Read Your Cybersecurity Insurance Policy and Coverage
The business of malware has become operationalized such that a majority of instances are to generate revenue for the attacker(s) via ransomware, harvesting credentials, exfiltrate data, and other data. To gain access to the items of value, the attackers have to compromise the system in some form. These breaches have an immediate impact on the affected party. The entity may need to forward the usual notification based on the number of records or other attributes of the breach. With these, the type of data affected must also be taken into consideration.
The activities are not free. There is not an altruistic group that has a task list and diligently works through the list. There are direct costs involved with the items completed by the staff and fees to third parties for professional services. If this were not to be cost enough, there are also the indirect costs to the entity. There would be the short-term loss of rapport with the community manifesting itself with lower revenues, business partners in the industry not returning phone calls as they manage their fall-out through association as much as possible.
To alleviate the issue to a certain extent, firms have looked to a new tool to manage the risk. Over the last few years, the insurance companies have met the challenge created by then environment with a newer form of insurance. This new policy or rider is written specifically for breaches. As the businesses have started to note the potential costs associated with a breach, the breach insurance started to be noticed to a greater extent, which led to more businesses purchasing this coverage. This, at first glance, appears to be fantastic. There was a need for insurance when a breach occurred, and the insurance companies created this now insurance vehicle for coverage. The implementation likewise seemingly would not be an issue due to the presumption the business, if it were to have an issue, a claim would just need to be filed, much like if there were to be storm damage with a residence.
Although this is the method on how this should work, with the insurance being novel at this point, not all the policies are created equal and the business may have the incorrect policy to begin with. The insurance companies are still molding the policies and language therein. The insurance company’s senior management is still making the decision on what will be covered in certain events. Too often the business owners and executives read through the policy and do not ask the correct questions for clarity and understanding. Too few questions are resolved with ambiguities, generally to both parties. This business may mistakenly believe the business is fully insured, when it may only be partially or not all insured.
Such a case recently occurred with the Rosen Hotels & Resorts. Rosen had the opportunity or teachable moment with recovering from a breach in 2016. This oversight ended up costing Rosen at least $2.4M. These expenses were primarily from Visa and Mastercard ($1M each), American Express ($128,830), attorney fees ($50k), notification expenses ($40k), fees to third party crisis-management firm ($15k), and to a data forensics firm ($150k). These costs have not been static and are expected to increase. This is relative to cyber-insurance in that Rosen naturally filed a claim for the expenses with the St. Paul Fire & Marine. All was thought to be well, until the claim was denied.
The rationale for the decline was the correct policy was not purchased. The insurance policy purchased was a commercial general liability policy. St. Paul Fire & Marine was not commenting on any liability or negligence.
It was notable also that the breach occurred from an extended September 2, 2014 to February 18, 2016. The focal point was the credit card payment system. There was an unauthorized malware that secured the data from the magnetic strips on the credit cards.
This was a teachable moment. The source of the breach is merely conjecture at this junction. This could be from the same source as other significant breaches (e.g. Target, US Navy, etc.). The client and insurance carrier need to build a relationship. The client needs to read through the policy and/or rider to fully understand what is covered and what is not. The client needs to ask as many questions as needed. The insurance carrier agent’s job was to answer these questions to the client’s full and complete satisfaction. If these are not answered so everyone has the requisite understanding, other carriers should be explored.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.