XeneX

View Original

Avoiding Cyber Insurance Denials- How to

In an unprecedented 2022 federal ruling, a U.S. District Court found in favor of a request from Travelers Property Casualty Company of America (Travelers) to rescind the cyber insurance policy of one of its customers.

Following a $1 million claim filed by International Control Services Inc. (ICS) in response to a ransomware attack, Travelers asked the court to absolve them of any responsibility to cover the loss.

The reason? Travelers alleged that ICS misrepresented their multifactor authentication (MFA) status when filling out the insurance application, nullifying the policy. While they did use MFA to protect their firewall, ICS wasn’t using it to protect their servers or other digital assets as they had stated in the application. Travelers claimed they would not have issued the policy had they known about the misrepresentations, and ICS agreed to have the court rescind the policy, forfeiting all coverage.

The ruling is a harsh reminder to be detailed and accurate when filling out a cyber insurance application. Easier said than done with applications increasing in length and complexity. Underwriting questions are more specific than ever, as are the requirements for coverage.

With cyberattacks on the rise, insurance carriers are starting to protect themselves against massive payouts, ensuring businesses have the right controls in place to minimize the likelihood of incidents. A false statement on your insurance application is just one of the many reasons you may be ineligible for coverage. Policies are filled with loopholes and hidden “gotchas” that can result in a rejected claim.

Avoiding denials of cyber insurance claims requires careful consideration and proactive measures to ensure compliance with policy terms and conditions. Here are some steps organizations can take to minimize the risk of denial:

  1. Understand Policy Coverage:

    • Thoroughly review and understand the terms, conditions, and exclusions of your cyber insurance policy. Ensure alignment between your organization's cybersecurity measures and the coverage provided by the policy.

  2. Risk Assessment and Mitigation:

    • Conduct comprehensive risk assessments to identify vulnerabilities and potential threats to your organization's data and systems. Implement appropriate cybersecurity measures to mitigate identified risks and adhere to any risk management requirements outlined in the insurance policy.

  3. Compliance with Security Standards:

    • Align your organization's cybersecurity practices with industry standards and regulatory requirements. Compliance with frameworks such as the NIST Cybersecurity Framework, GDPR, HIPAA, or PCI DSS can demonstrate a commitment to security and reduce the likelihood of denials.

  4. Incident Response Planning:

    • Develop and regularly update an incident response plan that outlines the steps to be taken in the event of a data breach or cyber incident. Ensure that your plan aligns with the requirements specified by your insurance policy and includes procedures for notifying the insurer promptly.

  5. Documentation and Record-Keeping:

    • Maintain detailed records of cybersecurity measures implemented, incident response activities, and any communication with your insurance provider. Proper documentation can support your claim in the event of an incident and help demonstrate compliance with policy requirements.

  6. Training and Awareness:

    • Provide regular cybersecurity training and awareness programs for employees to educate them about security best practices, phishing awareness, and incident reporting procedures. Employee awareness and vigilance can help prevent security incidents and strengthen your case in the event of a claim.

  7. Prompt Notification of Incidents:

    • In the event of a cybersecurity incident, notify your insurance provider as soon as possible, as delayed notification may result in claim denial. Follow the reporting procedures outlined in your policy and provide all necessary documentation and information promptly.

  8. Engage Legal and Technical Experts:

    • Consider engaging legal and technical experts experienced in cyber insurance claims to assist with policy interpretation, incident response, and claim preparation. Their expertise can help navigate the complexities of the claims process and maximize the likelihood of a successful claim outcome.

By taking proactive steps to align cybersecurity practices with insurance policy requirements, organizations can minimize the risk of denials and ensure adequate protection against cyber threats. Regular review and updates to cybersecurity measures and insurance coverage are essential to adapt to evolving risks and maintain comprehensive protection.