Cyber Insurance Isn't Enough! You Need Managed Compliance Too

If you think that your cyber insurance claim will be easily cleared, think again!

Although having a cyber liability insurance policy is non-negotiable today, you cannot be fully assured that your insurer will cover any costs following a security breach. But why is that?

While reviewing your claim, your cyber insurance provider will assess whether you took “due care” to protect your business from being compromised by a cyberattack. Hidden in the fine print of your cyber insurance policy document are certain terms and conditions set by the insurer with which you must be compliant. That’s why it is important for you to assess whether you are compliant with the terms of your cyber insurance policy and ensure that any risks that could lead to non-compliance are eliminated.

Let’s take a look at some of the common reasons why cyber insurers deny claims, what impact claim denials can have, and how the right support can help ensure your cyber insurance claim isn’t denied due to non-compliance.

Top 6 Reasons Why Your Cyber Insurer May Deny Your Claim

Besides their efforts to minimize payouts and boost the loss ratio (the ratio of premiums to payouts), cyber liability insurance companies look at various other aspects to deny a payout or pay only to a certain extent.

Here are six of the most common reasons why your cyber insurer may either deny your claim completely or a sizeable portion of it:

1. Policy Exclusions: Policy exclusions can easily be considered the biggest reason for claim denials. Applying for a claim for a security incident that falls in the list of exclusions could prove to be a futile exercise. These exclusions are often mentioned in the fine print of the policy document. 
2. Poor Prevention Practices: By not having enough prevention practices in place, you could be handing the insurance company an easy reason to deny your claim. Your insurance policy lists data security practices that you must implement in your organizations’ network. Make sure you know what they are and have them in place.
3. Failure to Document Preventative Measures: Your insurer will want to see tangible evidence, in the form of documentation, regarding the preventative measures you have undertaken to ward off cyberthreats. To avoid any hassles, you need to have thorough, accurate, and updated documentation… at all times!
4. When a Third-Party Stakeholder is at Fault: Your network’s security isn’t just your responsibility… it’s the responsibility of your third-party stakeholders as well. A security lapse in a third-party vendor network could result in the claim being denied by the insurer. Even if the claim is not denied, it’s highly likely that the insurer will scrutinize the matter in depth, which could make it a long, drawn-out process.
5. Accidental Errors and Omissions: Accidental errors and omissions in the documentation you share with the insurer could prove detrimental to the approval of your claim. The documented evidence should encompass everything you have done to abide by the terms laid out by your insurer.
6. When Coverage Doesn’t Extend Beyond the Interruption Timeframe: Cyber liability insurance plans vary, so you must pay close attention to coverage timeframes. This could be the difference between getting all your losses covered versus just a small percentage of them.

What is the Possible Impact of a Claim Denial?

A claim denial can completely derail an organization’s strategy to recover the costs incurred following a security incident. Here are two instances in which organizations were denied payouts:

The Peculiar Case of the NotPetya Attacks

Researchers at the Cyentia Institute reviewed the 100 largest cybersecurity incidents over the last five years, which accounted for $18 billion in losses. They discovered that the NotPetya ransomware accounted for 20% of losses. Despite that, the pharmaceutical giant, Merck, and multinational food company, Mondelez International, are still in the process of claiming $1.3 billion and $100 million respectively through high-profile lawsuits. In both proceedings, the insurers cited the “war and terrorism” exclusion to deny the claims because in October 2020 the U.S. government indicted six Russian military personnel for the attacks.

When a Canadian Not-For-Profit Was Denied a Payout

In a case settled in May 2021, Family and Children’s Services of Lanark, Leeds, and Grenville (FCSLLG), a Canadian not-for-profit organization, failed to seek $75 million in damages. The security incident involved an unidentified hacker who stole confidential reports and leaked them on two Facebook pages. FCSLLG initiated a third-party claim against Laridae, a company it had hired to revise its website. Despite holding two policies with the co-operators at the time of the hack, the co-operators denied coverage under both policies based on data exclusions. The policies excluded any loss “arising out of the distribution or display of data by means of an internet website.”

Can Your Organization Survive a Major Financial Setback?

Both of these incidents should serve as a stark reminder for your organization to completely understand where threats are most likely to emerge and ensure that potential losses are included in your cyber insurance policy. While certain businesses may be able to continue functioning as usual, due to their financial prowess, you must ask yourself: can your organization survive a major financial setback?

Navigating Managed Compliance for Cyber Liability Insurance

While it may seem overwhelming at first, complying with your cyber liability insurance policy’s terms isn’t daunting when you have the right support. By leveraging Managed Compliance from Data Networks, we can help you with:

• Understanding the contracts in detail so that you are fully aware of what your policy covers and what it does not cover.
• Regular automated compliance assessments that will hand you a thorough and accurate analysis of your organization’s compliance with the policy’s terms and areas that need remediation.
• Remediation recommendations for activities that can help ensure that compliance risks are remediated the right way and at the right time.
• Compliance-specific documentation that’s free of human error, fine-grained and policy-specific to ensure your organization can produce evidence of due care.
• Purchasing a cyber insurance policy that offers the right type of coverage at the right price.

Why Choose Managed Compliance?

Managed Compliance takes the chaos out of compliance! Not only can Data Networks help your organization acquire or comply with a viable cyber liability insurance policy that’s trusted by others in your industry, but we also offer Managed Compliance. To learn how Managed Compliance from Data Networks can help you demonstrate “due care” with your CLI requirements, contact us to continue the conversation!

You can also check out our online resources and download the Managed Compliance for CLI fact sheet.