This is part two of a three-part series that also explores business interruption coverage under a cyber insurance policy and how to lower your cyber insurance costs.
A cyber breach is painful and costly. The silver lining – if there is one – is that an incident can reveal an Achilles heel that a company can then protect by improving its systems. Cyber insurance policies usually don’t cover these improvements (often called “upgrades”), or cover only part of the cost. This is because cyber insurance is designed to restore an organization’s systems – back to where they were before the attack – not to pay for upgrades.
This article on cyber insurance exclusions explores four examples of upgrades that may not be fully covered, as well as insight into how insurers and policyholders typically negotiate these issues.
Example 1: Software and Hardware Upgrades
After a cyber breach, incident response and recovery professionals often recommend system upgrades. A common example is a recommendation to upgrade an on-premises Microsoft Exchange server to cloud-based Office 365. They may also suggest installing the latest version of software if an insured is unable to fully restore its systems from a backup after a ransomware attack.
Position of the insured: Now is the perfect time to update our software. This will make us stronger and more attractive to insure.
Position of the insurer: The policy does not cover upgrades that cost more than the original, require a switch to a subscription model, or incur training costs for your staff.
Cyber insurance lawyer says: Policyholders almost always have to pay for software and hardware upgrades out of pocket. An exception, however, is when an upgrade is the only option available. Organizations should add the cost of regular upgrades to their IT budget to help them stay secure and improve their chances of obtaining and maintaining cyber insurance.
Example 2: Extending endpoint detection and response monitoring
After a breach, it is common to deploy endpoint detection and response (EDR) software for a short period of time to monitor network activity and identify malware.
Position of the insured: It makes sense to maintain the contract with the EDR provider for the longer term to strengthen our defenses. We really want to prevent this from happening again.
Position of the insurer: Your cyber insurance policy covers the eradication of the threat actor’s presence on your system. EDR software is covered only as part of the immediate response to a breach. Ongoing contracts intended to prevent future threats are not covered.
Cyber insurance lawyer says: Extending your EDR engagement is a forward-looking security enhancement. While that’s a great idea (it’s on our cyber hygiene checklist, along with regular upgrades to your software and hardware), it’s something organizations are supposed to pay for outside of their cyber insurance claim.
Example 3: Streamlining network infrastructure
Over time, an organization’s IT infrastructure can become a patchwork of bespoke integrations, encrypted blind spots, legacy servers and decentralized IT service providers. This is particularly common during corporate mergers. A cyberattack can wreak havoc on these systems.
Position of the insured: Our network is Frankenstein’s monster. We would never have built it this way if we had made it from scratch. It will take a lot longer to recreate the original mess than to do it right the second time – and time is money. Our insurance company should cover the costs to get us up and running faster. It might even be cheaper!
Position of the insurer: Insurance will normally pay to restore systems to what they were before. But if there is no cost difference between the options, the upgrades can be covered. If the upgrade costs more, insurance may cover only part of the cost.
Cyber insurance lawyer says: It may be possible to have the cost of network improvements covered – policyholders need only prove that this will be financially beneficial to the insurance company. Organizations need to assess the cost of two scenarios: rolling the network back to its pre-breach state, and rationalizing it. If it costs less to build back better, chances are the insurer will agree to cover it. Policyholders must show their insurer the cost comparison and obtain its agreement before embarking on a full system restoration.
Example 4: Regaining supplier trust
A cyber breach can cause reputational issues, as the company that suffered the attack is seen as a higher risk to do business with. This can cause integration partners to deny access to shared networks or databases until the company can prove that it has improved its cybersecurity.
Position of the insured: My vendors have given me a list of upgrades I need to perform, and I can’t restart my business until those upgrades are complete. These upgrades should be covered by the restoration or business interruption coverages of our cyber insurance policy.
Position of the insurer: The costs of meeting a supplier’s standards are not covered because they are not linked to restoring the pre-existing system.
Cyber insurance lawyer says: This one is tricky. Do the costs meet the definition of restoration, in that they are necessary to restore business operations? Or are they upgrades, in the sense that they are needed to meet new standards? (Upgrades are often not covered by cyber policies.) It also depends on the cause. Were the upgrades required because of the cyber incident? Or were they required by new, stricter standards from the supplier? Surely the policy wouldn’t cover the cost if the vendor demanded upgrades without an incident occurring. In cases like this, insurers and policyholders must recognize the ambiguity and negotiate to reach an agreement.
So what’s a business to do?
A home insurance policy won’t pay to build a mansion if a modest bungalow burns down. Similarly, a cyber insurance policy will not pay to upgrade outdated systems after a cyberattack.
This does not mean that organizations should be satisfied with their pre-attack status. In fact, if they don’t invest in their cyber hygiene, their insurance costs may increase or they may be denied cyber coverage altogether.
Organizations that have experienced a cyber breach and need cost-effective solutions for recovery should start by demonstrating that their proposed recovery approach is less costly than restoring to the previous state. In our experience dealing with the world’s largest insurers on complex cyber claims, we have learned that insurers are often very reasonable in a cyber claims scenario if the proposed improvements are the most cost-effective route to restoring operations.