The uptake of cyber insurance policies has grown rapidly due to the constant threat of hacking and cyber-attacks on an organization’s database. It is vital to know what a cyber policy covers, both when buying the policy and when making a claim under it. All insurance policies have some exclusions, and since cyber insurance is relatively new, ascertaining what it excludes is difficult.
Some common exclusions of cyber risk insurance are:
- Patent, software and copyright infringement:
Patents, software, and copyright are covered by an intellectual property insurance policy, not by a cyber policy. In some cases, however, a detailed written cyber policy can cover the defense cost of copyright infringement claims, but only when such claims result from the actions of a non-management employee or an outside third party.
- Wars and invasions:
Most cyber policies exclude damage resulting from war, invasions or insurrections.
- Failure in security measures:
When an organization makes a claim under a cyber risk insurance policy, it will be handed a number of questions regarding the steps taken to safeguard the data. If the insurer finds that the firm has failed to implement all the security measures, the claim will be denied. Not all policies available in the market have this exclusion, but if one does, the organization must be vigilant enough to follow all the required security measures.
- Bodily injury and damage:
When vital business data is breached, it does not mean that a person is directly physically injured because of it, and hence such a claim is excluded. However, some policies do cover the emotional distress and anguish caused by such events.
- Loss of electronic device:
When an employee loses a company-issued portable electronic device, coverage for that loss is excluded from the insurance.
- Vicarious liability:
When an organization passes the data to a third-party vendor, and the breach occurs at the vendor’s system, the claim may be denied.
- Government Entity or Public Authority:
Any recommendations or orders from a government authority or public authority are excluded.
- Specific Network Interruption Condition:
If data is lost due to any technical or network interruptions, it may be excluded.
Saleonline, an online shopping website, had been in business online for the past 5 years. It had a good amount of traffic on its website daily. Revenue figures showed year-on-year growth for this online firm.
However, a rogue employee inside the company got access to the personal information of thousands of customers, including their addresses and credit card details. Saleonline had obtained a cyber risk insurance policy which protected it against:
- The costs of notifying the thousands of customers whose data had been stolen.
- The costs of credit monitoring for the affected customers. This ensured that they suffered minimal losses after the information theft.
- The costs of representing and defending the online business against the legal action that was brought against them.
Due to the security breach of the website, the sales of this online shopping website slumped in the following months. The online business claimed for the loss due to reduced sales.
However, the claim was denied by the insurer, stating that loss of future revenue is not covered under a cyber risk insurance policy.
A car-component manufacturing company had obtained a cyber risk insurance policy to safeguard itself against cyber-crimes and malware. Since the business was mostly in the manufacturing segment, management gave less importance to software updates, and as a result the system had become outdated.
One day, an employee of this manufacturing company clicked on a malicious link in an email. Malware was downloaded onto the company server, encrypting all information. The company telephoned its insurance provider for assistance. When the IT forensic investigators came to assess the problem, they found that the system was poorly maintained, with no malware protection. This resulted in the claim being denied by the insurance company.