Lloyds of London on coverage limitation, for example its insurance products will no longer cover the fallout of cyber-attacks exchanged between nation-states. Many insurers are also imposing stricter safeguarding requirements which, although they help to support increased levels of cyber security defences, can also leave some organisations, especially SMBs, exposed, as they are less able to meet the new minimum threshold limits.

This makes knowing exactly what is covered in any policy you have today, or are contemplating purchasing in the future, a business and technology imperative. Companies should know that cyber insurance policies and ransomware protection warranties do not cover every aspect of attacks and, in most cases, there will be varying triggers, limits, conditions and coverages for different types of claims, which can lead to denial or a reduced claim, creating a gap between expectation and actualisation. Education and awareness here are key – you must be fully aware of what is not covered by your cyber insurance today, to avoid any surprises later. Roy May does a great job of covering exactly this point.

Let’s explore some of the key issues in turn to support exactly that.

- Third-Party Mistakes: Cyber insurance companies do not cover you if a cyber-attack takes place on any third-party system, causing damage to your primary business. These third-party software or services can be your web hosting, email, cloud services, customer service management or any other significant online business relationship.
- Losses Incurred During ‘Waiting Period’: The insurance world often has a time-based deductible referred to as a “waiting period.” Only the losses incurred after the completion of the waiting period are covered by insurance. This waiting period is usually around 10 to 12 hours. It means that if your network undergoes a cyberattack during the waiting period, you will not be able to claim money from your insurance.
- Loss During Downtime: Losses incurred during the business interruption event are not covered by major policies. The downtime can harm your business in many ways, leading to loss of productivity and of customers' trust, loyalty and ultimately their business. No matter how much this downtime costs you in lost sales, it will not be covered.
- Reputation Damage: This is one of the most significant risks a company faces if a cyber-attack or data breach happens. Indeed, 1 in 3 customers are willing to leave a brand they love after just one bad experience, rising to over 90% after 2 or 3 poor experience interactions. Any attacks during special events like Cyber Mondays can do even more harm to the organization. As it is difficult to quantify such loss, cyber insurance companies do not cover it in their policies.
- Bodily Injury or Property Damage: Cyber-attacks have tangible consequences. As the world moves towards IoT (Internet of everything), the connections between objects are increasing, and there are chances that this may lead to bodily injury or property damage. It can sound unusual, but many production firms nowadays run entirely on computers.

Everything from collecting raw materials to shipping the final products happens through automated systems. A cyberattack taking place during any part of this process would lead to a catastrophe. If a company ends up in such a situation, cyber insurance will likely not cover the (extent of the) need.

- New Hardware: Usually a cyber insurance policy will not cover property damage caused by a cyber-attack, such as hardware replacement and other equipment. It becomes problematic when the hardware is corrupted to such an extent that it is impossible to fix it. The best way in such cases is to replace the hardware with something new, but the organization itself will have to pay for this.
- Software Upgrades: The latest versions of the software are traditionally not covered by cyber insurance policies. In case of a cyber-attack, major cyber insurance policies will only help you restore the software to where it was before the attack took place.
- Lost Equipment: Most cyber insurance policies do not cover any cybercrime that originated from a lost portable device like a company laptop or tablet. Few insurance policies include only encrypted devices in their policy, so all the devices used in the organization must have appropriate security patches.
- Card Issuer Fines and Penalties: A key concern when dealing with a data breach is the penalties and potential fines imposed against a company by card issuers like MasterCard, Visa, etc., or indeed imposed against company directors under GDPR and similar regulations. These fines or penalties can reach a substantial amount of up to six figures. A few insurance companies exclude these types of fines from coverage, which could lead to severe financial loss.
- Specialised Attacks: Many insurance policies cover only attacks committed by cybercriminals seeking personal profit, or collective profit when bad actors collaborate for shared gain. They deny coverage if the attack is carried out with a motive of terrorism or by a nation-state actor for political ends, an area where research shows increasing scale and volume of attacks to evade detection (Microsoft 2021).
