• United States




Why your cyber insurance investment may not pay off

Jan 07, 20166 mins
Internet SecuritySecurity

Applying due care to make sure your insurance investment pays off

cyber insurance
Credit: Thinkstock

As I write this article, there are a growing number of companies around the country that are feeling more financially secure than they should. Their security comes from their purchase of cyber insurance to help covers any costs related to a data breach, an approach growing in popularity. I would suggest however that their security may be misplaced. Many companies will discover to their shock, that if they fail to take reasonable precautions, that their insurance investment will be worth the approximate value of the paper it is printed on. 

By way of disclaimer, this article is not intended to provide detailed information on cyber insurance. This is a complex topic, about which volumes could be written. Rather, my focus is on the making sure you understand what reasonable precautions you must take to make sure any such investment can stand up to scrutiny. 

In the insurance industry, the term used for these reasonable precautions is “due care.” This term sounds simple, but actually encompasses great legal complexity. Duhaime’s law dictionary defines due care as “the degree of care which a person of ordinary prudence would exercise under the same or similar circumstances.” The issue is that there is no official, recorded, formal definition of “person of ordinary prudence.”  The ordinary person is often not defined until a particular dispute is litigated, and the jury makes a decision.  

The challenge for companies purchasing cyber insurance is that all such policies require the insured to exercise “due care” in their exercise of day-to-day security procedures. In the event of a breach, the failure to achieve due care in the opinion of the insurance company may result in the denial of the claim. Such denial may then result in litigation, at which point both parties are subject to the whim of the jury. 

For larger companies seeking cyber insurance, the insurer usually conducts a fairly extensive analysis of the company’s internal policies and procedures prior to issuing the policy. This is necessary given the potential size of the claims. On the other hand, smaller companies can purchase such policies with little or no review of their level of protection, meaning that they may not discover their due care is insufficient until they have a claim denied. 

To further complicate matters, insurance companies do not share a common definition of due care. The White House publication “Cyber-Insurance and Impact on Cyber-Security” puts it well: “The exact tools and metrics used by a cyber-insurance carrier is proprietary to that carrier, and might differ from carrier to carrier.” 

The industry is just beginning to see litigation related to cyber insurance coverage. A recent article in Legaltech News stated that “2015 will also be remembered as the year data breach coverage disputes under stand-alone cyber insurance policies began to leak into the courts.” They cited one case, Continental Casualty Co. v. Cottage Health Systems, involving a dispute related to the policy’s failure to follow minimum required practices exclusion. Much case law remains to be written, but so far, the courts have not sided with the insured in most cases. 

If you are considering cyber insurance, you are in my opinion doing the right thing. The cost of a data breach can be staggering, and many small and medium companies suffering one will not even survive. That being said, the purchase of a policy without establishing and following appropriate information security policies and procedures may well be a waste of money. Attorney Eran Kahana, a guest on episode 172 of the Down the Security Hole podcast, put is quite simply: “If you don’t do security well, the courts will kill you.” Since a strong security posture is necessary anyway to protect your business, the ability to meet the requirements for cyber insurance is just a bonus. 

The following are some of the general thing you will need to have in place prior to seeking insurance. It is important however to understand the specific requirements of a given policy, and it is wise to have your attorney and information security advisor look over your shoulder. 

A living information security policy

A written information security policy is considered the core element necessary to meet the requirements for cyber insurance (and something you should have anyway). This is your initial proof that you have evaluated your security precautions against industry best practices, legal requirements, and precedence. 

Adherence to an appropriate standard

A cyber insurance policy does not generally specify a particular standard that must be followed. That being said, I refer you back to the definition of due care shown above, particularly the phrase “a person of ordinary prudence.” Using a recognized standard is a good way to establish ordinary prudence. The standards that would apply depend on your industry, and the nature of your business, but might include PCI DSS, HIPAA ISO 27001 and/or SSAE 16

Evidence that you follow your policies and standards

Just telling the insurance company or a court that you follow your published policy and the designated standard will not get you very far. You need logs and documentation to demonstrate that you are doing so. A key part of this documentation is your incident response policy, and documentation related to the handling of you incidents. In addition, if your policy calls for regular credential audits or log reviews (and it should), you should document these reviews, and save them forever. 

An understanding of what you are protecting

You will need to specify the amount of coverage you need, and doing this properly requires that you understand the value of what you have. The main areas of concern include the value of the data you possess, including the potential loss from litigation if customer data is stolen, and loss of revenue in the event that a security incident disrupts your operation. 

You should know that your reputation cannot be insured. It is vital therefore that you protect your information security to preserve your reputation, insurance notwithstanding. 

Bottom line — cyber insurance is an increasingly important asset for businesses. That being said, you will only get out of the insurance process what you put into it. If you don’t do your homework however, you will be wasting your money. 


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIT and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author