BreachExchange mailing list archives

How Cookie-Cutter Cyber Insurance Falls Short


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 6 Oct 2014 19:19:34 -0600

http://www.darkreading.com/perimeter/how-cookie-cutter-cyber-insurance-falls-short/a/d-id/1316365

The growing exposure from data breaches and ransomware, along with the
tightening of federal and state privacy laws, is creating a tsunami of
risks and loss that few companies would have contemplated just a few years
ago. These are losses that can impact a wide range of organizations -- from
giant retailers to manufacturers and small and midsized businesses.

For information security teams working to stay ahead of the curve with the
best and most sophisticated cyber defense strategies, it’s a constant
battle. But in the face of a massive breach, like recent attacks against
Target, Home Depot, and JPMorgan Chase, companies are also starting to look
seriously to cyber insurance as the ultimate in infosec liability
protection. Whether cyber insurance is adequate to address these multiple
risks is another question.

What’s in your existing insurance?
A robust risk management assessment is the first step to uncover the
coverage gaps in your company’s insurance program. A general liability
policy is an industry standard, and it provides liability coverage for
bodily injury, property damage arising out of an insured’s operations,
products, or premises, as well as personal and advertising injury. However,
these policies were never intended to provide coverage for liability and
first-party notification expenses resulting from the disclosure of
personally identifiable, confidential corporate, or personal health
information. In fact, insurance carriers have recently begun adding
exclusionary endorsements to ensure that their policy language does not
provide coverage for any of these potential claims.

In response to this gap in coverage, the insurance industry developed cyber
liability policies. The structure of these policies mirrors a standard
business automobile policy in that they provide coverage for both
third-party liability claims against the insured and first-party claims the
insured makes against its own policy. However, many off-the-shelf cyber
liability policies feature a variety of broad exclusions companies should
be aware of, including:

No coverage for breaches of protected information in paper files. Despite
the name, a cyber liability policy can and should cover breaches of
protected information on paper files in addition to electronic records, yet
some policies don’t.

No coverage for claims brought by the government or regulators. A large
exposure for most companies is the potential legal action brought by the
Office for Civil Rights of the Department of Health and Human Services and
by state attorneys general, among others. Failure to provide at least
defense cost coverage, or coverage for fines and penalties, can leave a
gap in protection.

No coverage for vicarious liability. When a company entrusts data to a
third-party vendor (e.g., a third-party processor or cloud provider) and
the breach occurs on the vendor’s system, you’d expect to be protected.
However, some cookie-cutter cyber liability policies won’t cover this.

No coverage if you fail to encrypt data. Under this exclusion, a loss
involving data the insured did not encrypt is simply not covered, so the
company's actual encryption practices (laptops, backups, portable media,
data in transit) must match the policy's definition of "encrypted," or the
exclusion will apply.

CISOs are well aware of the fact that it’s not a matter of if but when
their companies will be hacked, and to what degree. In an era of tightening
security budgets and heightened risk, it’s critically important to take a
hard look at whether current cyber liability policies can both help
companies get out of tough situations and keep them moving in the right
direction.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/