Research shows that companies with a strong security posture are more
likely to buy insurance. “Philosophically, they see it as a complement
to current security rather than an alternative.”
Insurance is no substitute for a strong resilience posture. Insurers can,
and will, refuse to cover events that could have been avoided. Organizations
can prepare for a number of what-ifs by building adequate redundancies,
rehearsing disaster scenarios and ring-fencing critical systems. For the
specific risks that cannot be avoided, cyber insurance may be an option.
In this article, I will discuss the following points:
+ What, when and why we need cyber insurance
+ Who needs cyber insurance
+ Types of cyber insurance
+ Questions to ask the insurance provider
+ Meeting cyber insurance policy obligations
+ Evidence documents produced by the insured
+ A successful cyber claim case study
+ Refusal of cyber claims
As part of a risk mitigation strategy, the residual risk that remains after
controls are applied is transferred to an insurer. Cyber insurance is an
insurance product that covers the policyholder against internal and external
cyber risks.
While large businesses attract the most publicized attacks, smaller
companies and healthcare organizations have also seen a rise in attacks,
because their databases contain a wealth of personal data about their
clients and patients.
A smaller business is less likely than a larger one to spend money on
security controls and encryption, which can make it an easier target.
No matter its size, an organization can be in possession of large amounts
of confidential data. In fact, there has been a notable increase in reports
of unsuspecting businesses becoming victims of cybercrime because they were
underprepared, for example by not adequately securing their data and IT
systems.
As smaller businesses and healthcare organizations are more exposed, they
need to make sure they have not only tighter security controls but also
sufficient cyber insurance coverage, anticipating a worst-case scenario. If
a smaller business is not sufficiently covered, the recovery costs can be
extremely high. The damage to a smaller company's reputation can run deeper
still, affecting its ability to keep operating in the long run.
Do individuals need cyber insurance?
Anyone who uses online services is potentially at risk of cybercrime.
Whether you shop online, use a mobile banking app, or work from home, cyber
risks are everywhere. While insuring all your personal data might seem
excessive, consider the value of some of the information you share online.
What exactly does cyber insurance do? This coverage is meant to offset the expenses incurred during a data breach or cybersecurity event, including:
- Recovering compromised data
- Legal settlements and regulatory fines (to the extent fines are insurable in your jurisdiction)
- Hiring experts to identify and repair damage
- Notifying customers, and providing identity and credit monitoring
- Business interruption, network downtime, and lost employee productivity
Types of Cyber Insurance
1) Cyber security (first-party) cover – Covers the insured's own losses; it does not cover damage done to third parties.
2) Cyber liability (third-party) cover – Covers the insured's liability for damages resulting from a data breach.
3) Errors and omissions insurance – For businesses that provide or sell
technology products and services. It generally covers the cost of
defending against negligence claims made by a client.
Scenarios for a Cyber Insurance Policy with a Supply Chain
Let's say Company A is a bank or a large enterprise. Company A has several
different vendors and support services that it does business with to
achieve its goals.
One of those support partners (Company B) is a professional services firm
that Company A uses for various needs such as consulting and general staff
augmentation. Company B staff generally use Company A's information systems
to complete their tasks and perform the services on-site.
Another of those vendors is Company C, a SaaS provider that Company A uses
to deliver its retail banking portal to customers. Let's also assume that
Company C uses its own vendors (Company D, Company E) for various activities.
Company A purchases a policy to protect against financial loss from a cyber event or data breach.
Generally, do these policies cover Company A if…
1) A breach occurs because an employee of Company B mishandles a materially significant amount of Company A's customer data?
2) A breach occurs because a vulnerability in Company C's software exposes Company A's customer data?
3) A breach occurs because an employee of Company D or Company E mishandles Company A's customer data?
Whether they do depends on how the policy defines the insured's systems and
whether data held or processed by vendors (and their sub-contractors) on the
insured's behalf is within scope. These are exactly the points the questions
to the insurer need to pin down before the policy is signed, not after a claim.
Some of the Questions to Ask the Insurance Provider
- Does coverage include both first- and third-party losses, as well as
third-party service providers? Third-party vendors can provide an
unfortunate path into sensitive company data, so ensure they are included
in your cyber insurance policy.
