security services

You Had a Cyber Incident – Will Your Cyber Insurance Pay?

We all hope that we will never have to file an insurance claim and that, if we do file one, it will not be rejected. The ever-expanding cyber threat landscape calls both of these tenets into question. Will your cyber insurance pay your claim?

Cyber insurance has evolved from being implicitly covered under General Liability / GL to a completely separate and highly nuanced policy. It is critical to understand the coverage scope and its covenants.

In the face of lawsuits, insurers have been under pressure to provide more clarity about what, if any, cyber risks may be covered or excluded under a GL policy. Insurers and brokers are now more likely to steer customers to specialized cyber insurance policies that address the unique exposures associated with cyber events.

Cyber insurance itself has been a rapidly evolving field, struggling to keep up with the advancing cyber threat landscape. “Chasing” the latest cyber threats in a policy which is in place for one year appears to be a losing proposition. This inability to keep up with malicious actors is being addressed by an increased focus on the insurable cyber incident’s operational impact, subject to exclusions and conditions.

It is the insurance policy’s covenants – the insured’s obligations under the policy – that are often overlooked. Simply put, if the insured fails to meet the coverage requirements, the insurer has the right to reject future claims. The covenants sections of cyber coverage have expanded and now cover security monitoring, log collection, access control, regular comprehensive assessments, etc. In addition, cyber policies now include expanded reporting requirements and call for an ongoing dialogue between insurers and the insured.

The seemingly bespoke nature of today’s cyber coverage does open a door to negotiating a custom policy, which may result in a lower price in exchange for fewer controls and limited coverage. This tradeoff, however, needs to be evaluated and quantified.

To minimize the possibility of a non-covered cyber incident, it pays to understand your cyber coverage requirements and include them in every security evaluation. If a requirement is not met, it is important to agree with your insurer on the time to cure the deficiency. Failure to meet these requirements may render your cyber policy worthless.

Microsoft Launches Cybersecurity Services - How Customers and Microsoft Developers Are Impacted

Microsoft last week confirmed what many already realized - Microsoft is one of the largest diversified providers of cyber security solutions and services. In making the industry's "hunch" official, Microsoft validated how critical well-developed and multifaceted cyber security expertise is to the success of an application provider. A provider of end-user solutions can no longer succeed in the market without weaving cyber security considerations into every aspect of the application development life cycle.

Microsoft launches Security Experts services, boosting security spend (cnbc.com)

Gartner identifies Cybersecurity Mesh as the second top 2022 technology trend after Data Fabric. According to Gartner, “Cybersecurity mesh is a flexible, composable architecture that integrates widely distributed and disparate security services”. As the cybersecurity focus shifts to protecting data at source, data in transit, and user touch points, application architecture and design play an increasingly vital role in bringing to life application frameworks which are cyber robust and easily defendable, can be monitored in real time, and can be adjusted quickly and / or in an automated fashion in response to threats. All this needs to happen without impacting the user's interaction with the application. Consequently, developer success will increasingly depend on integrating robust security expertise into the application development process.

The other side of this prediction is also true – no cybersecurity firm will succeed without a thorough and nuanced understanding of data, data fabric, and user experience. Microsoft’s vast trove of user and application knowledge will, undoubtedly, make it a much more informed and sophisticated cybersecurity fighter than many pure cybersecurity players. The knowledge of how a modern application is constructed and brought to life will become an indispensable component of cybersecurity analysis and architecture planning.

And clients? Clients are likely to start requiring that their development partners demonstrate cyber security knowledge alongside their understanding of client operations. If a proposed application cannot be built as inherently cybersecure, a client might consider looking for a more cybersecurity-aware application development partner.