And if your firm buys cyber breach insurance, will the insurance pay?
There are many stipulations in regards to qualifying for cyber breach insurance. Most insurance companies require you to affirm a Statement of Fact and Fraud Warning. When you buy the insurance, you are essentially promising to comply with the rules they set forth.
Here is a real life example of one of those statements:
Statement of Fact and Fraud Warning
THIS INFORMATION AFFECTS THE POLICY. PLEASE READ IT CAREFULLY.
Name Redacted Cyber Enterprise Risk Management Policy
Name Redacted ® Enterprise Risk Management Policy
NOTICE: THE THIRD PARTY LIABILITY INSURING AGREEMENTS OF THIS POLICY PROVIDE CLAIMSMADE COVERAGE, WHICH APPLIES ONLY TO CLAIMS FIRST MADE DURING THE POLICY PERIOD OR AN APPLICABLE EXTENDED REPORTING PERIOD FOR ANY INCIDENT TAKING PLACE AFTER THE RETROACTIVE DATE BUT BEFORE THE END OF THE POLICY PERIOD.
AMOUNTS INCURRED AS CLAIMS EXPENSES UNDER THIS POLICY SHALL REDUCE AND MAY EXHAUST THE APPLICABLE LIMIT OF INSURANCE AND WILL BE APPLIED AGAINST ANY APPLICABLE RETENTION. IN NO EVENT WILL THE INSURER BE LIABLE FOR CLAIMS EXPENSES OR THE AMOUNT OF ANY JUDGMENT OR SETTLEMENT IN EXCESS OF THE APPLICABLE LIMIT OF INSURANCE. TERMS THAT ARE UNDERLINED IN THIS NOTICE PROVISION HAVE SPECIAL MEANING AND ARE DEFINED IN SECTION II, DEFINITIONS. READ THE ENTIRE POLICY CAREFULLY.
All information submitted by me (otherwise known as the “Insured”) in the statement below, any application, attachments or supplemental information which is provided for the purpose of obtaining insurance, is true, accurate, current, and complete to the best of my best knowledge and belief as of the date of the affirmed electronic signature below. I fully understand that any significant material misstatement in this application for Cyber Insurance may will constitute cause for denial of my application or coverage under the Policy, the denial of claims arising from such incidents, or termination of the resulting Policy, by the Insurer or its authorized representatives.
Some insurance firms also have restrictions on the type and size of companies that qualify for coverage. Below is an example of this from the same firm. Do not be discouraged if you don’t qualify for this particular list; there are many different companies offering differing plans. It is possible that any disingenuous representations made here could jeopardize payment by the insurance company when there is a loss.
I Affirm the following:
My Company’s Core Products or Services do not include any of the following:
– Accreditation Services Provider
– Adult Content Provider
– Airlines
– Credit Bureau
– Collection or Repossession Agency
– Cryptocurrency Exchange/Cryptomining/Storage or Wallet
– Data Aggregator (Financial, Healthcare, Retail)
– Data Broker
– Healthcare Exchanges
– Direct Marketer
– Gambling Services Provider
– Political Sites/Political Figures
– Technology Consulting
– Cyber Security Consulting
– Manufacturer of Life Safety
– Marijuana/Marijuana Products
– Media Production Company
– Online Exchange or Content Site
– Payment Processor
– Peer to Peer File Sharing
– Social Media
– Online/Video Gaming
– Search Engine Providers
– IOT Manufacturers
– Software Developers
– Telecommunications Company
– Surveillance
– Third Party Claims Administrator
– Depository Institution (>25% E-Commerce)
– Staffing/PEO Organizations
– Utilities
Perhaps the most important section of these stipulations is seen in the example below. While we have never seen coverage denied for failing to meet these stipulations, it is possible that this could change, as many of the insurance companies are currently incurring cyber breach losses far beyond what they calculated when they set their rates. Just recently, an insurance company withdrew from a market segment due to the losses being purportedly ten times greater than expected.
I Affirm the following IT Controls have been (or are in the process of) being put into place:
– Antivirus and Firewalls (Windows 7 or higher qualifies)
– Encryption of Sensitive Data
– Encryption of Mobile Computing Devices
– Critical Software Patching Procedures
– Critical Data Backup and Recovery Procedures
Consumer Practices:
– If I accept Credit Cards, I am PCI Compliant
– If I am a healthcare services provider or work with sensitive healthcare data, I am compliant with HIPAA.
– I have obtained legal review of all of my company’s trademarks and domain names.
– I require that all outgoing payments or funds transfers be subject to segregations of duties between initiation and authorization, such that no one individual can control the entire process.
– I require that all outgoing payments or funds transfers be subject to dual authorization by at least one supervisor after being initiated by a third employee.
– I confirm all changes to vendor/supplier details (including routing numbers, account numbers, telephone numbers, and contact information) by a direct call using only the contract number previously provided by the vendor/supplier before the request was received.
Losses:
I affirm that within the past three years, there have been no Incidents or Claims to which the policy being purchased would apply. Additionally, I am not aware of any fact, circumstance, or situation that could reasonably be expected to give rise to an Incident or Claim to which the Policy would apply.
Lastly, this insurance company issues a Fraud Warning Statement, which clearly indicates they can get serious about how they cover these policies.
FRAUD WARNING STATEMENTS
The Applicant’s submission of this Application does not obligate the Insurer to issue, or the Applicant to purchase, a policy. The Applicant will be advised if the Application for coverage is accepted. The Applicant hereby authorizes the Insurer to make any inquiry in connection with this Application.
Now that you have more insight into the qualification part of cyber breach insurance, check out these Top 5 Reasons to Invest in Cyber Breach Insurance. If you still have questions, Alvaka Networks is available 24/7 to answer them.
Contact us at 949.428.5000 or info@alvaka.net, or fill out the form on this page!
Smoke testing is a term used to describe the testing process for servers after patches are applied. 
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.