Cyber Insurance Denied

There have been some big cases where cyber insurance didn’t pay, not to mention plenty of little ones. Below are just a few examples that made it to the courts.

BitPay vs. Massachusetts Bay Insurance Company

BitPay, a bitcoin processor, had its CFO spear phished and his email credentials compromised. The hacker was able to impersonate him and trick the CEO into paying $1.8 million in bitcoin to a hacker’s account. According to the insurance company: “We will pay for loss of or damage to “money,” “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”: a. To a person (other than a “messenger”) outside those “premises”; or b. To a place outside those “premises.”” The insurer used this play on words to distinguish between “fraudulently causing a transfer” and “causing a fraudulent transfer”, and relied on the word “premises” to avoid paying for a bitcoin transfer that occurred online and not on BitPay’s physical property.

Mondelez International vs Zurich American Insurance Company

One of the biggest supply chain attacks, which crippled companies across the world, was the NotPetya ransomware. The insurance company refused to pay the claim for $100 million to Mondelez International (owner of the Oreo, Cadbury, Milka and Toblerone brands). Their policy stated that it excludes “loss or damage” caused by a “hostile or warlike action in time of peace or war” by any “(i) government or sovereign power…; (ii) military, naval, or air force; or (iii) agent or authority of any party specified in i or ii above.” Because the US and other countries around the world blamed the ransomware on Russia as an attack on Ukraine, the insurance company didn’t pay, despite the lack of any real proof or admission from Russia.

Cottage Health vs. Columbia Casualty

Cottage Health suffered a massive data breach in which patient data that was not being properly stored or managed became publicly available. They had settled their own lawsuit at $4.125 million. When they filed their claim, they were denied because of the “Minimum Required Practices” provision, which says, as a “condition precedent to coverage”, that the insured will maintain “all risk controls identified in the Insured’s Application”.

These cases remind us how important it is to fully understand your policy. You need to know what is covered and what is not covered. You must know your responsibility or requirements to be covered.

You can avoid a claim denial due to “failure to maintain” if you have the following in place:

Backups

While backups are your last resort, they can often save you in a time of need. They allow you to restore data to a point in time before the ransomware or malware hit. They can also help you restore deleted or corrupted data files.

Multi-Factor Authentication

Using Multi-Factor Authentication in addition to your password gives your accounts extra protection if a password does get compromised.

Regular Vulnerability Scanning

New vulnerabilities arise constantly, and it is impossible to stay on top of them all. On top of that, best practices are constantly evolving, and people make mistakes. With regular scans, you can prove you have security measures in place, and if not, quickly get there.

Security and Awareness Training

How can you expect users to even know what to look for if you don’t show them? Teaching your users what to look for and what to do (or not do) is your first line of defense. No one wants to fall victim, so if you teach your employees, they will more often make the right decision. This is for everyone equally, from the executive team to the receptionist.

24/7 Monitoring

Criminals do not sleep, so you can never stop monitoring your systems. If your systems are up and running, your monitoring should be too, so you can be alerted to a breach, compromise, download, export or attack no matter the day or time. This can give you more time to react and minimize the damage.

Patch Management

Keeping systems up to date is key to keeping vulnerabilities at bay. There are often security updates released monthly (or even more often) when vulnerabilities are found in software and operating systems.

Encryption

When it comes to sensitive data, it must be encrypted, both at rest and in transit; otherwise you are leaving your data susceptible to hackers.

Change Management

As we all make changes to our security, access, and systems, having a Change Management tool or policy in place puts approvals and documentation around each change, so that you can go back in time and know what changes have been made and why. This is great for troubleshooting similar problems, finding a “snapshot” at any point in time, and providing proof in case of an incident.

Maintenance and Management of Policies and Procedures Around Access, Audits, and Security

Having policies and not enforcing or checking them defeats the purpose. Every company should maintain, review, manage and modify its policies at regular intervals to stay current.

Regular Evaluation of Incident Response Plan

Even if you have all the preventative measures in place, it is better to be prepared in case an incident occurs. Having a response plan, testing it, and updating it for potential new incident types will keep you better prepared. The time it takes you to respond to an incident can be critical to the overall damage.