Discussions about cyber insurance policy cover and sales techniques have intensified recently, but the narrative can be high level and lacking in any real-life context. Often the best way to understand how much finesse a policy has, and the difference that one word can make, is to look to an actual example.
In this case, it was the use of the word ‘potential’when defining a cyber event. We’ve mentioned it before in our MPR top 5 tips – overlooked features and it might not seem like much, but given the immediacy of incident response requirements, it played a very important role.
Consider the following sequence of events:
A cyber-criminal impersonates an organisation by creating a variant website domain name and sending a phishing email to a member of the public, purporting to be from that organisation, in an attempt to defraud them. The member of the public spots the fraudulent attempt and contacts the organisation to warn them. Although there might not appear to be a typical cyber event/breach (and no financial loss, extortion attempt, system damage or business interruption) the organisation is understandably concerned and decides to engage their cyber insurance policy…
What happens next? Can they engage the insurers incident response and legal services (to establish what has occurred and investigate a solution) or will they be left to deal with the matter on their own? In the early stages of this example, it was unclear if there had been a breach or unauthorised access, so some contracts may not have permitted cover or begin any immediate response/triage until that had been established. Others may allow the incident response services to engage, but if it transpires that it was just a random event with no access or breach of the company systems, then the event may not be covered, leaving the organisation to pay those initial costs.
However, given that an unauthorised access/breach cannot be ruled out, isn’t it better to have policy language that allows the experts to engage quickly and professionally, regardless? This is where ‘potential’ comes into play. If the policy definition includes the following phrase:
“Cyber Event means an actual or potential unauthorised access…..”;
…then the policy can be triggered, and the organisation can access the help that may be required. In the scenario above, that help includes the immediate incident response, legal advice, triage and coordination, which leads to an analysis of the phishing email (to verify the precise domain registrar) and preparation of a shutdown communication request, leveraging with local law enforcement if required. The organisation can be confident that their good name was protected and other 3rd parties were not defrauded through an impersonation.
So, the MPR tip: Look for an insurer that would cover a potential cyber event as well as an actual one. For more tips, such as 5 reasons to act quickly and further helpful material on Cyber Insurance, please visit our cyber product page