Over the past decade, higher education institutions have relied on cyber liability insurance (CLI) as a safety net to cover the costs of a major incident; however, with the prevalence and ever-rising costs of ransomware incidents, cyber liability insurance is not the saving grace it used to be. So what can higher education institutions expect from their insurance? What will it cover? And how does that coverage change in the wake of international events like Russia’s invasion of Ukraine?
According to Mike Gioia, Chief Information Security Officer at Bentley University and REN-ISAC member since 2019, the answer to many CLI questions is the same: “It depends on your coverage.” To be well-informed, as well as well-protected, you need to know the details of your specific insurance policy coverage.
“Cyber liability insurance is evolving from an institution’s safety net, especially for smaller organizations that don’t have robust or mature information security teams, into this thing where you are not as protected or as covered as well as you think you are,” said Gioia. “On top of that, it’s getting really expensive. At Bentley, we saw our premiums double and our deductible become five times more expensive just in the past year.”
So what are Gioia’s tips for getting the most out of your cyber liability coverage?
Know what your policy coverage includes.
This is a must, says Gioia. Coverage varies greatly from company to company and from policy to policy, so knowing what your coverage includes is one of the best ways to get the most out of your policy. “Know your policy, your coverage limits, what the policy actually covers. For example, our CLI only covers forensics and technical recovery if the incident originated from an external or malicious rogue entity. Also understand what they define as malicious because it may differ from your definition.”
Be aware of your coverage exclusions.
According to Gioia, knowing what your CLI will NOT cover is extremely important. For example, he has recently seen that some policies include a ransomware exclusion clause, meaning that they will not cover incidents involving ransomware or tied to a hacking entity known for using ransomware. “This is our number one threat right now, so insurance with this type of exclusion is really kind of a waste.”
Gioia has also seen policies that refuse to cover past breaches, similar to pre-existing condition exclusions in some medical insurance. Because of the extended timeline associated with some types of breaches, this can lead to a lack of coverage. For example, University X signed a new insurance policy in February of this year and the following May had a data breach incident. That university may expect to be covered; however, if the initial intrusion took place prior to the start of the insurance policy, the event would not be covered under their current insurance, leaving them to cover all the response and recovery costs themselves.
Integrate contacting and collaborating with your insurance provider into your incident response plan.
The last thing anyone wants during an incident is to be scrambling for insurance contact information. Gioia suggests adding insurance information into your incident response plan. Some important things to include are correct contact information, details on how they want to be notified, and when they want to be notified.
Have a clear understanding of your insurance company’s incident response timeline.
Time is critical during an incident, and the last thing you want is to be unsure of when to expect help from the insurance company. According to Gioia, “Not all CLI policies have the same timeline from the reporting of an incident, to evaluating the claim, to actually beginning their response. Some companies can take 24-48 hours, and with a serious incident like ransomware, you don’t have time to wait.”
“The situation gets even more complicated if the company decides not to cover the incident after that initial wait time,” says Gioia. “Now you are on your own to go find someone else to help you, and all of that is taking away from response, allowing the incident to get worse. It’s just increasing your recovery time.”
Consider setting up an Emergency Incident Response Retainer with a policy-approved vendor.
With the possible wait time and multiple exclusions, Gioia believes it is important to have an emergency incident response retainer in place and finalized before an incident occurs. “Here at Bentley,” says Gioia, “we have a contract with Palo Alto that enables us to get initial contact within two hours, start of recovery operation within 12 hours, and ‘boots on the ground’ assistance within 24 hours (if needed). If we do not use their emergency response services during the year, then we can use our purchased hours for proactive services like incident response plan reviews, tabletop exercises, or threat evaluations.”
If considering this kind of service, Gioia recommends that you have this retainer in place before an incident occurs, so as to not have to wait for legal and purchasing during an incident. Also, use a vendor approved by your insurance company to avoid service changes during an incident.
Understand how world events like the Russia/Ukraine War impact your coverage.
Like other types of insurance, CLI has specific war exclusion clauses that deny coverage due to acts of war. The Russian invasion of Ukraine brings unique considerations for cyber liability insurance. “This is the first time cyberspace is being used as a battlefront,” says Gioia, “but are related cyber-attacks an act of war because it is part of the Russian/Ukraine battlespace? Or is it an act of terrorism? It’s a big gray area because the internet is not territorially distance bounded.”
To explain, Gioia gives this example. Russia has hacked a Ukrainian hospital, and the hack happens to bleed over to a hospital in Poland, causing downtime and disruption. Article 5 of the North Atlantic Treaty states that, if an action of a country propagates down to a NATO territory, that action is considered an act of war, and NATO member states are to assist by taking “such action as [the member state] deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.” While this stipulation has not been used often, it may impact how a cyber incident is classified.
Gioia said another important factor is the outcome of the recent Merck v Ace American case. Back in 2017, Merck suffered an attack from NotPetya, and Ace American, their CLI provider, denied coverage, citing the “acts of war” exclusion. After five years of legal battles, the New Jersey Superior Court ruled in favor of Merck, stipulating that the language of insurance war exclusions is meant to apply to armed conflict, not cyber-attacks.
Gioia encourages all CLI policy holders to bring up these issues with their CLI vendor in order to verify how they differentiate acts of war and acts of cyberterrorism.
With attacks on the rise and the vagaries of CLI insurance, Gioia emphasizes that the best thing you can do to protect your institution is to ask questions and prepare back-ups for the worst-case CLI scenarios.
____
The REN-ISAC would like to thank Mike for his time and knowledge in creating this blog post. The REN Member Spotlight is an opportunity to highlight the wealth of knowledge and depth of skill within our membership, and we are so lucky to have Mike as a member. Thank you for all you do, Mike, for Bentley, for the REN-ISAC, and for the larger higher education community.