Understanding the Sensitivity of Cyber Liability Policies
With the many threats faced by businesses today, leaders must be vigilant about protecting their cyber liability policies. These policies are critical in mitigating the risks associated with cyber threats, but sharing their details can inadvertently expose your organization to further risk. This article aims to educate on the importance of safeguarding the terms of cyber liability policies and explain why others may be reluctant to share detailed policy information.
Risks and Exploitation Tactics of Disclosing Cyber Liability Policy Details
- Exposure of Security Weaknesses: Cyber liability policies often outline specific types of coverage and exclusions. This information can reveal potential vulnerabilities. For instance, if a policy heavily covers ransomware attacks but not business interruptions, attackers might infer that denying access to critical business services could add more pressure to the organization and target those areas.
- Understanding Response Capabilities: These policies typically reveal information about the organization’s incident response plans and capabilities. Attackers can use this knowledge to exploit gaps in the response strategy or to time their attacks for periods when the organization is undergoing change and is least prepared.
- Financial Limits and Coverage: Knowing the financial limits of the policy helps attackers gauge the potential payout from a successful attack. If they know your organization has substantial coverage for certain types of incidents, they may tailor their attacks accordingly, demanding ransoms or causing damages that align with the maximum coverage so they extract the highest possible payout.
- Legal and Regulatory Insights: Policies often include details about compliance with legal and regulatory requirements. Attackers can use this information to craft attacks that exploit regulatory weaknesses or create legal complications for the company. For example, an attacker could report a compromise to a regulator or payment brand to pressure the company to pay.
Best Practices for Evaluating Requests for Policy Information
Your organization may receive third-party requests to share your policy information for various purposes, such as responding to a request for proposal or an audit inquiry. Conversely, you may inquire about a potential vendor's cyber liability coverage.
In either case, it is crucial to create a shared understanding of what information is required and for what purpose. While someone may request your full policy, you should challenge this need before instantly providing the information. Often, requestors only need to verify that your organization is covered and meets a certain threshold of coverage, rather than understanding the specific terms and details of a complex policy.
This is also true for your vendors. While it is easy to request information and store it away in a database, you should clearly understand:
- what information your organization needs to learn about a vendor’s coverage and why.
- whether your team has the skills to evaluate specific policy terms.
- what you are going to do with this information and how you will protect it.
Ensure your information-sharing policy sets clear expectations on the disclosure of your information to third parties and the information you must obtain from your vendors. Remember, your organization is accountable for the information you obtain from others. Ensure your vendor management team seeks only the necessary information and protects it from disclosure or misuse as you would protect your own information.
Now that you know how sensitive this information is, you can understand why other organizations may be reluctant to share it with you in order to limit their exposure, and why sharing it may likewise expose your organization.
If you determine that sharing is appropriate, follow best practices to protect this information. Always seek legal counsel before sharing sensitive policy details to ensure compliance and protection.
Best Practices for Sharing Policy Information
To mitigate the risks in sharing your policy information, it is crucial to share only the minimum necessary information. Here are some recommended practices, listed from least to most information shared:
- Provide a Letter of Coverage: Confirm that the organization has coverage that meets or exceeds the requested amount and type.
- Certificate of Insurance (COI): Share a COI with redacted sensitive information.
- Policy Terms: Clearly state that the policy terms are "Internal Use Only" and considered "Sensitive, proprietary information" and share only the minimally relevant information.
- Private Review: Conduct reviews with verified stakeholders such as auditors in a secure setting where you may display information but not share the actual artifacts.
Additionally, requestors should be required to sign a Non-Disclosure Agreement (NDA) before you share any sensitive information. This ensures that the information remains confidential and legally protected.
If a requestor persists in seeking detailed policy terms, escalate the request to legal counsel. Maintaining the confidentiality of these terms is essential in protecting the institution from potential exploitation.
Conclusion
In summary, the terms of a cyber liability policy are extremely sensitive and should not be shared with or requested from others without careful consideration. If there is a requirement to share or request this information, always seek legal counsel first. Protecting these details is paramount to maintaining the security and integrity of your organization and protecting your partners from exposure. By following these guidelines, you can help safeguard cyber liability policies and reduce the risk of exploitation by malicious actors.
Jeffrey Julig
Jeffrey Julig joined SWBC in January 2016 and currently serves as Senior Vice President and Chief Information Security Officer (CISO). He leads a dedicated team of security and business continuity professionals, ensuring the protection of SWBC’s diverse business lines from internal and external threats. His mission is to safeguard the security, privacy, and resiliency interests of the organization and its clients. Before joining SWBC, Jeffrey served in the United States Air Force for over 25 years, honing his leadership and technical skills in high-risk, no-fail national security environments. He attended the Department of Defense Cybercrime Investigations Training Academy (DCITA) and is a former certified digital forensics examiner. He completed the San Antonio FBI Citizens Academy and is currently a member of Cybersecurity San Antonio and InfraGard San Antonio. Jeffrey earned a Certificate of Achievement in Advanced Cybersecurity from Stanford University and completed Stanford’s Cybersecurity and Executive Strategy course. He holds a Bachelor of Science in Cybersecurity from the University of Maryland University College. Additionally, he earned 14 professional certifications, including Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Information Privacy Technologist (CIPT), and global information assurance certifications (GIAC) in Strategic Planning, Policy, and Leadership and Law of Data Security and Investigations.