Cyber-insurance – caveat emptor

Insurance against cyberattack can be a valuable investment, but only if managed with care.

Cybersecurity insurance can be a valid risk mitigation tool, but private fund firms must ensure terms and conditions meet expectations before they purchase a policy, according to an expert.

Particular attention should be paid to both the excess – the amount a firm pays in the event of a claim – and the level of loss that must be incurred before a policy pays out.

“Cybersecurity insurance is not beneficial in the case of a ransomware attack because many policies won’t pay out until an attack has cost a firm $500,000. This is much more than the average ransom demanded from both small and large businesses that are victims of an attack,” Israel Barak, CISO at Cybereason, told pfm.

Ransoms tend to range from $1,000-$10,000 for small businesses, while large businesses could have to pay around $100,000-$150,000, he said.

There are also circumstances in which policies may be invalidated. Some include a provision that a firm cannot advertise it is insured against cyberattack, and there have been cases where an insurer has refused to pay out because the policy holder has failed to maintain security measures it claimed to have in place in its application for coverage.

It is advisable for risk managers and IT personnel, with the assistance of cybersecurity experts, to actively engage in preparing the responses to cyber-insurance application questionnaires and risk self-assessments, one lawyer said.

“Cyber-insurance application process and its relation to policy conditions and exclusions must be managed with care, not only to avoid potential misstatements and omissions, but also to close off potential opportunities for the insurer to engage in ‘post-loss underwriting’; that is, after receiving notice of a loss, to search for inaccurate application responses – even those innocently made, and even those unrelated to the loss – to support a denial of coverage,” John Buchanan, partner at Covington, said in a client note.