Cybersecurity Insurance: Will Your Claim Be Denied?
Key Points:
- Cybersecurity insurance is an important tool to help protect businesses from the financial costs of a data breach. Still, it’s important to understand your policy’s limitations and ensure you have the right coverage.
- Not every cyberattack will be covered by insurance; in some cases, claims may be denied.
- It’s important to keep up-to-date with regulation changes, work with your insurance broker or provider to ensure you have the right coverage, and understand the terms of your policy.
- Proactive risk management practices are also important, as is having a plan in place in case of a data breach.
If you believe that every cybersecurity insurance claim will be approved, you may be surprised to learn that many claims are denied. When your insurance provider reviews your claim, they will assess your due diligence in maintaining cybersecurity for your organization. Your claim may be denied if it is determined that you could have prevented the data breach or incident. While having cybersecurity insurance is a must-have for businesses, there is no guarantee that your claim will be approved.
Why Is It Important to Comply With Cybersecurity Insurance?
You likely agreed to certain terms and conditions when you signed your insurance policy. One of these was likely a duty to take reasonable care to protect your property from loss or damage. This means you must take reasonable steps to protect your business from a data breach or cyber attack. If you have not taken reasonable steps to protect your business, your insurance company may deny your claim. This is why it is so important to have strong cybersecurity measures and keep up with the latest cyber threats.
Why Are Some Cybersecurity Insurance Claims Denied?
As we mentioned, one of the reasons claims are denied is a failure to take reasonable steps to protect your business. However, there are other reasons claims may be denied as well. Some insurers will only cover certain types of cyberattacks or data breaches. For example, they may not cover phishing attacks or social engineering. Check with your insurer to see what is and is not covered under your policy.
There are several reasons why cybersecurity insurance claims are denied. Here are some of the most common:
You Did Not Have Adequate Cybersecurity Measures in Place
Your claim might be denied if you did not have adequate cybersecurity measures in place at the time of the data breach or incident. Your insurance provider will want to see that you took reasonable steps to protect your data and systems. This includes things like having a firewall, using strong passwords, and having up-to-date anti-virus software.
You Failed to Take Reasonable Steps to Prevent the Data Breach or Incident
Even if you had cybersecurity measures in place, your claim may still be denied if it is determined that you could have prevented the data breach or incident. For example, your claim may be denied if you failed to patch a known security vulnerability.
You Did Not Notify Your Insurance Provider Promptly
If you did not notify your insurance provider of the data breach or incident promptly, your claim might be denied. It is important to contact your insurer as soon as possible to begin the claims process.
Your Policy Has Exclusions
Some cybersecurity insurance policies have exclusions that may prevent your claim from being approved. For example, many policies exclude claims from certain cyberattacks, such as ransomware. Review your policy carefully to see if any exclusions could apply to your claim.
You Did Not Cooperate With the Investigation
Your claim might be denied if you did not cooperate with the insurance company’s investigation into the data breach or incident. The insurance company will want to interview you and review your records to determine what happened.
You Made Material Misrepresentations in Your Application
Your claim might be denied if you made material misrepresentations on your insurance application. For example, your claim may be denied if you failed to disclose a previous data breach or incident. Be sure to disclose all relevant information on your insurance application to avoid denying your claim.
The Incident Occurred Outside the Policy Period
Your claim might be denied if the incident occurred outside of the policy period. For example, if your policy has a one-year term and the incident occurred two years after the policy was purchased, your claim will be denied.
What Are the Impacts of a Cybersecurity Insurance Claim Denial?
If your cybersecurity insurance claim is denied, you may be left to pay for the damages out of pocket. This can be a significant financial burden, especially for small businesses. In addition, a denial can damage your reputation and leave you vulnerable to future attacks. If you are denied coverage, you can appeal the decision. Many insurance companies have an appeals process that you can follow.
Here are two real-life examples of companies that had their claims denied:
P.F. Chang’s China Bistro vs. Federal Ins. Co
Computer hackers stole nearly 60,000 credit and debit card numbers from P.F. Chang’s China Bistro restaurants in 2014. P.F. Chang’s had a cybersecurity insurance policy with Federal Insurance Company. Federal reimbursed Chang’s for nearly $1.7 million in costs under the policy, including conducting the investigation and legal fees. However, Bank of America Merchant Services(BAMS), Chang’s merchant services provider, imposed assessment fees totaling $1.9 million.
A federal district court ruled that Chang’s had no cyber protection company for the assessment fees. The court found that the insurance policy’s “Privacy Injury” coverage did not apply to the claim because the policy’s definition of “Privacy Injury” required the compromised confidential records at issue to be the claimants. In this case, the payment card information taken in the breach belonged to Chang’s customers and the card-issuing banks, not the acquiring bank that sought reimbursement.
The policy also did not include Payment Card Industry coverage, a coverage option for restaurants, retailers, and other businesses that handle debit or credit card information. Without this coverage, Chang’s was not insured for the amounts assessed by the card company.
Family and Children’s Services of Lanark, Leeds and Grenville vs. Co-operators
According to FCSLLG(a Canadian not-for-profit organization), an unidentified hacker accessed the organization’s website and stole sensitive information in 2016. The stolen data was later shared on multiple Facebook pages. As a result, a class proceeding was filed against FCSLLG, seeking damages of $75 million. FCSLLG filed a claim against the company it hired to revamp its website.
FCSLLG had two policies with Co-operators during the breach, but Co-operators denied coverage for both policies. Co-operators also denied coverage to the third party. The policy excluded any loss from the distribution or display of data utilizing an internet website.
These are only two examples of many companies that have had their cybersecurity insurance claims denied. As you can see, even with insurance, there is no guarantee that you will be covered in a cyberattack. It is important to carefully read your policy and ensure that you are aware of any exclusions.
How to Navigate Compliance for Cybersecurity Insurance
While it may seem daunting to keep up with all the different compliance regulations, there are a few key steps you can take to make it easier:
- Keep up-to-date with regulation changes. This can be done by signing up for newsletters or following industry news sources.
- Work with your insurance broker or provider to ensure you have the right coverage.
- Make sure you understand the terms and conditions of your policy.
- Be proactive in your risk management practices. This includes having strong security measures and being aware of the latest threats.
- Have a plan in place in case of a data breach. This should include who to contact and what steps to take.
Cybersecurity insurance is an important tool to help protect businesses from the financial costs of a data breach. However, it’s important to understand your policy’s limitations and ensure you have the right coverage in place. Cybersecurity insurance is not a cure-all, and it’s important to complement your policy with strong risk management practices.