Cyber Insurance Coverage Exclusions | Pondurance (2024)

Year after year, cyberattacks just keep coming. Today, ransomware is the primary threat from cybercriminals, particularly in the healthcare, government facilities, and critical manufacturing industries. The average ransom payment nearly doubled from $812,000 in 2022 to over $1.54 million in 2023, according to Sophos’ report The State of Ransomware 2023. In addition to the ransom payment, the average cost to recover from a ransomware attack is $1.82 million.

As a result of the escalating costs of an attack, insurers have increased premiums over the years and are now imposing stricter requirements to qualify for a policy. With so much at risk, it’s more important than ever to understand what your cyber policy covers — and what it doesn’t cover, known as exclusions.

Cyber insurance coverage exclusions in an insurance policy can include failure to maintain standards, payment card industry (PCI) fines and assessments, prior acts, acts of war, and more.

Failure to Maintain Standards

Your company should have procedures and controls in place to protect against cyberattacks, and insurers want to know these protections are at work. Upon application, all insurers require that you answer fundamental questions about your cyber risks to get accepted for a cyber insurance policy. Once accepted, a “failure to maintain standards” exclusion allows the insurer to deny claims if your company doesn’t keep up with adequate security standards or follow best practices during the coverage period.

The language of the exclusion varies widely. You should ask an insurer to remove any ambiguous language in a cyber insurance policy to assure that the standards are clear. Does the insurer require that you use multifactor authentication to protect specific accounts? Is there a timeline for making patches? Does the insurer require periodic phishing training for employees during the policy period? Knowing the answers to these questions and others can ensure that you won’t be denied coverage following a cyberattack or breach.

“Companies with cyber insurance must fully understand what they need to do to maintain the provisions of a policy,” said Doug Howard, CEO at Pondurance. “The first step is making sure there’s no ambiguity in the language of the required standards. Then, during the coverage period, stay diligent about complying with those standards to minimize your vulnerabilities and maintain your coverage in case you need to file a claim.”

PCI Fines and Penalties

After a breach, fines and penalties can be assessed against your company by the payment card brands, such as Visa and Mastercard — and the fines can be costly. Most insurers will put some restrictions on coverage, so it’s necessary to carefully review your policy for adequate limits and deductibles. If your company is subject to PCI fines or penalties and the exclusion applies, it can be a hefty loss for your business.

As a real-world example, a national restaurant chain experienced a data breach where cybercriminals obtained 60,000 customer credit card numbers and posted them on the internet. Mastercard imposed three assessments on the restaurant chain’s credit card processor: $1.7 million for fraud recovery, $163,123 for operational reimbursement, and $50,000 for a case management fee. The restaurant chain paid the assessments and made a claim to the insurer, but the insurer denied coverage. The restaurant chain filed a lawsuit, and the court dismissed all claims based on the language of the exclusions. The restaurant chain didn’t receive coverage for any of the assessment amounts.

“A cyber insurance claim that falls within this exclusion can be an unexpected hit to the bottom line, especially for small and midsize businesses,” said Doug. “It’s important to carefully consider any exclusions and requirements, line by line, the required assessments both by the cyber carrier and for any regulatory bodies applicable to you (state, industry, federal) and the entirety of the language in your cyber policy.”

Prior Acts

A prior acts exclusion prevents a claim for activity that happened before the retroactive date or the first date of a policy. This exclusion can be especially significant in a cyber insurance policy because breaches aren’t always detected until long after they first occur. In fact, the average time to detect and contain a breach is 277 days, according to IBM Security’s Cost of a Data Breach Report 2023.

Your company should take proactive steps to make sure your cyber insurance policy covers any possible breach. For example, when changing insurers, you may want to buy an extended discovery period that offers additional coverage for claims that might have initially happened under the previous policy. Or you may want to choose a retroactive date that precedes the start of the new policy.

Acts of War

War, terrorism, and insurrection typically fall under an act of war exclusion in a traditional insurance policy. However, a cyber insurance claim can involve nation-states, or cyber activity attributed to a suspected nation-state, where hostile attacks are made on U.S.-based companies and data and business operations are held hostage in exchange for large payouts. But is that an act of war?

The New Jersey courts recently decided an acts of war exclusion lawsuit. The case involved the 2017 Russian cyberattack on Ukraine, known as the NotPetya attack, that impacted U.S. businesses including pharmaceutical giant Merck & Co. Merck claimed it incurred $1.4 billion in damages and filed a claim with its insurer. The insurer denied coverage based on the acts of war exclusion, so Merck sued. In January 2022, the judge ruled that the insurer can’t claim the acts of war exclusion because the language in the policy applies to traditional forms of warfare, not a cyberattack. In 2023, the New Jersey appellate court affirmed the lower court decision. The insurer must pay the claim to Merck. As a result, insurers will likely revise the language in their policies to include nontraditional forms of warfare.

