Cyber Insurance: 5 Things It Does Not Cover

Cyber insurance is a vital risk mitigation and risk transfer strategy for organizations of all sizes — not just those that handle sensitive data. Most cyber insurance policies will reimburse clients for financial losses incurred as a direct result of an incident, as well as legal costs stemming from third-party claims. Cyber insurers also offer a plethora of services to help clients restore operations, minimize reputational damage and improve their cybersecurity postures.
But the negative impacts of a cyberattack are many, and few policies cover them all. The top non-covered expenses that your company could face following a cyber incident include:

Potential loss of future profits

The damages associated with data breach impacts — like data loss, public exposure of sensitive data, theft of intellectual property and harm to brand reputation — can continue for several years following an incident. These ongoing effects often lead to lost sales, reduced market share, difficulty attracting new employees and other issues that decrease profitability. Most likely a cyber insurer will not cover these losses unless you can directly link them to the data breach.

Loss of intellectual property value

For tech firms, manufacturers and others, your IP is the crown jewels of your business — core to your success and continued operations. Exfiltration of proprietary materials such as product designs and formulas can undermine your competitive position, cost you market share or even put you out of business. Unfortunately, many cyber insurance policies exclude coverage for financial damages caused by IP loss.

Costs to enhance your cybersecurity posture

A major post-breach expense for many firms is implementing new technology, controls and policies to bring cybersecurity up to an improved level that better protects the business and its stakeholders. While these costs can greatly reduce the likelihood of future cyber insurance claims and the risks of future cyberattacks, they are usually excluded from cyber insurance coverage.

Socially engineered financial fraud

If you provided funds to an attacker voluntarily and willingly, such as by wiring money into their account, your cyber insurance policy often will not cover the lost funds. This holds even when employees are duped by a business email compromise (BEC) scam or other social engineering cyberattack.

In some cases, coverage of BEC-related losses comes down to the specific language in the policy. It’s always a good idea to read cyber insurance policies and exclusions carefully and obtain legal advice if you have questions.

Nation-state attacks

Some cyber insurance policies include an act of war or nation state attack clause that may deny coverage if an attack is declared an act of war or claimed to have been conducted by a nation-state. An example could be advanced persistent threats (APTs) launched by a rogue state-sponsored group to steal designs for advanced U.S. weapons — especially if the U.S. government declares these to be acts of war.

In November 2021, Lloyd’s of London released four new cyber war and cyber operation exclusion clauses that deny coverage for losses resulting from nation-state sponsored cyber-attacks. These include cyber-operations taking place in a war and retaliatory attacks.

Lloyd’s move raises many questions, especially around how insurers, governments and security professionals determine what constitutes a nation-state attack. It may also put the onus on national governments to develop stopgap plans to bolster critical infrastructure entities following a financially devastating cyber breach.

An Ounce of Prevention

To get insurance, there are stringent cybersecurity and resilience requirements — all of which need to be adhered to. In response, an organization’s cybersecurity strategy includes not only taking steps to prevent an attack from happening or to stop an attack when it happens, but also cyber resilience to focus on ensuring that business operations do not entirely break down because of an attack. Those who go above and beyond these requirements are often able to potentially lower their risk and premiums.

ESET has also developed a full spectrum of preventive advanced cybersecurity solutions, as well as employee cybersecurity awareness training, with your cyber insurance prerequisites in mind. Visit our website to explore your options.

With more than 20 years of security industry experience, Tony Anscombe, Chief Security Evangelist for ESET, is an established author, blogger and speaker on the current threat landscape, security technologies and products, data protection, privacy and trust, and internet safety. His speaking portfolio includes industry conferences RSA, Black Hat, VB, CTIA, MEF, Gartner Risk and Security Summit, and the Child Internet Safety Summit. He is regularly quoted in security, technology and business media, including BBC, the Guardian, the New York Times and USA Today, with broadcast appearances on Bloomberg, BBC, CTV, KRON and CBS.

 This guest blog is part of a Channel Futures sponsorship.