While insurance companies and corporate boards of directors debate the benefits and drawbacks of buying yet more insurance – this time cyber liability insurance – the biggest gotcha that companies will face might well lie in the dictionary rather than in the policies themselves.
Winn Schwartau, a serial founder of data security companies and currently CEO of The Security Awareness Company, said at SC Congress Chicago that the proverbial devil in the details lies in how insurance companies define words such as “war” and “control.” If a cyber attack is an act of war, he asked, does the insurance company have the right to exclude that attack because acts of war are generally not covered by insurance? If a company is breached because an attacker used a malware-infested USB drive on the corporate network, is the breach not covered because the company did not have “control” over the drive?
Nathan Smolenski, vice president and CISO of the Chicago-based recruiting firm Spencer Stewart and former CISO of insurance companies Zurich North America and 21st Century Insurance, said companies currently have towers of insurance that already cover the loss of data and the loss of assets such as laptops or storage devices. Before purchasing cyber insurance, he recommends that companies meet with their insurance brokers to determine what coverage they already have and what new coverage would be redundant.
Underscoring Schwartau's concerns, Smolenski said it is critical to understand not only what the exclusions in a cyber insurance policy are, but how those exclusions are worded. While policies might cover costs such as forensic investigations, public relations, call centers and credit monitoring, they generally do not cover damage to the brand itself, such as a lower stock price or loss of reputation.
Jody Schwartz, director of IT security and risk at Rewards Network, said that the loss of a storage device containing confidential data or other sensitive information might not be immediately evident. The thief might hold on to the data for months or years before exploiting it, and during that time the insurance coverage could expire.