Key Points:
If you believe that every cybersecurity insurance claim will be approved, you may be surprised to learn that many claims are denied. When your insurance provider reviews your claim, they will assess your due diligence in maintaining cybersecurity for your organization. Your claim may be denied if it is determined that you could have prevented the data breach or incident. While having cybersecurity insurance is a must-have for businesses, there is no guarantee that your claim will be approved.
You likely agreed to certain terms and conditions when you signed your insurance policy. One of these was likely a duty to take reasonable care to protect your property from loss or damage. This means you must take reasonable steps to protect your business from a data breach or cyber attack. If you have not taken reasonable steps to protect your business, your insurance company may deny your claim. This is why it is so important to have strong cybersecurity measures and keep up with the latest cyber threats.
As we mentioned, one of the reasons claims are denied is a failure to take reasonable steps to protect your business. However, there are other reasons claims may be denied as well. Some insurers will only cover certain types of cyberattacks or data breaches. For example, they may not cover phishing attacks or social engineering. Check with your insurer to see what is and is not covered under your policy.
There are several reasons why cybersecurity insurance claims are denied. Here are some of the most common:
Your claim might be denied if you did not have adequate cybersecurity measures in place at the time of the data breach or incident. Your insurance provider will want to see that you took reasonable steps to protect your data and systems. This includes things like having a firewall, using strong passwords, and having up-to-date anti-virus software.
Even if you had cybersecurity measures in place, your claim may still be denied if it is determined that you could have prevented the data breach or incident. For example, your claim may be denied if you failed to patch a known security vulnerability.
If you did not notify your insurance provider of the data breach or incident promptly, your claim might be denied. It is important to contact your insurer as soon as possible to begin the claims process.
Some cybersecurity insurance policies have exclusions that may prevent your claim from being approved. For example, many policies exclude claims from certain cyberattacks, such as ransomware. Review your policy carefully to see if any exclusions could apply to your claim.
Your claim might be denied if you did not cooperate with the insurance company’s investigation into the data breach or incident. The insurance company will want to interview you and review your records to determine what happened.
Your claim might be denied if you made material misrepresentations on your insurance application. For example, your claim may be denied if you failed to disclose a previous data breach or incident. Be sure to disclose all relevant information on your insurance application to avoid denying your claim.
Your claim might be denied if the incident occurred outside of the policy period. For example, if your policy has a one-year term and the incident occurred two years after the policy was purchased, your claim will be denied.
If your cybersecurity insurance claim is denied, you may be left to pay for the damages out of pocket. This can be a significant financial burden, especially for small businesses. In addition, a denial can damage your reputation and leave you vulnerable to future attacks. If you are denied coverage, you can appeal the decision. Many insurance companies have an appeals process that you can follow.
Here are two real-life examples of companies that had their claims denied:
Computer hackers stole nearly 60,000 credit and debit card numbers from P.F. Chang’s China Bistro restaurants in 2014. P.F. Chang’s had a cybersecurity insurance policy with Federal Insurance Company. Federal reimbursed Chang’s for nearly $1.7 million in costs under the policy, including conducting the investigation and legal fees. However, Bank of America Merchant Services(BAMS), Chang’s merchant services provider, imposed assessment fees totaling $1.9 million.
A federal district court ruled that Chang’s had no cyber protection company for the assessment fees. The court found that the insurance policy’s “Privacy Injury” coverage did not apply to the claim because the policy’s definition of “Privacy Injury” required the compromised confidential records at issue to be the claimants. In this case, the payment card information taken in the breach belonged to Chang’s customers and the card-issuing banks, not the acquiring bank that sought reimbursement.
The policy also did not include Payment Card Industry coverage, a coverage option for restaurants, retailers, and other businesses that handle debit or credit card information. Without this coverage, Chang’s was not insured for the amounts assessed by the card company.
According to FCSLLG(a Canadian not-for-profit organization), an unidentified hacker accessed the organization’s website and stole sensitive information in 2016. The stolen data was later shared on multiple Facebook pages. As a result, a class proceeding was filed against FCSLLG, seeking damages of $75 million. FCSLLG filed a claim against the company it hired to revamp its website.
FCSLLG had two policies with Co-operators during the breach, but Co-operators denied coverage for both policies. Co-operators also denied coverage to the third party. The policy excluded any loss from the distribution or display of data utilizing an internet website.
These are only two examples of many companies that have had their cybersecurity insurance claims denied. As you can see, even with insurance, there is no guarantee that you will be covered in a cyberattack. It is important to carefully read your policy and ensure that you are aware of any exclusions.
While it may seem daunting to keep up with all the different compliance regulations, there are a few key steps you can take to make it easier:
Cybersecurity insurance is an important tool to help protect businesses from the financial costs of a data breach. However, it’s important to understand your policy’s limitations and ensure you have the right coverage in place. Cybersecurity insurance is not a cure-all, and it’s important to complement your policy with strong risk management practices.