Make sure you’re covered for the gray areas—that’s the warning from insurance attorney Scott Godes, who talked to TechRepublic recently about the chasm between cyberpolicies and traditional crime coverage.
Uninsured losses resulting from social engineering are an all-too-common plight of American businesses, said Godes, a partner in the Washington., D.C. office of Barnes & Thornburg, where he co-chairs the data security and privacy practice.
For example, the P.F. Chang’s restaurant chain got hacked for 60,000 customer credit card numbers, and then got stuck with a nearly $2 million bill to a payment processing company that its cyberinsurance policy from the Chubb insurance company didn’t cover, Godes observed.
Some insurance companies are trying to fill the middle ground. One example is Willis Towers Watson, an insurance brokerage that recently announced its CyFi plan—that’s short for cyberinsurance and fidelity, vice president Peter Foster explained.
Fidelity bond is insurance-speak for a crime policy involving the theft of money. A client of Foster’s in the financial field nearly lost a large sum when one of their corporate officers was asked to surreptitiously transfer money online, which inspired Willis to expedite its product offering, he said. That wouldn’t have been covered in a standard cyberinsurance policy.
“They managed to stop it in time, but it’s what got them concerned,” Foster said. “Because [CyFi] is a gap filler, it is considered primary coverage to fill that gap and will also serve excess over the crime policy and the cyber policy,” he said.
“Such gaps may include losses arising from social engineering; theft of confidential information; a narrow definition of computer systems; mechanical failures or errors in program designs; and cyberterrorism,” Willis’ announcement stated. Willis plans to make the policy available to other industries, not just the financial field, Foster added. Lloyd’s and U.S. Underwriters are the companies behind the policy, he said.
Godes said Willis’ new plan goes further than others have to date. “Cyberinsurance in particular has kept me busy since 2008,” he said. “You would be hard-pressed to find stock cyberinsurance that covers money lost by being wired around from social engineering fraud.”
SEE: 5 things to know about terrorism insurance (CBS News)
There are other caveats that companies shopping for cyberinsurance should beware, Godes added. Those include coverage limits due to regulatory actions; lack of coverage for the cost of call monitoring, credit monitoring, and forensic investigations; and denial of coverage if a hack began before the coverage term. Another aspect to consider is cybercoverage for an attack on your company that results in hurting other companies, such as the recent distributed denial-of-service attack on domain name system provider Dyn.
However, “It’s still an evolving market. Ultimately the policies as we see them today have only been around a few years,” Godes noted. “Ask a lot of questions as you’re buying. That’s probably point number one. Ask questions about why and how this policy you’re thinking about buying is well-suited to your company and your company’s risk. What might be important to one entity might be completely unimportant to another.“