Beware Cyber Policies that Exclude Human Error

By Amy Elizabeth Stewart

The 2017 Equifax breach, which exposed the personal information of more than 146 million Americans, is a great reminder to businesses that they must take steps to ensure the security of their customers’ private information.

The breach also highlights the importance of cyber insurance, which can help cover the costs of responding to such a breach and compensate those who were injured by it.

A story in the New York Times, however, illustrates the importance of reading the fine print of a cyber policy closely before procuring coverage. According to the Times, the company’s former CEO, Richard F. Smith, told the House Energy and Commerce Committee that the breach happened “because of a mistake by a single employee.”

On multiple occasions, Mr. Smith referred to an ‘individual’ in Equifax’s technology department who had failed to heed security warnings and did not ensure the implementation of software fixes that would have prevented the breach. 

Assuming Mr. Smith’s account is correct and the breach happened as the result of a lapse by a single employee, it would put Equifax in very good company. Most data breaches are, at least in part, the result of human error. Whether it is an employee mistakenly clicking a link in a phishing email, a failure to install a manufacturer’s software patch, or any number of other mishaps, errors and lapses in judgment can happen to anyone.

Companies considering purchasing a cyber policy should take human fallibility into account when examining prospective policies. Carefully analyze policies containing exclusions that effectively shift the risk back to the insured by requiring the business to follow certain protocols, policies, procedures, and the like. Such exclusions may restrict coverage, or eliminate it altogether, if the insured fails to comply with the pertinent protocols, which is precisely the kind of lapse that causes many breaches in the first place.

During the process of applying for cyber insurance, therefore, businesses should take care not to overstate their internal controls in the hope of obtaining a less expensive premium. Better yet, invest a little time and money on the front end consulting with cyber-security experts to ensure that appropriate protocols are in place and are accurately described to insurance underwriters. Consider also engaging experienced coverage counsel to ensure the company is getting the coverage it expects, without exclusions that create unexpected gaps.

For other advice on what to look out for when purchasing a cyber policy, check out our Tips for Buying Corporate Cyber Insurance blog post.