Top 6 Reasons Why Your Insurer Might Deny Your Cyber Insurance Claim

Why You HAVE TO Comply With Your Cyber Liability Insurance

If you think that your cyber insurance claim will be approved with no questions asked, it’s time to think again. When reviewing your claim, your insurance provider will assess whether or not you took “due care” to protect your business from being compromised by a cyberattack. While having a cyber liability insurance policy is non-negotiable today, you cannot be fully assured that your insurer will cover any of the costs you incur following a security breach.

Hidden in the fine print of your cyber insurance policy documents are certain terms and conditions set forth by the insurer that you must comply with. That’s why it’s important to assess whether you are compliant with these terms within your cyber insurance policy and ensure that any risks that could lead to non-compliance are fixed, immediately.

Let’s look at some of the common reasons why cyber insurers might deny claims, what kind of impact claim denials can have, and how the right support can help you ensure your cyber insurance claim isn’t denied due to non-compliance.

Top 6 Reasons Why Your Insurer Might Deny Your Claim

Besides their efforts to minimize payouts and boost the loss ratio (the ratio of premiums to payouts), cyber liability insurance companies look at several other aspects to deny a payout or limit the payout to a certain extent. Here are six of the most common reasons why your cyber insurer may either deny your claim completely or a great portion of it.

1. Policy Exclusions

Policy exclusions can easily be considered one of the biggest reasons for claim denials. Applying for a claim for a security incident that falls in the list of exclusions that are often mentioned in the fine print of the policy document could prove to be a futile exercise.

2. Poor Prevention Practices

By not having sufficient prevention practices in place, you could be handing the insurance company an easy reason to deny your claim. Your insurance policy lists data security practices that you must implement in your business’ network.

3. Failure to Document Preventative Measures

Your insurer will want to see tangible evidence, in the form of documentation, regarding the preventative measures you have under way to ward off cyberthreats. To avoid any hassles, you need to have thorough, accurate and updated documentation at all times.

4. A Third-Party Stakeholder Is at Fault

Your network’s security isn’t just your responsibility. It’s the responsibility of your third-party stakeholders as well. A security lapse in a third-party vendor’s network could result in the claim being denied by the insurer. Even if the claim isn’t denied, it’s highly likely that the insurer will scrutinize the matter in depth, which could make it a tedious, drawn-out, process.

5. Accidental Errors and Omissions

Accidental errors and omissions in the documentation you share with the insurer could prove detrimental to the approval of your claim. The documented evidence should include everything you have done to abide by the terms put forth by the insurer.

6. When Coverage Doesn’t Extend Beyond the Interruption Timeframe

Cyber liability insurance policies vary, so you should pay close attention to coverage timeframes. This could be the difference between having all your losses covered versus just a small percentage of them.

The Possible Impact of a Claim Denial

A claim denial can derail a business’ strategy to recover the costs incurred following a security incident. Here are two situations when businesses were denied payouts:

The Peculiar Case of the NotPetya Attacks

Researchers at the Cyentia Institute reviewed the 100 largest cybersecurity incidents over the last five years, which accounted for $18 billion in losses, and discovered that the NotPetya ransomware accounted for 20% of losses. Despite that, the pharmaceutical giant Merck and multinational food company Mondelez International are still in the process of claiming $1.3 billion and $100 million respectively through high-profile lawsuits. In both court proceedings, the insurers cited the “war and terrorism” exclusion to deny the claims since in October 2020 the U.S. government indicted six Russian military personnel for the attacks.

When a Canadian Not-For-Profit Was Denied a Payout

In a case settled recently in May 2021, Family and Children’s Services of Lanark, Leeds and Grenville (FCSLLG), a Canadian not-for-profit organization, failed to seek $75 million (Canadian) in damages. The security incident involved an unidentified hacker who stole confidential reports and leaked them on two Facebook pages. FCSLLG initiated a third-party claim against Laridae, a company it had hired to update its website. Despite holding two policies with the co-operators at the time of the attack, the co-operators denied coverage under both policies based on data exclusions. The policies excluded any loss “arising out of the distribution or display of data by means of an internet website.”

These incidents should serve as a glaring reminder for your business to completely understand where threats are most likely to emerge from and to ensure that potential losses are included in your cyber insurance policy. While certain businesses may be able to continue functioning as usual due to their financial prowess, you must ask yourself if your business can survive a major financial setback, like a data breach or ransomware attack.

Navigating Compliance for Cyber Liability Insurance

While it may seem overwhelming at first, complying with your cyber liability insurance policy’s terms isn’t as daunting as you’d imagine when you have the right support on your side. By leveraging our compliance process automation platform, we can help you with:

• Understanding your contract in detail so that you are fully aware of what your policy covers and what it does not cover.

• Regular automated compliance assessment that will hand you a thorough and accurate analysis of your business’ compliance with the policy’s terms and areas that need fixing or updating.

• Remediation services to ensure all the compliance risks are corrected the right way and in the right amount of time.

• Compliance-specific documentation that’s free of human error, fine-grained and policy-specific to ensure your business can produce evidence of “due care”.

• Purchasing a cyber insurance policy that offers the right type of coverage at the right price for your business.

We can help your organization comply with or acquire a great cyber liability insurance policy that’s trusted by others in your industry. To learn more, contact us today for a consultation!

‍