Tag Archives: cyber insurance

Cybersecurity Application Questions

When you renew or try to obtain cyber insurance, the questions have historically been pretty lame. But, in the face of large losses, insurance companies are STARTING to get serious. Here is a report from one company on what their insurance company asked at renewal time. This is from an actual application.

How would you answer these questions?

Do you perform regular backups and store them in a secure off-site location? Note the second part. Ransomers are targeting backups, if they can get to them.

Do you limit remote access to all computer systems by using two-factor authentication? Ignore, for the moment, that these folks can’t construct a well-formed English sentence; they want to know whether you REQUIRE two-factor authentication for ALL remote access.

How many PII records are held on your network? Note they are not asking how many are created each year, but how many are stored. Getting rid of old data reduces this number.

Do you provide periodic anti-fraud training to all employees? Everyone should be doing this, but are you? Lying on an application is likely grounds for not paying when there is a claim.

Are processes in place to request changes to bank account details including account numbers, telephone numbers or contact details? Unfortunately, this may be up to your bank, but you should find out what is available. Or, if this really awkward question means how do you authenticate your customers when they want to change their bank account, the task is up to you to deal with.

Are you using Office 365? Huge attack surface – enough said.

Can users access email through a web application on a non-corporate device? Start with your phone.

Do you STRICTLY enforce SPF on incoming email? Maybe 1% of companies do this because, they say, they might miss an email from a customer, so it is better to let all those phishing emails in.
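To make the “strictly enforce” part concrete, here is a small added example (not from the original post or any vendor) that evaluates a sender IP against a constructed SPF record and then applies either a lenient policy (reject only on hard fail) or a strict one (deliver only on pass). The domain names, records and IPs are made up; only the ip4, ip6 and all mechanisms are handled, since include/a/mx need live DNS.

```python
import ipaddress

# Constructed sample SPF TXT records; these are not real domains.
SPF_RECORDS = {
    "example-bank.test":   "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",  # hard fail
    "example-vendor.test": "v=spf1 ip4:198.51.100.10 ~all",                     # softfail
    "example-shop.test":   "v=spf1 ip4:192.0.2.5 ?all",                         # neutral
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, sender_ip, records=SPF_RECORDS):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror)
    for sender_ip claiming to send as domain, using the records table
    in place of a DNS lookup."""
    record = records.get(domain)
    if record is None:
        return "none"                      # no SPF record published
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"                         # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qual]        # "all" matches everything
        mech, _, arg = term.partition(":")
        if mech.lower() in ("ip4", "ip6"):
            # A bare address is treated as a /32 or /128 network.
            # Version mismatch (v4 address vs ip6 network) simply does not match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        else:
            return "permerror"             # include/a/mx: DNS needed, out of scope
    return "neutral"                       # record ended without an "all" term


def enforce(result, strict):
    """Lenient (what most sites do): reject only on a hard fail.
    Strict (what the application asks about): deliver only on pass,
    so softfail, neutral and missing records are all rejected."""
    if strict:
        return "deliver" if result == "pass" else "reject"
    return "reject" if result == "fail" else "deliver"
```

The difference shows up on the softfail (~all) record: lenient mode lets that mail in, strict mode does not.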

Are your backups encrypted AND kept separate from your network, whether offline or with a specialist cloud service? Again, they are asking whether a hacker can wipe your backups before encrypting your systems.

Do you use endpoint protection in the network? What brand? What steps are you taking to protect your systems?

How long does it take to install critical high severity patches? Remember, it only takes hackers hours to weaponize them.

Do you have a SOC (Security Operations Center)? Most do not.

What steps are you taking to detect and prevent ransomware? It is costing the insurance company billions, so it is a reasonable question.

Some of the other questions include:

  • Have you implemented a hardened baseline configuration across servers, laptops, desktops, and managed mobile devices?
  • How do you implement local administrator rights?
  • Do you provide users with a password manager software?
  • Are end-of-life or out-of-support hardware and systems segregated from the rest of the network?

You probably have a good idea what the right answer is. If you need help getting there, contact us.

Credit: CSO Online

CCPA and Cyber Insurance

The law firm of Bryan Cave has done some interesting analysis.

On January 1, 2020, California became the first U.S. state to allow a breach victim to sue a company that was breached without having to prove they were damaged. The breach alone was proof of damage. The amount any one person can sue for is small – between $100 and $750, but when you multiply that by any reasonable number of victims – say 10,000 which by today’s standard is a small breach – and now you are talking money. In this example, between a million and 7.5 million dollars.

So what did Bryan Cave’s analysis show?

27 of the 84 breaches reported to the CA AG so far this year have resulted in litigation. There have been 34 actions filed referencing CCPA.

Of course a lot of this is garbage.

Some of the suits were filed for breaches that happened before CCPA went into effect. Some were filed before the 30 day cure period expired (although it is hard to cure a breach, the law says ya gotta let ’em try).

Some were filed for non-breach related CCPA violations. Note: the law does not allow for private rights of action in these cases.

Some of this could be attorneys practicing. Or testing the courts to see if they have read the law or want to create a law of their own. This part will pass.

Still 30% of the breaches reported to the AG have resulted in some form of legal action. This is up from 4-6 percent in previous years.

So what does this mean for a company with customers in California?

It means the economics of cyber security is changing, and changing rather rapidly. This is, in my opinion, exactly what the framers of the ballot initiative (Alastair Mactaggart) that forced AB 375 to be passed into law wanted.

Whether you agree with Alastair or not, you need to recognize that the economics of cybersecurity for companies that have customers in the world’s 5th or 6th largest economy has changed.

Likely it will continue to change.

Will insurance companies, understanding that their risk profile has changed, start demanding better security if you want insurance? Don’t know, but they understand math. Either better security, higher premiums or no insurance.

Will banks start demanding better security for companies who want loans? Certainly bad security increases loan risk.

Will investors start demanding better security for companies that they invest in? Some already have.

So what does this mean for companies?

Consider the new economics. Then consider your security profile. Finally, consider what would happen if you were breached.

Credit: Bryan Cave

Cyber Insurance For Mere Mortals

We have been trained by the insurance industry that you buy insurance and if you have an event, you make a claim and get paid.

For the most part, with your auto insurance or your homeowners insurance, that is the way it works.

Rarely, but sometimes, you discover that you don’t have the right coverage (like not having flood insurance in New Orleans or not having earthquake insurance in California).

Insurance companies carve out exceptions to coverage to limit their liability and they would say, to make insurance more affordable.

But when it comes to cyber insurance, it is kind of like walking through a mine field with no mine detectors or maps.

Witness this:

AIG is being sued by a customer in New York because the client was suckered in by a series of business email compromise attacks where the customer lost almost $6 million.

AIG’s defense is that their policy doesn’t cover dishonest, fraudulent or criminal acts.

Isn’t that what most cyber insurance is designed to cover – crime?

AIG did provide legal fee coverage when their client was sued by its own client for losing its money. That was covered until they figured out that this was related to crime. But getting their $6 million back – that is not covered.

They say the language of the policy is:

alleging, arising out of, based upon or attributable to a dishonest, fraudulent, criminal or malicious act, error or omission or any knowing or intentional violation of the law…

Since we don’t have a copy of the actual insurance policy, we don’t know if this is really a cyber risk policy or something else.

In another case, Zurich Insurance is refusing to reimburse Mondelez for costs related to the NotPetya attack a few years ago. Mondelez, the company that owns Oreos, Ritz, Tang and many other brands, lost over $100 million as a result of the attack.

In the Mondelez case, they are trying to use an “all-risk property insurance policy” because, they say, NotPetya resulted in the failure of the Insured’s electronic data processing equipment.

In this case, Zurich says that they won’t pay [probably ‘cuz a hundred million dollars is a lot of money] because there is an exclusion for hostile or warlike action … by any government or sovereign power … or agent or authority [thereof].

It appears – but I can’t be certain – that in both of these cases, the companies didn’t have legitimate cyber risk insurance but rather were trying to claim coverage under other policies that might have some possible overlap.

That being said, cyber risk policies in almost every state are non-standard form policies meaning that the state insurance department doesn’t approve the language of the policy.

Cyber risk policies are also considered “excess-lines” insurance in most states, with a big warning about that in the front of the policy. This means that you cannot file a complaint with the state insurance commissioner if you don’t like how the insurance company is operating.

So does this mean that cyber insurance is worthless?

Not in my opinion.

It does mean that you should not try to claim coverage if you don’t have a cyber risk policy, although, I guess, you can try.

Most insurance companies will not pay cyber claims under other policies. Their actuarial data just doesn’t allow for that.

I am not sure what to do about AIG’s claim that their policy doesn’t cover fraudulent or criminal actions. Isn’t that a major reason why you buy insurance? That seems kind of like if you had auto insurance and your car was stolen, the insurance company says we don’t cover it if someone steals your car. BUT, if, for example, all you bought was liability insurance, then you really don’t have the right coverage and they won’t pay for your stolen car.

When it comes to lack of coverage due to hostile or war-like actions, well, that is pretty nebulous. I would say almost all hacking is hostile. Is it done by a government or government agent? Maybe, but much hacking is done by governments.

I have worked with clients to get insurers to remove, restate or restrict that war-like nonsense.

What does all this say? When you buy cyber risk insurance – and I think you should do that – you need to have an expert on your side. One who doesn’t earn a commission from writing the policy.

You also need a broker who understands cyber risk insurance. One question I always tell clients to ask their broker is: how many millions of dollars of cyber risk insurance like the type we are looking for did you write last year? Or how many policies did you write? And do not let them include general liability that has a useless cyber rider.

If they wrote 1,000 or 5,000 policies last year and wrote 20 cyber policies, how much of an expert do you think they are about those 20 policies?

Their world revolves around commissions. If they made $1,000 in commission from cyber policies and $100,000 from other insurance, where do you think their attention is going to be?

Get the right policy from the right broker underwritten by the right insurer.

P.S., if you need help, contact us and we will connect you with some great brokers.

Source: Cyberscoop

Why Cyber Insurance is Important to Small Businesses

While the breaches at Target, the IRS, Chipotle and others made the news during 2017, small business breaches were up over 40% between 2015 and 2016 and don’t show any signs of letting up.

Given that, here are some reasons why small businesses should have cyber risk insurance.

#1 – Small businesses do not have as sophisticated defenses as large businesses. As a result, small businesses are an easier target for the bad guys. Small businesses do not have a full time cyber security team and often outsource IT completely with no one really directing that outside vendor unless something breaks.

#2 – Small businesses collect large amounts of personal data from their customers. While business owners may disagree with this, the reality says that there is a lot of data. There is also a lot of internal sensitive data like company credit card and personnel information. When customer or internal sensitive data is taken, general liability insurance will not cover either the expenses or the losses. Small businesses also do not have the sophisticated applications that large businesses use to protect that sensitive data.

#3 – Often, after breaches come and go, what follows is lawsuits. While lawsuits may ultimately be dismissed, the costs involved in defending your company are expensive and the lawsuits are distracting, so, in many cases, companies choose to settle. Recently, Avmed settled for $3.1 million, Schnucks for $2.1 million and Vendini settled for $3 million. While such a settlement would be petty cash to Target, it is a large check to write for a small business. In addition to writing the settlement check, the company also has to pay for their defense and, in many cases, the other side’s offense. That is a lot of money for small businesses.

#4 – The only things certain are death … and cyber breaches … to paraphrase an old expression. While the exact numbers are debatable, the source article for this post says that more than half of small and medium businesses are out of business within six months of a successful attack. If a small business cannot recover from a ransomware attack, it could be toast. Let’s say that number is wrong and it is only 25% that fail after a cyber attack – that would be devastating to the owners and the employees. And even if the company stays in business, its ability to operate may be seriously impacted as a result of the distraction, expenses, customer defections and legal costs.

Right now cyber insurance is reasonably priced. Not free, but usually affordable. And, for companies that practice good cyber security practices, the rates are often lower than for companies that do not have an active cyber security program.

Could your company afford to write a million dollar check after a cyber breach?

In addition, the insurance companies offer preventative services for free and cyber incident response services from a variety of vendors at negotiated rates.

Information for this post came from NoPa$$iveIncome.

Insurers Say Cancer Center “On Its Own”

I wrote about 21st Century Oncology in March (see post here) when the FBI came knocking on their door. The result? 2.2 million records compromised. At that time they said that they likely did not have enough insurance to cover the costs of the breach.

Fast forward six months.

Law360 is reporting that Charter Oak Fire Insurance and Travelers Property Casualty Co. have asked a Florida court to rule that they have no duty to defend.

There are currently 17 class action suits pending. If these insurance companies are found to have a duty to defend 21st Century Oncology, they will spend millions doing that. Maybe tens of millions.

This incident was a cyber breach. These insurance policies do not appear to be cyber policies. Given that 21st Century has already said that they are concerned that they do not have enough insurance, they are likely grasping at straws.

Part of the reason that these lawsuits have been filed is that the plaintiffs say that 21st Century should have notified them sooner.

The breach happened, they say, around Oct. 3, 2015.

The FBI told them about the breach on Nov. 13th.

21st Century notified patients of the breach on Mar. 4, 2016, at the request, they say, of the FBI to delay notification. I am not familiar with Florida law, but most states have an exemption from prompt notification when law enforcement requests it. Assuming this is the case in Florida and assuming the FBI did ask for the delay, I don’t think this part of the case has much of a chance of succeeding. However, I am not a lawyer and I certainly don’t pretend to be able to predict what juries will do.

I assume that the 17 pending class actions have a lot more claims in them that they will have to defend against.

The company’s 10-Q for the first quarter of 2016 said that they are “highly leveraged”, with over $1 billion of long term debt, and are experiencing losses from operations. Given the financial challenges that they will have to deal with over the next several years, this is not a great situation. They have not revealed how much coverage they have. I don’t think I would buy their stock right now.

For other companies, this is a great opportunity to look at the risks that they face and the coverages that they have and determine if they are aligned with each other.

Many companies have a $1 million or $3 million cyber liability policy. For small companies, this is probably fine. For a company with 800 physicians and 140 facilities, in a highly regulated, highly targeted industry, how much coverage is appropriate? How much coverage could they buy at any price?

And, you can count on the fact that come renewal time, either they won’t be able to renew, the retained liability (deductibles) will be through the roof or the premium will be out of sight. We already saw this with Anthem after their breach.

I suspect that their troubles are only beginning.

My recommendation is (a) plan now, (b) have enough coverage and (c) make cyber risk mitigation a priority.

Information for this post came from Law360 (registration required).

Failure To Follow Minimum Required Practices

I have written several times about the fight between Cottage Health System and Columbia Casualty, a division of CNA Insurance.

In 2013 Cottage’s systems were breached and the private information of thousands of patients was publicly disclosed. Their insurance company paid $4.125 million for costs related to the breach, including a class action lawsuit.

That is the end of the good news. Last year Columbia filed suit against Cottage demanding their money back. They cited a number of reasons.

First, they said that Cottage failed to follow minimum required practices, which is a coverage exclusion in the policy. Columbia said that Cottage’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application” means that they don’t need to cover Cottage’s losses.

Translated from the original legalese, this means that Cottage claimed that they had implemented certain security policies and operational procedures when they completed their insurance application and, in fact, they did not. Or, they did have those policies and procedures, but they did not actively follow them.

Some of the things that Columbia said Cottage claimed it did, but did not, include:

  • Replace factory default passwords
  • Regularly patch their systems
  • Exercise due diligence over its information security management vendor’s safeguards

Columbia says that even if the hospital did not intend to lie, the “misrepresentation or omission of material fact” is enough, under the terms of the policy, to cancel the policy. So, they are saying, not only do they not want to pay, but they want to cancel the policy altogether.

Let’s separate this into two conversations.

First, if Cottage Health really did not change default passwords, promptly patch their systems, or have an effective vendor management program, then they are (a) pretty typical and (b) lucky that it only cost them $4 million to recover. Those are pretty basic things that everyone had better be doing.

On the other hand, and this is much more important, it points to the complexity of cyber risk insurance.

How many people, especially in a relatively small business, would understand what failure to follow minimum required practices means? As I understand it, the term was not further defined in the policy.

Although the article in National Law Review says the lawsuit was recently filed, it was actually filed over a year ago. Hopefully that does not point to a long editorial cycle on the web site’s part. Last I heard, the complaint has been withdrawn and the two parties are trying to work out a compromise out of court.

However this turns out, it is unlikely that Cottage will be receiving any more checks from Columbia as the costs of this breach may continue, and, in fact, they may have to find a new insurance company.

Trying to find a new insurance company after this “dispute” with their current insurance company has been plastered all over the news may not be easy.

The watchword here is BEWARE! The world of cyber risk insurance is somewhat like the Wild Wild West. It is definitely the world of buyer beware.

Information for this post came from National Law Review.