You bought business insurance, and you bought cyber insurance. Your business then suffered a financial loss from a computer incident, network intrusion, or data breach. You filed a claim with your insurer, and the insurer refused to pay. What do you do? Target Corp is facing exactly this situation: it has decided to sue its insurer for $74 million over the insurer's refusal to pay the cost of replacing Target credit cards after the 2013 Christmas breach.
In the classic application of risk management to business and IT operations, there are four ways to treat a risk.
- Avoid – Eliminate the risk entirely, typically by ending the risky practice or procedure. If you do not store card data, you cannot have card data stolen.
- Accept – Decide that the risk is too small to matter, either because it is unlikely, or because the cost of mitigating it exceeds the loss you would suffer if it occurred. Accepting a risk is a deliberate decision, and it should be documented as one.
- Mitigate – Reduce the likelihood or the impact of the risk by changing a policy, process, or control. You cannot drive the risk to zero, but you can reduce the financial exposure it creates.
- Transfer – Shift the financial consequences to someone else. This is the role that traditional business insurance and cyber insurance play in risk management: by paying premiums, you assign certain financial risks to the insurer, who is supposed to make you whole after a loss.
The problem with insurance policies is that they are usually written with the wisdom of hindsight. Past legal precedent guides and informs both the insurer and the insured about what a policy actually covers. In the realm of cyber insurance, that precedent is still being established. In practice, this means that when you make a claim, you may have to take your insurer to court to get paid, and you will only get paid if you win.
What makes the Target case interesting is that Target is suing under its general business policy, not a cyber policy, for the loss of a physical asset and the cost of replacing it, namely the thousands of Target cards that had to be reissued because the card data was stolen. The insurer is refusing to pay on the grounds that a loss caused by a cyber attack is not covered by that policy. Target's position is that the loss was to physical assets (the cards themselves), and that physical loss is covered. It will be interesting to see how this plays out in court. Whatever the outcome, it is certain to establish a precedent.
The takeaway for business owners and managers is this: it is time to read your policy. General liability policies are broadly similar from one carrier to the next, but cyber insurance is a different animal, and policies differ significantly between carriers. Make sure you understand what your policy covers, what it excludes, and what obligations it places on you. A common trap is the security practices clause: if a vulnerability assessment identifies a weakness, your company fails to remediate it, and that weakness is later used in an attack, the insurer may treat the failure as willful negligence and deny the claim. Keep a record of what was found and what was fixed. It pays to understand both your cyber and your general business insurance policies before you need them.
- Minneapolis Star-Tribune
- WyzGuys – Cyber-Insurance: Your Business Must Have It
- WyzGuys – Recovering From A Cybersecurity Incident