Research shows that companies with a strong security posture are more likely to buy insurance. “Philosophically, they see it as a complement to current security rather than an alternative,”
Insurance is no substitute for a strong resilience posture. Insurers can—and will—refuse to cover events that could have been avoided. Organizations can prepare for a number of what-ifs by creating adequate redundancies, practicing disaster scenarios and ring-fencing critical systems. For specific risks that cannot be avoided, cyber insurance may be an option.
In this article, I will discuss some of the important points:
+ What, when and why do we need Cyber Insurance
+ Who needs Cyber Insurance
+ Types of Cyber Insurance
+ Questions to ask the Insurance Provider
+ Meeting Cyber Insurance Policy Obligations
+ Evidence documents produced by the insured
+ Successful Cyber claim case study
+ Refusal of Cyber claims
As part of a risk mitigation strategy, residual risk is transferred to an insurer. Cyber insurance is an insurance product that covers the policyholder against internal and external cyber risks.
While hackers mainly target large businesses, smaller companies and healthcare organizations have also seen a rise in attacks, because their databases contain a wealth of personal data about their clients and patients.
A smaller business is less likely than a larger one to spend money on security controls and encryption, which may make it an easier target.
No matter the size, an organization can be in possession of large amounts of confidential data. In fact, there has been a notable increase in reports where unsuspecting businesses have become victims of Cybercrime due to being underprepared, for example by not securing data and IT systems properly.
As smaller businesses and healthcare organizations are more vulnerable, they need to make sure they have not only tighter security controls but also sufficient cyber insurance coverage, anticipating a worst-case scenario. If a smaller business isn’t sufficiently covered, the recovery costs could be extremely high. The damage to a smaller company’s reputation could prove deeper still, affecting its ability to keep operating in the long run.
Do individuals need Cyber insurance?
Anyone who uses online services is potentially at risk of a Cybercrime. Whether you go shopping online, have a mobile banking app, or work from home, Cyber risks lurk everywhere. While insuring all your personal data might seem excessive, consider the value of some of the information you’re sharing online.
What exactly does cyber insurance do? This coverage is meant to offset the expenses incurred during a data breach or cybersecurity event, including:
- Recovering compromised data
- Legal settlements and regulatory fines
- Hiring experts to identify and repair damage
- Notifying customers, and providing identity and credit monitoring
- Business interruption, network downtime, and lost employee productivity
Types of Cyber Insurance
1) Cyber Security – Covers the insured’s own losses; does not cover damage done to third parties
2) Cyber Liability – Covers the liability for damages resulting from a data breach
3) Technology Errors and Omissions Insurance – For businesses that provide or sell technology products and services. It generally covers the costs of defending against negligence claims made by a client.
Scenarios for Cyber Insurance Policy with Supply Chain
Let’s say Company A is a bank or a large enterprise. Company A has several different vendors and support services that they do business with to achieve their goals.
One of those support partners (Company B) is a professional services firm that Company A uses for various needs such as consulting and general staff augmentation. Company B staff generally use Company A’s information systems to complete their tasks and perform the services on-site.
Another of those vendors is Company C, a SaaS provider which Company A uses to provide the retail banking portal for its customers. Let’s also assume that Company C uses its own vendors (Company D, Company E) for various activities.
Company A purchases a policy to protect against financial loss from a cyber event or data breach.
Generally, do these policies cover Company A if…
1) A breach occurs due to an employee of Company B mishandling a materially significant amount of Company A’s customer data.
2) A breach occurs due to a vulnerability in Company C’s software exposing the customer data of Company A.
3) A breach occurs due to an employee of Company D or Company E mishandling Company A’s customer data.
Some Questions to Ask the Insurance Provider
- Does coverage include both first and third parties, as well as third-party service providers? Third-party vendors can provide an unfortunate avenue into sensitive company data, so ensure they are included in your cyber insurance policy.
- Will coverage still apply if the event was caused by non-malicious employee activity? Or by social engineering attacks, including spear phishing and advanced persistent threats (APT)?
- Given that some of these threats take time to discover, will the cyber insurance policy include time frames during which coverage is in effect? Or will there be limits?
