Mapping the landscape of insurance that businesses require to secure their property, assets, and employees is a massive and complex task. Policies are simultaneously hyper-specific and unintelligible; counsel and executives alike can find the paperwork confusing or obtuse.
This confusion is even more prevalent when considering policies protecting against cyber threats, like data breaches or business email compromise (BEC) scams. This segment of the insurance market is relatively fresh territory, which can make seeking coverage feel a lot like the wild west. As a result, companies often find themselves left high and dry when they discover too late that their policy has coverage gaps exactly where they are most vulnerable.
It’s 2020. Do you know what your insurance policy covers?
The National Law Review points out that some court decisions in disputes over commercial general liability (CGL) or Crime/Fidelity policies uphold the insurance company’s right to deny coverage on what is essentially a linguistic technicality. Yes, there was a data breach, but since the hacker published the data (not the policyholder!), you aren’t covered.
There’s also the fact that insurance companies are becoming increasingly aware of the popularity and high success rate of BEC scams. That means they’re motivated to find ways not to cover these specific situations. AIG argued just a couple of months ago that they’re not liable for covering losses due to “criminal acts” – in this case, an email fraud that resulted in a $6 million loss. AIG’s defense? They never sold the client a cyber insurance policy, just a specialty risk protection policy. CIO Dive recently put out a warning to readers about this very subject, alerting them to check the fine print to confirm that they have the coverage they need in the event of a payments fraud loss.
The message here is clear: When it comes to cyber attacks, you’re on your own.
And then there are all those technological advances being made by scammers every single day. Cyber attacks can come in guises most of us haven’t had to consider – we’ve been too worried about what we can do to protect against the last attack. Insurance companies will never sign off on policies with vague terminology about what kind-of-sort-of-maybe-might happen to you, and they can’t dream up the next big thing in cybercrime before it happens. So there is no clarity when it inevitably comes around.
What can businesses do to protect their data and assets?
One option is to shell out for stand-alone cyber insurance – if you can find an insurance company that will offer that level of protection. But even if you do find such a policy, there are cracks in the small print that many businesses can fall through.
But what is it that people are always saying about the best offense being a good defense? It may not be as simple as that, but it's an excellent place to start. Take preventative measures, and make sure your payment processes are airtight. (We have a free guide for this; take a peek.) But remember, relying on your humans to spot these fraudsters is not a defense that will stand up for long. Your processes, procedures and people need to be locked down, but they also need technology and platforms as a backstop. Find partners to remove the burden, and in the meantime, educate yourself about all the ways scammers want to separate your business from its cash. We have a guide to business payments fraud risk assessment, fraud vectors and prevention you can read here.
If you put up gates to protect your business in the first place, you (hopefully) won’t find yourself on the other side of a courtroom from your insurance agents, who are pointing out that your policy doesn’t cover a version of an email scam that hadn’t been invented when the policy was drawn up.