CYBER INSURANCE should protect SMBs (and the MSPs servicing them) from the financial effects of a data breach, but insurers can deny claims for a variety of reasons. That’s why it’s important to pay attention to the details.
Benjamin Dynkin, co-founder and co-CEO of Great Neck, N.Y.-based managed security provider Atlas Cybersecurity, says he is seeing “a lot more creative rejections on a large scale.” Dynkin, who is also co-executive director of the American Cybersecurity Institute, encourages businesses to “work with a broker that understands these things.”
Most commonly, insurance claims are denied due to inaccuracies in the policyholder’s self-reporting surveys. “Whether through lack of knowledge or because they quickly filled out a form, it’s easy for a company to overstate how they protect themselves,” Dynkin says. “When the information on that form doesn’t line up with what’s really happening, that’s grounds for rejection.”
Dynkin says that in addition to remaining compliant with the security terms of coverage, SMBs must understand exactly what’s covered.
“Essentially what we’ve seen in the cyber-insurance security landscape is a tension between traditional notions of cyberattacks versus what [would] be a process failure,” Dynkin explains, offering the example of a fraudulent email resulting in a compromise.
The insurance company will call this an internal process failure, he says. “They’ll say, ‘This has nothing to do with cyberattacks; they just tricked you.’”
“Make sure your broker won’t just slap together something told to them by their underwriter,” Dynkin advises. “Get walked through it.”
Moreover, new questions of coverage are arising all the time, Dynkin says. For example, the June 2017 NotPetya cyberattack caused damage globally, and in a February 2018 assessment from the U.K.’s National Cyber Security Centre, Britain determined “the Russian military was almost certainly responsible for the ‘NotPetya’ cyber attack.”
According to Dynkin, this declaration had an interesting policy implication: namely, the “act of war exception.” Some insurers claimed “acts of war” were not covered under standing cyber-insurance policies.
“Nation states are getting more and more active in the space,” Dynkin says, asking, “If that becomes a more common thing, does that get exempted?”
Beyond whether a claim will be covered, there is the question of how much a policyholder will get. Dynkin advises SMBs to plan for business interruption, the costs of which are easy to underestimate.
“There are very serious considerations around this,” he warns. “If you sub-limit the wrong way, that may not be enough. Make sure you’re adequately covered for your business.”