In an era where cyber threats are evolving at an unprecedented pace, the importance of robust cyber insurance coverage for non-profits cannot be overstated. However, many non-profit organizations find themselves facing challenges when it comes to understanding and navigating their cyber insurance policies. Recent discussions, such as those from a congressional hearing on cybersecurity and infrastructure protection, highlight crucial concerns that all non-profits should be aware of when evaluating their cyber insurance coverage.

Here are some key red flags in your cyber insurance policy that non-profits need to watch for to ensure they are adequately protected:

1. Sublimits that Fall Short of Actual Needs

One of the most common issues with cyber insurance policies is the presence of sublimits that are too low to cover the true costs of a cyber incident. Sublimits are caps on coverage for specific types of losses, such as data breach notification or regulatory fines. These sublimits can be a ticking time bomb for non-profits, as they may leave you underinsured when a significant incident occurs.

Red Flag: Check if your policy has sublimits that are disproportionately small compared to the potential costs of a breach. For instance, if your policy offers only $50,000 in coverage for data breach notification but the actual costs could easily exceed $500,000, you could be left with a substantial financial gap.

What to Do: Ensure that the limits for critical coverages such as data breach response, legal fees, and regulatory fines align with the potential impact of a cyber incident. Consult with a cyber insurance expert to review your coverage limits and negotiate for higher sublimits where necessary.

2. Minimum Baseline Requirements for Coverage

Insurance providers are increasingly stringent about requiring policyholders to maintain best practices in cybersecurity. If your organization fails to meet these baseline requirements, you could face denied claims in the event of a breach.

Red Flag: Review your policy to see if there are specific cybersecurity practices you must adhere to. For example, you might be required to have up-to-date antivirus software, regularly conduct vulnerability assessments, or have strong access controls in place. Failure to meet these requirements could jeopardize your coverage.

What to Do: Ensure that your organization implements and maintains recommended cybersecurity best practices. Document your efforts to show compliance with the policy’s requirements and conduct regular internal audits to ensure ongoing adherence.

3. Evolving Terminology and Coverage Definitions

The cyber insurance market is still maturing, and terms and definitions in policies are evolving. Recent statements in June 2024 from industry cyber insurance companies underscore that insurers are grappling with how to define and cover emerging cyber threats.

Red Flag: Pay close attention to the terminology used in your policy. Terms like “cyber event,” “data breach,” and “business interruption” can have specific, evolving meanings that might not be immediately clear.

What to Do: Work with a knowledgeable broker or legal advisor to interpret the language in your policy. Ensure you understand what is and isn’t covered and seek to clarify ambiguous terms with your insurer to avoid surprises during a claim.

4. Insurer Flexibility and Policy Customization

As mentioned during the recent congressional hearing, insurers need flexibility to adjust policies based on emerging risks and evolving threats. This flexibility can be a double-edged sword: it can lead to vague coverage terms and to disputes over what constitutes a covered loss.

Red Flag: Be wary of policies that offer overly broad or ambiguous coverage terms that could be interpreted to the insurer's advantage.

What to Do: Ensure your policy includes clear definitions of coverage terms and does not rely on overly flexible language that could leave room for insurer interpretation in the event of a claim.

5. Insufficient Coverage for Third-Party Risks

Cyber insurance policies often need to cover risks beyond the internal operations of your organization, including risks related to third-party vendors and partners.

Red Flag: Check if your policy includes adequate coverage for third-party risks such as vendor data breaches or liability claims resulting from service failures.

What to Do: Ensure that your policy covers third-party risks and that the limits are sufficient to address potential liabilities from your vendor relationships and other external partnerships.

Conclusion

As non-profits continue to play a vital role in our communities, protecting your organization against cyber threats should be a top priority. Understanding and addressing these potential red flags in your cyber insurance policy will help ensure that you are not caught off guard by coverage gaps or denied claims. Stay proactive in your approach to cybersecurity and work closely with experts to ensure that your policy provides the protection you need.

For further guidance, contact our Cyber & Risk advisory team to review your current coverage and make necessary adjustments to safeguard your organization’s mission and operations. Stay vigilant and be prepared—your non-profit’s resilience depends on it.