“Thank goodness” is probably what Illinois-based manufacturing company ICS thought about having a cyber insurance policy with Travelers Insurance after a data breach in 2022. But after claims investigators pulled out their microscopes, they found that ICS failed to use multi-factor authentication(MFA) across all digital assets, which they had agreed to do in their policy. Travelers sued ICS and won. The policy was rescinded, and so were ICS’s feelings of gratitude, which likely evolved into worried whispers of “Oh, crap.”
Smart businesses like yours are adding cyber insurance to their policies because they know good security hygiene is just as much a competitive advantage as a way to reduce business risk. But with cyber insurance premiums steadily increasing – they rose 62% last year alone – you want to make sure your claim is paid when you need it most.
Why Claims Get Denied
“Most claims that get denied are self-inflicted wounds,” says Rusty Goodwin, the Organized Efficiency Consultant at Mid-State Group, an independent insurance agency in Virginia.
Though we like to paint insurance companies as malicious money-grubbers hovering oversize “DENIED” stamps over claims, denials are usually the result of an accidental but fatal misrepresentation or omission by businesses or simply not letting an insurer know about changes in their security practices. However, there are simple steps you can take to prevent a claim-denial doomsday.
4 Ways To Make Sure Your Claim Doesn’t Get Denied
1. Find a broker to help you understand your policy.
There’s no doubt that insurance policies are tedious, filled with legal lingo that makes even the Aflac Duck sweat. Nevertheless, there are several parts to an insurance contract you must understand, including the deck pages (the first pages that talk about your deductible, total costs and the limits of liability), the insuring agreements (a list of all the promises the insurance company is making to you) and the conditions (what you are promising to do).
“If your broker can help you understand them and you can govern yourself according to the conditions of that contract, you will never have a problem having a claim paid,” says Goodwin.
Some brokers don’t specialize in cyber insurance but will take your money anyway. Be wary of those, Goodwin warns. “If an agent doesn’t want to talk about cyber liability, then they either don’t know anything about it or they don’t care because they won’t make a lot of money off it.” If that’s the case, he says, “take all your business elsewhere.”
2. Understand the conditions.
Insurance companies are happy to write a check if you’re breached if and only if you make certain promises. These promises are called the conditions of the contract. Today, insurance companies expect you to promise things like using MFA and password managers, making regular data backups, and hosting phishing simulation and cyber security awareness training with your employees.
Understanding the conditions is critical, but this is where most companies go wrong and wind up with a denied claim.
3. Make good on the promises.
If you’ve ever filled out a homeowners insurance application, you know you’ll get a nifty discount on your premium if you have a security alarm. If you don’t have one, you might tick “Yes,” with good intentions to call ADT or Telus to schedule an installation. You enjoy your cheaper premium but are busy and forget to install the alarm (nobody comes around to check anyway).
Then, your home gets broken into. “Guess whose insurance claim is not going to be paid?” Goodwin says. “The power is in our hands to ensure our claim gets paid. There’s really nothing to be afraid of as long as you understand the promises that you’re making.”
This happens all the time in cyber insurance. Businesses promise to use MFA or host training but don’t enforce it. As in the case of ICS, this is how claims get denied.
4. Don’t assume the right hand knows what the left hand is doing.
Goodwin sees companies make one big mistake with their insurance policies: making assumptions. “I see CFOs, CEOs or business owners assume their MSP is keeping all these promises they’ve just made, even though they never told their MSP about the policy,” he says. MSPs are good at what they do, “but they aren’t mind readers,” Goodwin points out.
Regularly review your policy and have an open and transparent line of communication with your IT department or MSP so they can help you keep those promises.
“We’re the architect of our own problems” Goodwin says. And the agents of our own salvation if we’re prepared to work with a quality broker and make good on our promises.