10 Exclusions Hiding in your Cyber Insurance Policy (2024)

As the person in charge of cyber insurance at your firm, you shopped around for the best terms for your company's policy. You compared all the limits and purchased the one that had the best overall value. Unfortunately, hiding in the 76-page document were exclusions taking away vital coverage.

Here are the most common exclusions to look for in your cyber policy:

1. Nation-State Attacks and Terrorism:

Some policies exclude damages arising from state-sponsored cyber attacks or cyberterrorism, usually under a war or hostile-acts exclusion. Given the rising sophistication of state-sponsored threats, understand exactly how your policy words this: who decides that an attack was state-backed, what evidence of attribution the insurer needs, and whether a carve-back preserves coverage for ordinary cybercrime that merely resembles state activity. Attribution is often contested for months after an incident, so a loosely worded exclusion can be invoked against almost any sophisticated intrusion.

2. Intentional Acts and Rogue Employee Exclusion:

Coverage might be void when the incident results from intentional acts by an insured party or from the actions of a rogue employee. Read the definition carefully: many policies exclude only deliberate acts by senior management or a defined control group and carve back coverage for misconduct by other staff, while others exclude any insider-caused loss. Knowing which version you hold determines whether an insider threat is an insured event at all.

3. Unencrypted Data:

The exclusion may apply if the incident involves unencrypted data, most commonly a lost or stolen laptop, drive or backup medium that was not encrypted. Encrypting sensitive information at rest is a cybersecurity best practice in any case, but check what the policy counts as "encrypted": whether data in transit or in cloud storage falls under the requirement, whether the standard is specified, and whether the exclusion also bites when the data was encrypted but the keys were taken along with it.

4. Prior Knowledge Exclusion:

The policy may not cover damages if the insured knew of a cybersecurity vulnerability (or an incident already in progress) before the policy period and failed to address it. Under this exclusion your vulnerability-management records matter: a scanner finding or audit report that sat unremediated for months can be used to deny the claim. Proactive risk management and a documented, dated remediation trail for known vulnerabilities become imperative.

5. Contractual Liability:

Exclusions for liability assumed under contract may leave gaps in coverage, for example indemnification clauses in customer agreements or assessments imposed under merchant payment-card contracts, which some insurers treat as contractual obligations rather than as losses arising from the breach itself. Understand how your policy addresses liabilities arising from contractual agreements before you rely on it for those obligations.

6. Property Damage Exclusion:

Damage to physical property resulting from a cyber incident might be excluded from coverage, and the gap is wider for organizations running operational technology, where a compromised controller can damage real equipment. Integrating cyber insurance with your property and general liability lines becomes essential for comprehensive protection.

7. Social Engineering:

Certain policies limit or exclude losses from social engineering schemes such as business email compromise and fraudulent funds-transfer instructions. Even where coverage exists it is often sublimited well below the policy limit, so given the prevalence of these tactics, confirm both whether such a loss is covered and how much of it.

8. Malicious Software Exclusion - Non-Targeted:

The exclusion may apply if the malware did not specifically target your company, as with an indiscriminate worm or a mass phishing campaign. This nuanced exclusion, observed in recent business owner's policy (BOP) cyber add-ons, emphasizes the need to scrutinize the specifics of malware-related coverage, because most malware that hits a small business was never aimed at it in particular.

9. Misalignment of Practices and Application:

Claims could be denied if the answers on your application do not match your actual cybersecurity practices. Insurers increasingly treat the application's security questionnaire (MFA on remote access and email, tested offline backups, EDR coverage, patch cadence) as a representation the policy depends on, and a claim investigation will check those answers against the evidence. Ensure that the stated practices reflect the measures actually implemented across the whole estate at the time you sign, and tell the insurer if any of them lapse.

10. Limitations on Contingent Business Income:

If a key vendor such as your CRM or an e-commerce platform like Shopify is hacked and the outage causes you to lose business or shut down your own systems, you need to know the extent of your coverage for that lost income (often called contingent or dependent business interruption), including the waiting period before it applies and whether only named vendors are covered. Always have contingencies in place for every critical vendor, and never give a vendor's integration or support account administrative access to your systems; grant it the least privilege the integration actually needs.

If any of these made you go run to your insurance policy to check if you had these specific exclusions, then it would be good for you to reach out to me for a comprehensive policy review.

Be sure to follow me and subscribe to the newsletter if you aren't already for cyber security news and updates.


FAQs

What are common exclusions on a cyber liability policy?

War, invasion, or terrorism: any damage from government-sponsored groups or attacks of ideological origin may be excluded from the policy. Security maintenance failures: the company must meet and maintain minimum security standards to have an insurance claim approved.

What is not covered in a cyber insurance policy?

Loss of value through intellectual property (IP) theft. Often, a company won't recognize IP theft until long after an incident (for example, when a competitor takes a copied product to market). Nevertheless, devaluation due to IP theft is a loss most cyber policies don't cover.

What is the exclusion clause in cyber insurance?

Many cyber policies exclude criminal fines and penalties outright, and cover civil or regulatory fines, penalties or sanctions only where the law of the relevant jurisdiction allows them to be insured. Exclusions vary between insurers, so it is important to understand the terms and conditions. Speak to your broker or insurer directly if you are unsure about any terms.

Which of the following is typically excluded from cyber insurance coverage?

Cyber insurance policies typically exclude coverage for losses resulting from acts of war, terrorism, or other hostile actions. While this exclusion may seem irrelevant to most businesses, it's important to remember that cyberattacks can be perpetrated by nation-states or terrorist organizations.

What do cyber insurance policies cover and exclude?

A cyber insurance policy protects organizations from the cost of internet-based threats affecting IT infrastructure, information governance, and information policy, which often are not covered by commercial liability policies and traditional insurance products.

What are the major exclusions of the policy?

The three major types of exclusions are: excluded perils or causes of loss, excluded losses, and excluded property.

Which category is not covered under cyber liability?

Bodily injury and property damage claims: Cyber liability does not cover claims of bodily injury or property damage. Businesses need general liability insurance to protect themselves against these claims.

What is an exclusion clause example?

An exclusion clause is a clause that excludes or restricts liability. Therefore, it is a clause under which a party seeks to exclude or limit its liability for non-performance of the contract. For example, such a clause may set a monetary cap on liability or restrict or exclude the rules of procedure or evidence.

What do cyber insurance policies cover and exclude (first-party vs third-party)?

First-party coverage applies to the expenses incurred directly as a result of the breach, such as forensic investigation and recovery. Third-party coverage applies to lawsuits by customers against the company in connection with their leaked data.

What is included in an exclusion clause?

Also known as exemption, disclaimer, or limitation clauses, they are, as a general guide, any term which purports to restrict, modify or exclude a remedy or liability arising out of a breach; or which appears to exclude or restrict a liability or duty that would otherwise arise.

Does cyber insurance cover phishing?

Typically, phishing attacks are covered, but some situations fall outside the policy. For example, because a phishing attack requires an employee to act, the direct financial loss (a fraudulent payment made on the attacker's instruction) may fall under a social-engineering sublimit or be excluded altogether, while the response and recovery costs of the resulting compromise are covered.

Which of the following is included in cyber security?

Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. It's also known as information technology security or electronic information security.

Does cyber insurance cover data breaches?

Cyber coverage offers protection from threats posed by cyberattacks and data breaches — including losses to a company's finances, reputation and operational capabilities.

Author: Merrill Bechtelar CPA