Does your cyber insurance cover social engineering? Read the fine print

Some cyber insurance policies will pay only a small fraction of damages if an attacker used social engineering. Here's how to estimate the risk.

Cybersecurity insurance is quickly becoming a must-have risk offset for businesses of every size. Already one-third of U.S. businesses have cybersecurity insurance, and the market is expected to grow to $14 billion by 2022.

Insurance companies are making bank. In 2017, cybersecurity insurance carriers paid out only 32% of premiums, less than they paid out in the prior year (48%). The cost for most businesses is relatively low, usually just 1% to 3% of what they pay for other insurance coverage. Business leaders tell me that their cost for cybersecurity insurance ranges from $5,000 to $25,000 for multi-millions of dollars in coverage. It’s a small cost to pay for big coverage. Or is it?

What is a social engineering reduction clause?

I’m now hearing about big cybersecurity insurance policies that have “social engineering” reduction clauses. Essentially, if your organization experiences a cybersecurity incident and it involves a social engineering attack vector, the expected payout is reduced significantly from what the full policy promises. As an example, one city government told me they had a $50 million cybersecurity insurance policy, but if a claim involved social engineering, it paid out a maximum of only $200,000. (I’m assuming the deductible applies toward that figure as well.)

If your cybersecurity insurance policy includes such a clause, this is huge!
