"Thank goodness" is probably what Illinois-based
manufacturing company ICS thought about having a cyber insurance policy with
Travelers Insurance after a data breach in 2022. But after claims investigators
pulled out their microscopes, they found that ICS failed to use multi-factor authentication
(MFA) across all digital assets, which they had agreed to do in their policy.
Travelers sued ICS and won. The policy was rescinded, and so were ICS's
feelings of gratitude, which likely evolved into worried whispers of "Oh,
crap."
Smart businesses like yours are adding cyber insurance to
their policies because they know good security hygiene is just as much a
competitive advantage as a way to reduce business risk. But with cyber
insurance premiums steadily increasing - they rose 62% last year alone - you
want to make sure your claim is paid when you need it most.
Why Claims Get Denied
"Most claims that get denied are self-inflicted wounds,"
says Rusty Goodwin, the Organized Efficiency Consultant at Mid-State Group, an
independent insurance agency in Virginia.
Though we like to paint insurance companies as malicious
money-grubbers hovering oversize "DENIED" stamps over claims, denials are
usually the result of an accidental but fatal misrepresentation or omission by businesses,
or of simply not letting an insurer know about changes in their security
practices. However, there are simple steps you can take to prevent a claim-denial
doomsday.
4 Ways To Make Sure Your Claim Doesn't Get Denied
1. Find a broker to help you understand your policy.
There's no doubt that insurance policies are tedious, filled
with legal lingo that makes even the Aflac Duck sweat. Nevertheless, there are
several parts to an insurance contract you must understand, including the deck
pages (the first pages that talk about your deductible, total costs and the
limits of liability), the insuring agreements (a list of all the promises the
insurance company is making to you) and the conditions (what you are promising
to do).
"If your broker can help you understand them and you can
govern yourself according to the conditions of that contract, you will never
have a problem having a claim paid," says Goodwin.
Some brokers don't specialize in cyber insurance but will
take your money anyway. Be wary of those, Goodwin warns. "If an agent doesn't
want to talk about cyber liability, then they either don't know anything about
it or they don't care because they won't make a lot of money off it." If that's
the case, he says, "take all your business elsewhere."
2. Understand the conditions.
Insurance companies are happy to write a check if you're
breached, but only if you make certain promises. These promises are called
the conditions of the contract. Today, insurance companies expect you to
promise things like using MFA and password managers, making regular data
backups, and hosting phishing simulation and cyber security awareness training
with your employees.
Understanding the conditions is critical, but this is where
most companies go wrong and wind up with a denied claim.
3. Make good on the promises.
If you've ever filled out a homeowners insurance
application, you know you'll get a nifty discount on your premium if you have a
security alarm. If you don't have one, you might tick "Yes," with good
intentions to call ADT or Telus to schedule an installation. You enjoy your
cheaper premium but are busy and forget to install the alarm (nobody comes around
to check anyway).
Then, your home gets broken into. "Guess whose insurance
claim is not going to be paid?" Goodwin says. "The power is in our hands to
ensure our claim gets paid. There's really nothing to be afraid of as long as
you understand the promises that you're making."
This happens all the time in cyber insurance. Businesses
promise to use MFA or host training but don't enforce it. As in the case of ICS,
this is how claims get denied.
4. Don't assume the right hand knows what the left hand is doing.
Goodwin sees companies make one big mistake with their
insurance policies: making assumptions. "I see CFOs, CEOs or business owners
assume their MSP is keeping all these promises they've just made, even though they
never told their MSP about the policy," he says. MSPs are good at what they do,
"but they aren't mind readers," Goodwin points out.
Regularly review your policy and have an open and
transparent line of communication with your IT department or MSP so they can
help you keep those promises.
"We're the architect of our own problems," Goodwin says. And the agents of our own salvation if we're prepared to work with a quality broker and make good on our promises. To find out more, schedule a no-cost, no-obligation discovery call here!