“Requirements and exclusions aren’t always onerous, rather they’re something you just need to understand when you’re agreeing to a contract. The courts have weighed in on some exclusion clauses in cyber policies, particularly the acts of war clause, although not always consistently between cases, and they don’t always rule on the side of the policyholder,” said Doug. “That’s why you need to comb through each line of the exclusion language to know exactly what your policy covers and do not assume that the exclusion will never apply to your organization. Legal advice is always recommended.”

Conclusion

Cyberattacks continue to occur, and the cost of a ransomware attack or data breach can be substantial. Pay close attention to the exclusions when negotiating your cyber insurance policy to ensure that you won’t suffer greater losses than expected when filing a claim.

Don’t want to go at it alone? Working with a managed detection and response provider can help you maintain cybersecurity standards that cyber insurers require and be your partner in case of an incident.

Learn more about cyber insurance coverage and how to qualify for acceptance. Read Here.


FAQs

What does cyber insurance exclude?

Bodily injury and property damage – This coverage, standard under a commercial general liability policy, is excluded in cyber insurance as a person cannot be physically injured by having their data exposed when your business's database is infiltrated.

What isn't covered by cyber insurance?

Also, most cyber liability insurance policies don't cover your business for a decrease in company value. For example, your intellectual information could be stolen through digital crime. Without that information, your company becomes less valuable overall, but insurance providers will not cover that loss of value.

Which of the following is typically excluded from cyber insurance coverage?

Cyber insurance policies will replace losses in the digital sphere but will not usually cover damage to physical property or bodily injury (death, sickness, disease or physical injury) which results from a cyber incident, as these are often covered by other insurance policies such as property or liability insurance.

What is exclusion in cyber security?

Cyber insurance coverage exclusions in an insurance policy can include failure to maintain standards, payment card industry (PCI) fines and assessments, prior acts, acts of war, and more.

What is covered under a cyber insurance policy?

A cyber insurance policy helps an organization pay for any financial losses they may incur in the event of a cyberattack or data breach. It also helps them cover any costs related to the remediation process, such as paying for the investigation, crisis communication, legal services, and refunds to customers.

Which of the following is not a coverage offered as part of cyber insurance?

Cybersecurity insurance policies typically exclude issues that were caused by human error or negligence or could have been prevented. Here are common exclusions: Poor security processes — attacks that occur due to ineffective security processes or poor configuration management.

Which one of these things will a comprehensive cyber insurance not protect you from?

Cyber Extortion Without Data Breach. Ransomware attacks often involve extortion threats to release sensitive data unless a ransom is paid. However, if the ransom is paid without a data breach occurring, some cyber insurance policies may not cover the extortion payment.

What does comprehensive cyber insurance not protect you from?

Loss of Future Revenue

While cyber insurance policies may cover expenses related to a data breach or cyber attack, such as legal fees and notification costs, they generally do not compensate for lost business opportunities or potential future revenue.

Which of the following costs would most likely not be covered by cyber insurance?

Loss of value through intellectual property (IP) theft

Often, they won't recognize IP theft until long after an incident (for example, when a competitor takes a new product to market). Nevertheless, devaluation due to IP theft is a loss most cyber policies don't cover.

What are exclusions from coverage?

An exclusion is a provision within an insurance policy that eliminates coverage for certain acts, property, types of damage or locations. Things that are excluded are not covered by the plan, and excluded costs don't count towards the plan's total out-of-pocket maximum.

What are the limits for cyber security coverage?

Cyber liability coverage limits typically range between $500,000 and $5 million per occurrence. The deductible is the amount of loss that your business is responsible for in the event of a cyberattack that is covered by your policy.

What is a cyber incident exclusion?

Cyber Incident Exclusion

With this endorsement, there is no coverage for loss caused directly or indirectly by a cyber incident, which is defined to include: Unauthorized access to or use of any computer system (including electronic data).

Which of the following is not applicable to cyber insurance?

Bodily injury or property damage - The cyber insurance policy does not cover any bodily injury, sickness, emotional distress, disease or death of a person. Also, the destruction of any property will not be covered under this policy.

What are some of the potential limitations and exclusions of cybersecurity insurance policies?

Cyber insurance policies may exclude coverage for losses caused by the intentional or malicious acts of employees. This exclusion acknowledges the potential risk posed by insiders, such as employees who intentionally cause a data breach, steal sensitive information, or sabotage systems.

What are the problems with cyber security insurance?

However, the cyber insurance industry faces significant challenges, including a lack of historical data, a lack of ability to predict the future of cyber risk, the possibility of large cascading loss events, uncertainties among market participants about what is specifically covered under such policies, and legal ...

Article information

Author: Roderick King
