6 things to check in your cyber insurance policy fine print
Cyber insurance premiums are stabilizing, but coverage is narrowing. From AI risks to nation-state attacks, here's what your policy might no longer cover.
Cybersecurity insurance has never been a "must-have" purchase for enterprises, with many still forgoing any form of coverage. Others, however, have found it attractive as a way to hedge against the failure of their cybersecurity investments.
Cyber insurance can help an enterprise cover incident-related costs, such as fines for allowing personally identifiable information to leak or new laptops to replace those bricked by ransomware. In addition to financial support, some insurers can provide incident response assistance, ranging from expert technical advice and regulatory compliance guidance to crisis-specific public relations support.
But, as with other forms of insurance, cybersecurity insurers are ready and willing to disallow claims. And, for many years, they raised rates rapidly as they realized the true extent of enterprise vulnerabilities and saw how quickly the universe of threats evolved.
In the last couple of years, premium growth has slowed and has sometimes even reversed -- provided certain conditions are met. Typically, insurers require enterprises to have in place cybersecurity measures that should be baseline practice in every enterprise but, sadly, still are not. Those controls include the following:
Comprehensive use of MFA.
Deployment of endpoint detection and response.
Adoption of write-once, immutable storage for backups.
In addition to requiring companies to practice cyber hygiene and properly deploy key security technology, insurers can require that potential clients create internal policies covering a wide range of standard cyber risks -- e.g., requiring the disabling of former employees' accounts as soon as they leave the organization. Insurers will also want audit-based evidence of ongoing, uniform enforcement of those policies -- e.g., that accounts are actually being disabled every time a staff member is fired or quits. If a breach occurs because the organization failed to follow the policy and did not immediately disable an employee's account upon termination -- thus allowing him or her to access systems and data -- the insurance company will likely dispute any claim.
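The evidence insurers ask for here is not the policy document but proof that it is applied every time. The script below is an added example, not part of the original article or any insurer's tooling: it cross-checks an HR leavers report against an identity-directory export and flags every leaver whose account outlived the allowed grace period or was used after termination. Both exports are constructed inline, and the field names, the one-hour grace period and the user names are assumptions rather than any vendor's schema.

```python
"""Audit check: were departed employees' accounts actually disabled on time?

Added example, not from the article. It assumes two exports you already
produce: an HR leavers report and an identity-directory export, both
constructed inline here. Field names are assumptions, not a vendor schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str    # still_enabled | disabled_late | post_termination_login | no_directory_record
    detail: str


# Constructed sample data; no real people or systems.
HR_LEAVERS = [
    {"user": "alice", "terminated": "2024-05-01T17:00:00"},
    {"user": "bob",   "terminated": "2024-05-03T12:00:00"},
    {"user": "carol", "terminated": "2024-05-06T09:00:00"},
    {"user": "dave",  "terminated": "2024-05-07T18:00:00"},
]
DIRECTORY = [
    {"user": "alice", "enabled": False, "disabled_at": "2024-05-01T17:20:00", "last_login": "2024-05-01T08:10:00"},
    {"user": "bob",   "enabled": True,  "disabled_at": None,                  "last_login": "2024-05-05T22:41:00"},
    {"user": "carol", "enabled": False, "disabled_at": "2024-05-09T10:00:00", "last_login": "2024-05-05T16:00:00"},
    {"user": "dave",  "enabled": False, "disabled_at": "2024-05-07T18:30:00", "last_login": "2024-05-07T18:10:00"},
    {"user": "erin",  "enabled": True,  "disabled_at": None,                  "last_login": "2024-05-09T09:00:00"},
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def audit_leavers(hr_leavers, directory, as_of, grace=timedelta(hours=1)):
    """Flag every leaver whose account outlived termination + grace, or was used after termination.

    `grace` is the window the internal policy tolerates between the HR termination
    time and the disable action (assumed here to be one hour)."""
    accounts = {acct["user"]: acct for acct in directory}
    findings = []
    for leaver in hr_leavers:
        user, terminated = leaver["user"], _ts(leaver["terminated"])
        deadline = terminated + grace
        acct = accounts.get(user)
        if acct is None:
            # Cannot prove the account was disabled if it is absent from the export.
            findings.append(Finding(user, "no_directory_record", "leaver missing from directory export"))
            continue
        if acct["enabled"]:
            if as_of > deadline:
                findings.append(Finding(user, "still_enabled",
                                        f"enabled {as_of - deadline} past deadline {deadline.isoformat()}"))
        else:
            disabled_at = _ts(acct["disabled_at"])
            if disabled_at is None or disabled_at > deadline:
                when = disabled_at.isoformat() if disabled_at else "unknown time"
                findings.append(Finding(user, "disabled_late",
                                        f"disabled at {when}, deadline {deadline.isoformat()}"))
        # Use after termination is a finding even when the disable itself met the deadline.
        last_login = _ts(acct["last_login"])
        if last_login and last_login > terminated:
            findings.append(Finding(user, "post_termination_login",
                                    f"last login {last_login.isoformat()} after termination {terminated.isoformat()}"))
    return findings


def enforcement_rate(hr_leavers, findings):
    """Leavers with no findings out of all leavers: the uniform-enforcement number an auditor asks for."""
    flagged = {f.user for f in findings}
    clean = [leaver for leaver in hr_leavers if leaver["user"] not in flagged]
    return len(clean), len(hr_leavers)


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-05-10T00:00:00")
    results = audit_leavers(HR_LEAVERS, DIRECTORY, now)
    for f in results:
        print(f"{f.user:8} {f.issue:24} {f.detail}")
    ok, total = enforcement_rate(HR_LEAVERS, results)
    print(f"{ok}/{total} leavers disabled on time with no post-termination use")
```

Run against the sample, only alice is fully clean: bob is still enabled and logged in after leaving, carol was disabled three days late, and dave was disabled within the hour but logged in during the gap. That last case is why the check looks at last login as well as account state; an insurer disputing a claim will ask about the access that happened in the window, not just whether the account was eventually disabled.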
Devil in the details
While coverage is not getting steadily more expensive, the scope of coverage is getting more sharply defined and often narrower. Enterprises that do not carefully review policy changes during renewal, or that are only now getting into the market, might find their coverage is not what they were counting on or hoping for.
Things to look for when reviewing a cyber insurance policy's fine print include the following:
1. Patching latency
Insurers sometimes require IT staff to install patches for known vulnerabilities within a specified window of their release. They can even include a policy requirement that an enterprise's third-party service providers meet a similar threshold. Failing to patch in a timely way, or engaging service providers that fail to, can lead to insurers rejecting related claims.
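To know whether you would survive that clause before a claim is disputed, measure the latency yourself and include your named providers in the measurement. The script below is an added example, not code from the article: it takes a patch-status export, computes days from release to installation (or to today for patches still pending), judges each against a per-severity window, and counts breaches per owner so a service provider's lag shows up separately from your own. The records, severities, owner names and window lengths are constructed assumptions, not any insurer's actual terms.

```python
"""Patch-latency check against an insurer's patching window.

Added example, not from the article. Replace PATCH_STATUS with an export
from your vulnerability-management tool; the field names, severities and
window lengths below are assumptions, not any insurer's actual terms.
"""
from datetime import date

# Assumed policy windows: days allowed between patch release and installation.
PATCH_WINDOW_DAYS = {"critical": 14, "high": 30}

# Constructed sample; hosts, owners and patch IDs are made up. "owner" is
# either "internal" or a service provider named in the policy.
PATCH_STATUS = [
    {"host": "web-01", "owner": "internal",  "patch": "PATCH-A", "severity": "critical", "released": "2024-04-01", "installed": "2024-04-09"},
    {"host": "db-01",  "owner": "internal",  "patch": "PATCH-A", "severity": "critical", "released": "2024-04-01", "installed": "2024-04-20"},
    {"host": "app-07", "owner": "internal",  "patch": "PATCH-B", "severity": "high",     "released": "2024-03-15", "installed": None},
    {"host": "crm-sa", "owner": "CRMs-R-us", "patch": "PATCH-A", "severity": "critical", "released": "2024-04-01", "installed": None},
    {"host": "crm-sb", "owner": "CRMs-R-us", "patch": "PATCH-C", "severity": "high",     "released": "2024-04-10", "installed": "2024-04-25"},
]


def check_patch_latency(records, as_of, windows=PATCH_WINDOW_DAYS):
    """Return one breach record per patch installed late or still pending past its window.

    A pending patch's latency keeps growing until `as_of`, so it is judged
    against the same window as an installed one."""
    breaches = []
    for rec in records:
        released = date.fromisoformat(rec["released"])
        installed = date.fromisoformat(rec["installed"]) if rec["installed"] else None
        latency = ((installed or as_of) - released).days
        # Unknown severities get the most lenient window rather than silently passing.
        window = windows.get(rec["severity"], max(windows.values()))
        if latency > window:
            breaches.append({
                "host": rec["host"], "owner": rec["owner"], "patch": rec["patch"],
                "latency_days": latency, "window_days": window, "pending": installed is None,
            })
    return breaches


def breaches_by_owner(breaches):
    """Count breaches per owner so third-party providers are visible separately."""
    counts = {}
    for b in breaches:
        counts[b["owner"]] = counts.get(b["owner"], 0) + 1
    return counts


if __name__ == "__main__":
    found = check_patch_latency(PATCH_STATUS, date(2024, 5, 1))
    for b in found:
        state = "PENDING" if b["pending"] else "late"
        print(f"{b['owner']:10} {b['host']:7} {b['patch']:8} {b['latency_days']:3}d > {b['window_days']}d  {state}")
    print(breaches_by_owner(found))
```

Measured on 1 May 2024, the sample yields three breaches: db-01 installed its critical patch after 19 days, app-07 has a high-severity patch pending for 47 days, and the provider's crm-sa host has a critical patch pending for 30 days. The pending cases matter most in a dispute, because a patch that is never installed never stops accruing latency.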
2. Third-party risk
Insurers will often only insure against problems with an organization's suppliers and service providers that it explicitly names in its policy. For example, an enterprise using CRMs-R-us.com for its customer relationship management platform must list that provider in the policy if it wants business-affecting outages there to be covered. If CRMs-R-us.com uses an IaaS provider such as AWS or Azure for its infrastructure needs, and the root cause of a problem was an outage there, the enterprise's policy likely also has to name that third party to get coverage.
3. Systemic event risks
Some insurers are rewriting policies to exclude coverage for attacks or outages that affect a large segment of the economy or a specific industry. In other policies, insurers are not eliminating coverage but instead capping the potential payout for such events -- that is, imposing a sublimit.
4. Nation-state activity
Insurers have long refused to pay out for incidents that they can trace back to an adversarial national government -- in the early days, even invoking standard force majeure clauses that would protect them against having to pay out in the case of a military invasion. Over the last decade or more, insurers have expanded the exclusions relating to nation-state involvement. For example, they now might explicitly exclude from coverage breaches originating with non-state actors, such as criminal gangs, if the non-state actor is known to be -- or even simply understood to be, by the FBI or other competent authority -- operating under the direction of a state actor.
5. User behavior requirements
Insurers have been instrumental in pushing enterprises to aggressively train users to guard against common cyberthreats. Now, however, they are increasingly likely to require that users demonstrate cybersecurity awareness and proactively avoid attacks. For example, before it will pay out on phishing-related claims, an insurer might demand proof that users attempted out-of-band verification to mitigate the risk of phishing-related fraud. Suppose an accounting staffer receives an email invoice that appears to come from a reputable supplier but is actually a phishing attempt. To pay out on any related claim, the insurer might require proof that a staffer called the supplier to confirm the email actually came from the supposed sender.
6. AI risk
Assume policies won't cover AI-related damages unless explicitly included. Enterprises need to specify, in detail, what they want covered and -- based on how they use AI -- should consider including incidents such as the following:
Data leakage through external AI, including both leakage through prompting and leakage of training data.
Data leakage from in-house AI, including both leakage through prompting and leakage of training data.
Damages due to AI-driven automation -- e.g., of network infrastructure operations.
Enterprises should also expect insurers to expand their governance requirements to include AI-specific policies and to exclude coverage for any unsanctioned use of AI. Let's say, for example, a media company's AI policy allows creative staff to use a large language model (LLM) AI to generate advertising copy, but it does not allow any other teams to use the LLM. The company should expect no coverage for a network outage caused by an automation script generated by network operations staff using that same LLM. The company might, however, expect coverage for outages caused by the AI built into its network infrastructure provider's management tools -- assuming it allows that use in its AI governance policy and explicitly calls out that platform in the insurance policy.
Constant vigilance
Cybersecurity insurance can be a good investment, but it is all too easy for an organization to find itself with less coverage than it needed and expected, as insurers seek to insulate themselves from excessive financial risks. CIOs and CISOs should collaborate closely with risk management and legal staff to ensure the organization not only understands what it is getting in a cyber insurance policy, but also gets what it needs -- whether in a first-time policy or the renewal of an existing one.
John Burke is CTO and a research analyst at Nemertes Research. Burke joined Nemertes in 2005 with nearly two decades of technology experience. He has worked at all levels of IT, including as an end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect.