As cyber insurers become more experienced in what kinds of claims are being presented, and the threat action details therein, specific types of coverages are no longer being included.
I’ve written quite a few times about specific cyber insurance claim cases that required going to court to settle. In most of them, the courts sided with the insurer because the wording in the cyber insurance policy made certain it was covering only specific use cases. According to a recent article in JD Supra, cyber insurers are either eliminating the coverage entirely or “have quietly added policy language that, in essence, makes it incredibly challenging, and in some instances impossible, to secure any actual recovery for the claim.”
In addition, they are adding specific verbiage requiring that, for any kind of fraud involving a change of payment instructions, the policyholder must “independently verify” the request – that is, use another medium instead of simply taking the word of an email purporting to be from someone with the authority to make the request in the first place.
What we’re seeing isn’t greed or bad faith on the part of the cyber insurer; in fact quite the contrary – they aren’t in the business of simply handing out checks, so they need to either put in specific requirements or remove/reduce coverages for cases where the risk is just too high because – yep, you guessed it – users come into the equation.
In the end, this is really the problem – even with all the security tech in the world in place, all it takes is a little social engineering and a user who’s not paying attention, and you have yourself a successful case of fraud and its subsequent cyber insurance claim.
The answer here isn’t to put more emphasis on the cyber insurer; instead, the focus should be on preventing such attacks from being successful – accomplished by educating the user with Security Awareness Training designed to teach them about scam tactics and their role in the organization’s cyber security stance.