- Does the policy only apply to targeted attacks, or does it cover any security event to which an organization is subjected?
- Are there any benefits in not making a claim? Will this reduce the premium at all?
- Are there any additional measures you can put in place to reduce your premium?
- Does the insurer understand your industry and its regulators?
- What regions/territories are you covered in?
- Are there any exclusions under which claims would be denied?
Meeting Cyber Insurance Policy Obligations
An insurer can require a certain level of security as a precondition of coverage. Such conditions are usually stated in the cyber insurance policy, and the insured needs to meet them throughout the validity of the contract.
Furthermore, when applying for cyber insurance coverage, the insured can be asked to share information about the information security controls it has adopted. These controls should be maintained throughout the validity of the contract.
Evidence documents produced by the insured
The insurer can request the following evidence documents to validate the insured’s risk management process:
a) Information security policies, guidelines and procedures beyond the ISO/IEC 27001:2013 ISMS
b) Documents about an insured’s internal roles and responsibilities.
c) Plans and records of awareness programmes.
d) Documents on the management of outsourced/3rd party processes.
e) Incident response records.
Successful Cyber Claim Case Study and Lessons Learned
The Capital One data breach shows the value of cyber insurance. The US bank Capital One reported a data breach in July 2019 affecting 106 million credit card records. The bank expected the incident to cost somewhere between $100-150 million, including customer notification, credit monitoring, technology costs and legal support. There were additional costs from lawsuits and regulatory fines.
Luckily, Capital One held over $400 million in cyber insurance coverage. This was subject to a $10 million deductible, but it appeared to be more than enough to cover all costs.
The downside of the breach was an expected reduction in revenues and EPS over the next three years.
The Capital One data breach also raises some very serious questions about the safety and security of storing sensitive data in a public cloud. In the case of Capital One, the credit card issuer was storing all sorts of sensitive data in AWS. That helps to explain how an AWS employee was able to access the data so easily. Paige Thompson, the alleged hacker in this case, simply took advantage of a misconfigured open-source Web Application Firewall (WAF) on Amazon Web Services.
Refusal of Cyber Security Claims
Cyber liability policies start with a complex application process that can be overwhelming for even the most sophisticated organizations. Companies that go into this process without doing their due diligence can even see their application for coverage denied altogether. The following are common reasons cyber insurance applications are denied:
- Inadequate cyber security testing procedures and audits
- Inefficient processes to stay current on new releases and patches
- Inadequate cyber incident response plans
- Inadequate backup processes and recovery procedures
- Inadequate policies concerning the security of vendors and business partners
- Poor-quality security software and employee training
- Lack of adherence to a published security standard
- Inadequate physical security
- Lack of Encryption of mobile devices that interact with sensitive or regulated data
A retail client had recently suffered a cyber attack to which their insurer did not respond, prompting them to engage Mactavish to review and renegotiate their cyber insurance policy.
Clients should deploy strong cybersecurity plans and do internal security audits. Doing so is not only sensible on its own merits, but also a way to get the best rates and avoid having claims rejected.
Ecosystem Risk and State Actors: War Exclusions
On 27-28 June 2017, in just 24 hours, NotPetya wiped clean 10 percent of all computers in Ukraine, paralyzing networks at banks, gas stations, hospitals, airports, power companies and nearly every government agency, and shutting down the radiation monitors at the old Chernobyl nuclear power plant.
Food giant Mondelez was one of several victims of NotPetya in 2017. Its insurance provider Zurich Insurance Group declined to pay for Mondelez’s $100m damages claim because NotPetya was considered a “hostile or warlike action in time of peace or war”.
The pharmaceutical giant Merck said insurers had denied claims after the NotPetya attack hit its sales, research and manufacturing operations, causing nearly $700 million in damage.
You should know that your reputation cannot be insured. It is vital therefore that you protect your information security to preserve your reputation, insurance notwithstanding.
The bottom line: cyber insurance is an increasingly important asset for businesses. That being said, you will only get out of the insurance process what you put into it; if you don’t do your homework, you will be wasting your money.