Are You Sure You’re Covered? Understanding Cyber Insurance Exclusions
A recent, great article in Network World, “Cyber insurance: Worth it, but beware of the exclusions,” discusses the growing field of cyber liability insurance. Many businesses may not be aware that their general liability insurance may often exclude coverage in the event of a data breach, meaning that in order to protect themselves, they need to look into adding data breach insurance. However, you also need to be aware that many general cyber liability policies include numerous exclusions, so it’s important to understand just what is or is not covered. Additionally, if you’re working with an ITAM/ITAD company, you need to make sure you understand how you’re protected.
The article cites a recent post in Dark Reading, which explains that many cyber insurance policies exclude coverage for:
- Breaches of protected information in paper files
- Claims brought by the government or regulators, including the Office of Civil Rights, the Department of Health and Human Services, and the Office of the Attorney General
- Vicarious liability, for data entrusted to a third-party vendor, when the breach occurs on the vendor’s system
- Unencrypted data
An important exclusion for many companies is this one: “Vicarious liability, for data entrusted to a third-party vendor, when the breach occurs on the vendor’s system.” We find that indemnification is widely misunderstood in the ITAM/ITAD industries. Many companies believe they are sufficiently indemnified from the improper or incompetent actions of their vendor only to learn that they are not.
Three Dirty Little Secrets of Insurance:
- If you’re not named as an additional insured, you’re not covered
- Most service providers are under-covered in terms of professional insurance
- Most service providers do not have broad enough coverage
Companies look to Brass Valley to securely decommission their IT assets, and in 13 years of business, we have yet to have a client or prospective client ask to see our insurance policy, let alone look at the exclusions. And they really should be asking. Not only that, but when we participate in RFPs, we can tell there is a general lack of knowledge about indemnification based on the questions that are being asked.
Brass Valley’s approach to indemnification links a service agreement with the client, meaningful documentation and proof of service, and a comprehensive insurance platform based on the type of work we perform and experience in cyber security. Taken together, these give our clients a platform of protection that provides a legal firewall in case something goes wrong. It really pays to understand how the insurance your service providers use works, or in many cases doesn’t really work, to your benefit.
Contact us for a confidential discussion of your risk management requirements and concerns.