As cyber insurance slowly moves from corporate to consumer coverage, some interestingly comprehensive policies have been introduced. One, introduced this month by AIG, puts a strong emphasis on services to prevent attacks rather than merely paying for them once they happen. We decided to dive into the fine print to see how much wiggle room the insurer gave itself.
The new policy, called Family CyberEdge, is designed as a supplement to existing homeowner’s insurance and will cost an extra $597 for $50,000 limits for each key area, consisting of cyber extortion, data restoration, crisis management and cyber bullying, with no deductibles beyond a flat $1,000 for data restoration. Bump the coverage limit up to $100,000 and the annual premium rises to $972, or go for the maximum coverage of $250,000 and the annual premium comes in at $1,723.
Those premiums, however, start to look quite reasonable when you peek into the contract and see the services covered.
For cyberbullying of a family member, for example, a year of psychiatric services is covered, along with bills from PR, digital forensic analysis and cybersecurity firms, plus lost salary if the bullied person loses a job during the first 60 days after the cyberbullying is discovered. It also covers temporary relocation of the victim and “temporary private tutoring or any increase in expense for school enrollment for you or a family member to relocate to an alternative but similar school.”
That’s not bad. (Note: The current language leaves open the possibility that cyberbullying perpetrators may also have coverage — especially if they are sued, which could be covered under the homeowner’s policy — but Jerry Hourihan, president of the AIG group that is offering this insurance, said that wasn’t the intent.)
A provision that is a bit more controversial is coverage for cyber extortion. The policy will reimburse an insured for paying a ransom “paid by you or a family member, with our prior written consent, to terminate or end a cyber extortion threat that is harming or would otherwise result in harm to you or a family member; and the costs for a service provider to conduct an investigation to determine the cause of a cyber extortion threat.”
That’s controversial because almost all security experts strongly recommend not paying such ransoms, since it only serves to encourage more cyber extortion. Once the word spreads that AIG will cough up any cyber extortion demand for those paying for this insurance, will their customers become especially attractive targets? Will AIG end up paying an ocean of such claims?
Digging into the cyberattack coverage, AIG offers a fairly broad programming exclusion: “We do not cover any loss resulting from an error in computer programming or error in instructions to a computer.” On its own, this could open the door to rejecting almost any data attack. Is it an error in computer programming to leave the user open to a data attack? Couldn’t the argument be made that any vulnerability a cyberthief leverages is “an error in computer programming”?
Is it an “error in instructions to a computer” to set firewall protections that are not sufficiently strict?
Here’s a goodie that I would love to see CISOs use more often with enterprise security: “If requested, permit us to question you or a family member under oath at such times as may be reasonably required, about any matter relating to this insurance or you or your family member’s claim, including any inspection of any computer system. In such event, you or your family member’s statement containing your or a family member’s answers will be signed.”
Then there are the issues of trust. AIG has a list of approved partners to deal with cyberattacks, extortion threats and stolen data. The policy requires full cooperation, or payments could be denied. “Cooperate with the service provider and us (AIG). You or a family member must permit the service provider to make calls on your or your family member’s behalf to resolve the event.”
Cooperation makes sense. But making calls on an insured’s behalf gets tricky. Is the partner merely chasing down details and asking questions? Or are they making representations on behalf of the insured? This required trust might be a bit much to ask, given that only AIG gets to vet these companies.
Then there are the preventative elements. “You have the duty to maintain security systems for the use of passwords, firewalls, and anti-virus software and the proper disposal of used hard drives or other storage media including CDs, DVD’s, modems, or other mobile drives or devices. Take action to avoid future loss, including securing any computer systems or data.”
Although I love the big-picture sound of insisting on preventative measures, this section doesn’t have any specifics. That means that it could be a blanket “get out of paying for claims” free card. Once an attack happens and forensics has determined how the attacker did the deed, it’s easy to go back and point to something that the insured could have done differently to avoid the incident.
If this were my policy, I would insist that the insurer spelled out more specifics so that I could prove compliance prior to an incident. As any PCI company knows, Visa loves to retroactively declare — after a breach — that a merchant was never properly PCI compliant based on breach details. AIG was apparently taking notes.
All in all, personal cyber insurance is a good idea. But poring over the particulars of coverage policies — before a deal is signed — is always a good idea.