your policy annually to ensure it reflects your current risk profile and IT environment.

References

Silent Cyber Will Sabotage Your Insurance Policy if You Don't Watch Out. Here's What Risk Managers Should Keep Top of Mind : Risk & Insurance

Pressure points in cyber insurance policies revealed in litigation | Cyber insurance claims | Perspectives | Reed Smith LLP