Why your cyber insurance investment may not pay off

Applying due care to make sure your insurance investment pays off

cyber insurance

As I write this article, there are a growing number of companies around the country that are feeling more financially secure than they should. Their security comes from their purchase of cyber insurance to help covers any costs related to a data breach, an approach growing in popularity. I would suggest however that their security may be misplaced. Many companies will discover to their shock, that if they fail to take reasonable precautions, that their insurance investment will be worth the approximate value of the paper it is printed on. 

By way of disclaimer, this article is not intended to provide detailed information on cyber insurance. This is a complex topic, about which volumes could be written. Rather, my focus is on the making sure you understand what reasonable precautions you must take to make sure any such investment can stand up to scrutiny. 

In the insurance industry, the term used for these reasonable precautions is “due care.” This term sounds simple, but actually encompasses great legal complexity. Duhaime’s law dictionary defines due care as “the degree of care which a person of ordinary prudence would exercise under the same or similar circumstances.” The issue is that there is no official, recorded, formal definition of “person of ordinary prudence.”  The ordinary person is often not defined until a particular dispute is litigated, and the jury makes a decision.  

The challenge for companies purchasing cyber insurance is that all such policies require the insured to exercise “due care” in their exercise of day-to-day security procedures. In the event of a breach, the failure to achieve due care in the opinion of the insurance company may result in the denial of the claim. Such denial may then result in litigation, at which point both parties are subject to the whim of the jury. 

For larger companies seeking cyber insurance, the insurer usually conducts a fairly extensive analysis of the company’s internal policies and procedures prior to issuing the policy. This is necessary given the potential size of the claims. On the other hand, smaller companies can purchase such policies with little or no review of their level of protection, meaning that they may not discover their due care is insufficient until they have a claim denied. 

To further complicate matters, insurance companies do not share a common definition of due care. The White House publication "Cyber-Insurance and Impact on Cyber-Security" puts it well: "The exact tools and metrics used by a cyber-insurance carrier is proprietary to that carrier, and might differ from carrier to carrier." 

The industry is just beginning to see litigation related to cyber insurance coverage. A recent article in Legaltech News stated that "2015 will also be remembered as the year data breach coverage disputes under stand-alone cyber insurance policies began to leak into the courts." They cited one case, Continental Casualty Co. v. Cottage Health Systems, involving a dispute related to the policy's failure to follow minimum required practices exclusion. Much case law remains to be written, but so far, the courts have not sided with the insured in most cases. 

If you are considering cyber insurance, you are in my opinion doing the right thing. The cost of a data breach can be staggering, and many small and medium companies suffering one will not even survive. That being said, the purchase of a policy without establishing and following appropriate information security policies and procedures may well be a waste of money. Attorney Eran Kahana, a guest on episode 172 of the Down the Security Hole podcast, put is quite simply: "If you don't do security well, the courts will kill you." Since a strong security posture is necessary anyway to protect your business, the ability to meet the requirements for cyber insurance is just a bonus. 

The following are some of the general thing you will need to have in place prior to seeking insurance. It is important however to understand the specific requirements of a given policy, and it is wise to have your attorney and information security advisor look over your shoulder. 

A living information security policy

A written information security policy is considered the core element necessary to meet the requirements for cyber insurance (and something you should have anyway). This is your initial proof that you have evaluated your security precautions against industry best practices, legal requirements, and precedence. 

Adherence to an appropriate standard

A cyber insurance policy does not generally specify a particular standard that must be followed. That being said, I refer you back to the definition of due care shown above, particularly the phrase "a person of ordinary prudence." Using a recognized standard is a good way to establish ordinary prudence. The standards that would apply depend on your industry, and the nature of your business, but might include PCI DSS, HIPAA ISO 27001 and/or SSAE 16

Evidence that you follow your policies and standards

Just telling the insurance company or a court that you follow your published policy and the designated standard will not get you very far. You need logs and documentation to demonstrate that you are doing so. A key part of this documentation is your incident response policy, and documentation related to the handling of you incidents. In addition, if your policy calls for regular credential audits or log reviews (and it should), you should document these reviews, and save them forever. 

An understanding of what you are protecting

You will need to specify the amount of coverage you need, and doing this properly requires that you understand the value of what you have. The main areas of concern include the value of the data you possess, including the potential loss from litigation if customer data is stolen, and loss of revenue in the event that a security incident disrupts your operation. 

You should know that your reputation cannot be insured. It is vital therefore that you protect your information security to preserve your reputation, insurance notwithstanding. 

Bottom line -- cyber insurance is an increasingly important asset for businesses. That being said, you will only get out of the insurance process what you put into it. If you don't do your homework however, you will be wasting your money. 

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)