Don’t Invalidate Your Cyber Insurance
All insurance policies require the policyholder to take reasonable care to reduce risk. Failure to comply with policy terms can result in claim denial, non-renewal or cancellation.
Cyber insurance is no different, but because policies are complex, businesses and their employees may be unaware that workplace practices are not in compliance with policy conditions. Based on a recent article by Kirsten Bay, president and CEO of Cyber adAPT, here are some considerations.
Data breach is a constant threat, and insurers want to know that data is properly protected. Employees need to tell their systems administrator how they collect, use and share data. The administrator should know whether this activity is covered by the firm’s cyber policy and, if not, take steps to change company procedures. Employees should inform the administrator if they are automating or digitalizing processes, as this may increase cybersecurity risks.
If data is stored in the cloud, the policy must be checked to be sure it is covered unless the cloud provider assumes liability in the service agreement.
The use of mobile devices to access business networks is becoming more common. These devices may belong to the business or to employees, and they may not have the same degree of protection. Cyber policies may not cover mobile devices, or may exclude coverage for unencrypted devices.
Cyber policies that cover extortion or ransomware have specific notification requirements, and coverage can be voided if employees pay a ransom without notifying the insurer. Some policies include a confidentiality agreement voiding coverage if its existence is improperly disclosed.
As part of a company’s internal policies and procedures, employees must be informed of how to respond to a cyber incident. This should include training to see how they would respond in practice. Businesses must improve their security measures and systems to keep up with developments. Firewall-based systems are obsolete, and detection-based security systems are current best practice. Insurers can provide technical advice on cybersecurity issues.