Cybersecurity insurance: the details count

  • As with any insurance policy, you should review a cyberinsurance policy closely for limitations, exclusions, and provisions that could affect your coverage.

  • Data held by companies not governed by contract may not be protected.

  • Some policies limit coverage to incidents that occur in the United States.

It’s the nightmare scenario for anyone who buys insurance: finding out after a calamity that the policy you thought was bulletproof can’t help.

Reading the fine print line by line can reveal gaps and reduce the likelihood of your policy coming up short, but only if you know what to look for.

For company execs responsible for insuring against a cyberattack, here are five specific areas to review.

1. Loss control evaluation. Your policy may include free or discounted evaluations of your existing security measures to help your insurer and your company determine your current risk level. Loss control companies perform these audits and may recommend steps to reduce risk, lessening the chances of breaches and data theft. However, check the policy for rules that may jack up your premium if recommendations aren’t followed. The evaluation should be a benefit rather than a way for the carrier to increase its rates.

2. Identity theft-resolution services. If a breach puts your customer data at risk, you may be compelled by law to notify those whose information was affected. You may also have to provide them with services, such as identity theft insurance and credit restoration. A good insurance policy will cover their costs whether or not they are legally required. Offering these services to customers might also help repair your reputation.

3. Include coverage for customers that are companies. Check your policy to determine whether coverage extends to other corporations that are injured because of your cyberloss. Specifically, coverage should include companies, corporations, partnerships, and other entities. Policies that only cover damages incurred by “natural persons” — people who aren’t companies — may put you at risk.

4. Information in the wild. Typical cyberinsurance policies protect information as long as it resides on company-owned technology or is handled by your employees. But there are plenty of conditions that call for sensitive or proprietary information to be shared outside your organization. If business partners, contractors, or other third-party vendors handle any of your company information, it could be involved in a data breach of their systems and cause losses for you. Review the language in your policy to determine the limits and exclusions for data that’s in the hands of other companies. In some cases, losses may be covered only if the relationship with the third party is established by a written contract. Data held by companies not governed by contract may not be protected.

5. Location of data and breach. If your data is stored in cloud-based services, those computers—and your information—can be anywhere in the world. Check your policy to determine whether there are restrictions regarding the location of your data or an incident. Some policies limit coverage to breaches that occur in the United States.

Cyberinsurance policies vary, and the specifics are important. Once an incident happens, it’s too late to make changes. Look closely at every provision and exclusion before initiating a policy agreement.

Putting proper cybersecurity measures in place can help keep you from having to file a claim on your cybersecurity policy. Explore the services and solutions in the AT&T Network Security portfolio that can help you safeguard your data.

Scott Koegler is a technology journalist with a specialization in the intersection of business and technology. All opinions are his own. AT&T has sponsored this blog post. AT&T is not a provider of insurance or cyberinsurance and disclaims any inference in the sponsored blog post that its products or services guarantee or insure against losses arising from cybersecurity events.
