Cyber insurance providers are challenging a court ruling that ordered them to pay damages for the 2017 NotPetya attack on pharmaceutical company Merck & Co., which resulted in $1.4 billion in losses.
Insurers argue that policies should not cover cyberattack losses due to the “war exclusion” clause that blocks claims resulting from military action. If the insurers win, businesses may become more vulnerable to cyber-attacks attributed to foreign governments.
In January of this year, I noted that Lloyd’s of London Ltd. would require all its insurer groups to exclude catastrophic state-backed hacks from stand-alone cyber insurance policies. By March 31, policies will include clauses that exclude losses resulting from war, whether declared or not, unless a policy contains a separate war exclusion. This change reflects the insurance industry’s approach to cyberattacks.
Here are some tips to help you prepare if cyber companies win.
Review your policy
It is crucial for businesses to carefully review their cyber insurance policies and comprehend their coverage, as well as any extra coverage that is available at a higher cost. Policyholders must take specific actions, such as securing their cyber infrastructure, limiting system access to essential personnel, protecting customer data, verifying security with third-party providers, and training employees in cyber security awareness and phishing prevention.
Know your obligations
In cases where the language of a cyber insurance policy is unclear, businesses should consult with their insurance agent and ask for a comprehensive list of their obligations and the agent’s suggestions. Remember, insurers safeguard against common risks, not uncommon ones, and adhering to policy requirements is crucial for coverage to be applicable.
Businesses must take practical measures like implementing secure systems, maintaining security certificates, and regularly updating software to apply security patches. Failing to do so may lead to the denial of insurance claims.
Protecting company data
Protecting customer data is another essential requirement, including how data is collected, transmitted online, and stored and how long they keep it. Best practices vary depending on the type of data collected, with sensitive personal data requiring the strongest protections.
Businesses must verify the security practices of all third-party providers, including phone companies, internet service providers, web hosts, and software vendors. All vendors may request cybersecurity documentation in the event of a claim.
Employee training
Businesses must provide annual or in-depth training to employees on cyber security awareness and phishing protection. Some policies may even require training for all new employees within a specific period and regular refresher courses. Compliance with these requirements is essential for businesses to maintain cyber insurance coverage.
With our comprehensive suite of cybersecurity solutions, including threat detection and response, risk management, and compliance services, you can rest easy knowing that your assets are in good hands. We take a proactive approach to insurance, stay ahead of the latest threats, and provide ongoing monitoring and support to secure your systems and data.
If you’re interested, please reach out to us for a no-obligation consultation at www.CyberSecurityMadeEasy.com
