Cybersecurity: Insurers Closely Scrutinize Cyber Breach Claims
June 11, 2026
With cyber losses hitting $16 billion in the US last year, it’s probably not surprising that the companies backstopping those losses are scrutinizing insurance claims tied to cybersecurity breaches much more closely. Here’s an excerpt from this Cybersecurity Dive article:
Given the financial squeeze on cyber insurers over the past year, they have been more closely scrutinizing claims and pressuring customers’ security teams to prove they are properly maintaining their security controls.
The result: Policyholders are recovering a smaller percentage of the total cost of a breach, according to Gavin Mead, cyber, data and tech risk partner at PwC. Disputes between the insurance provider and policyholder often center around whether security practices — particularly multifactor authentication — were actually enforced during the breach.
A significant amount of data breach costs are incurred by the victim organization’s response to a cyberattack, including forensic investigation, breach notification, credit-monitoring services and breach counsel. However, the larger exposure to a company is often the legal fallout, including class action data-breach suits from customers.
“That tail can rival the incident itself in financial terms,” Mead told Cybersecurity Dive. In some cases, companies work to make sure they identify every last customer that is exposed to a breach, thus extending the time and expense required to complete the incident response process, he noted.
The article goes on to point out that one frustration for policyholders is the disconnect between their cybersecurity efforts and the rewards they receive from insurers for robust security controls. While these companies can get coverage, they don’t always see significant benefits when it comes to pricing, deductibles, or breadth of coverage.