Top 5 reasons cyber insurance claims are denied


As cyberattacks and data breaches skyrocket, organizations are increasingly adding cyber insurance to their overall risk mitigation strategy. Claims are spiking, and with the average security incident now costing more than $4 million, each policy carries more risk and more cost for the insurer. As a result, underwriters are understandably becoming more cautious about who and what they insure: they are limiting coverage, tightening policy language, and introducing more exclusions.

These limits and exclusions give insurers more leverage to slow the claims process, demand more information or, worse, deny a claim outright. Here are the top reasons why insurers reject or deny a cyber insurance claim.

Top reasons why cyber insurance claims are denied 

According to Delinea research, if insurers detect any of these five issues in a post-incident investigation, it is highly likely they will deny the claim or void coverage:

1. Absence of security measures
Depending on the insurer, policyholders are required to deploy a range of cybersecurity controls, such as multi-factor authentication, endpoint detection and response, email and web security, patch and vulnerability management, logging and monitoring, and backups. They are typically also required to conduct security awareness training for staff, keep software and systems updated, and maintain written policies and procedures. If insurers discover that any of these mandated requirements were not met, they can reject the claim outright.

2. Human error
If insurers discover that the incident was caused or worsened by misconfigured security controls, a failure to address known vulnerabilities, lost or stolen employee devices, or employees falling victim to a social engineering attack, they can argue that the incident was preventable and deny coverage on that basis.

3. Insider threats
If the insurer finds that insiders were engaged in unauthorized or illegal activity, such as initiating the attack from within the organization, using their access to launch it, engaging in cyber extortion, or acquiring or accessing data illegally, the claim may be denied. Attacks that originate with a third party (supply chain attacks) are also commonly excluded from standard cyber insurance products.

4. Act of war
Cyberattacks arising from war or national conflict can give insurers grounds for denying a claim. The Merck dispute is a glaring example: after the 2017 NotPetya attack, Merck's insurers invoked the war exclusion, and although the courts ultimately ruled in Merck's favor, the claim was tied up in litigation for years. What's more, since most attackers conceal their identities, attribution is itself a gray area, and this alone can lengthen or delay the claims process. Insurers can rely on exclusionary clauses such as "act of war" or "act of terrorism" to deny coverage or limit the scope of a settlement.

5. Non-compliance to policy requirements and procedures
Much like a pre-existing medical condition, several factors can lead an insurer to void coverage: information concealed or not disclosed in the application, facts that were misrepresented, evidence of pre-existing vulnerabilities that the policyholder failed to remediate, or key procedures that were not followed (such as failing to report an incident to the insurer within the stipulated time frame).

How can organizations avoid claim denials?

Implementing strong cybersecurity measures and following best practices can help organizations ensure proper claim coverage and avoid claim denials:

1. Understand your inclusions, exclusions and mandates: It's important to go through the fine print thoroughly before signing off on a costly cyber policy. Understand what's in scope and what's not, along with the legal requirements and industry-specific obligations. Engage an expert consultant if needed. Adopt the tools, procedures, and best practices that your insurance provider has mandated.
2. Focus on things you can control: Cyberattacks are not in anyone's control, but a security program is. Focus on building and maintaining a robust cybersecurity program that includes the right tools, the right people, the right processes, the right governance and the right security culture.
3. Train your people well: Human error is a leading root cause of security breaches. Using a combination of in-person and virtual training, social engineering simulation exercises, and clear policies and technical documentation, educate employees to be vigilant and make clear their responsibility and accountability for security.
4. Mitigate insider risks: Maintain granular and continuous oversight of user activity. Deploy phishing-resistant MFA and enforce the principle of least privilege (PoLP). Put multi-layered controls in place to reduce the risk of lateral movement. Where feasible, use automation to reduce human error and misconfigurations.

Cyber insurance has become a critical safety net, a contingency that allows organizations to transfer some portion of risk in the event of a catastrophic incident. But insurance is not a substitute for cybersecurity; it cannot recover intangibles such as lost trust or lost reputation. Organizations must focus on a defense-in-depth strategy built on multi-layered controls, security awareness programs, and clear policies and procedures. This not only reduces cyber incidents but also helps organizations stay compliant with insurer mandates and industry best practices.

MORE FROM DIGITAL INSURANCE