- Will coverage still apply if the event was caused by non-malicious
employee activity? By social engineering attacks such as spear phishing? By
advanced persistent threats?
- Given that some of these threats take time to discover, what time frames
does the policy define for coverage (for example a retroactive date, and the
window in which an incident must be discovered and reported)? Are there
limits?
- Does the policy apply only to targeted attacks, or does it cover any security event to which the organization is subjected?
- Are there any benefits in not making a claim? Will a claim-free period reduce the premium at all?
- Are there additional measures you can put in place to reduce your premium?
- Does the insurer understand your industry and its regulators?
- Which regions and territories are you covered in?
- Are there any exclusions that could be used to deny a claim?
Meeting Cyber Insurance Policy Obligations
An insurer can require a certain level of security as a precondition of
coverage. Such conditions are usually stated in the cyber insurance policy,
and the insured needs to meet them for the whole validity period of the
policy. Furthermore, when applying for cyber insurance coverage, the insured
can be asked to share information about the information security controls
it has adopted. Those controls should be maintained for the validity period
of the contract: a control that was declared on the application and later
allowed to lapse is a common basis for a denied claim.
Evidence Documents Produced by the Insured
The insurer can request the following evidence documents to validate the insured's risk management process:
a) Information security policies, guidelines and procedures (in addition to any ISMS certification under ISO/IEC 27001:2013)
b) Documents describing the insured's internal roles and responsibilities.
c) Plans and records of awareness programmes.
d) Documents on the management of outsourced and third-party processes.
e) Incident response records.
Successful Cyber Claim Case Study and Lessons Learned
One data breach shows the value of cyber insurance. Capital One, a US bank,
reported a data breach in July 2019 affecting about 106 million credit card
customers and applicants. The bank expected the incident to cost somewhere
between $100 and $150 million, including customer notification, credit
monitoring, technology costs and legal support. Lawsuits and regulatory
fines were additional costs on top of that.
Luckily, Capital One held over $400 million of cyber insurance coverage.
This was subject to a $10 million deductible, but would appear to be more
than enough to cover all of the estimated incident costs.
The downside was that the breach was expected to reduce revenue and earnings
per share over the following three years.
The Capital One data breach also raises serious questions about the safety
and security of storing sensitive data in a public cloud. In this case, the
credit card issuer was storing all sorts of sensitive data in AWS. Paige
Thompson, a former AWS employee and the alleged hacker in this case, took
advantage of a misconfigured open-source Web Application Firewall (WAF) in
Capital One's AWS environment. The lesson is less about the cloud itself
than about the customer-managed layer: the misconfiguration was in a
component Capital One deployed and operated, which is exactly the kind of
control an insurer will scrutinize after a claim.
Refusal of Cyber Security Claims
Cyber liability policies start with a complex application process that can
be overwhelming for even the most sophisticated organizations. Companies
that go into this process without doing their due diligence can see their
application for coverage denied altogether. The following are common reasons
cyber insurance applications are denied:
- Inadequate cyber security testing procedures and audits
- Ineffective processes for staying current on new releases and patches
- Inadequate cyber incident response plans
- Inadequate backup processes and recovery procedures
- Inadequate policies concerning the security of vendors and business partners
- Poor-quality security software and employee training
- Lack of adherence to a published security standard
- Inadequate physical security
- Lack of encryption on mobile devices that interact with sensitive or regulated data
A retail client had recently suffered a cyber attack to which its insurer
did not respond, prompting it to engage Mactavish to review and renegotiate
its cyber insurance policy.
Organizations should deploy strong cybersecurity plans and carry out internal
security audits. Doing so is not only sensible on its own merits, but also a
way to get the best rates and avoid having claims rejected.
Ecosystem Risk, State Actors and the "Act of War" Exclusion
In June 2017, in just 24 hours, NotPetya wiped 10 percent of all computers
in Ukraine, paralyzing networks at banks, gas stations, hospitals, airports,
power companies and nearly every government agency, and shutting down the
radiation monitors at the old Chernobyl nuclear plant.
Food giant Mondelez was one of several victims of NotPetya in 2017. Its
insurance provider Zurich Insurance Group declined to pay Mondelez's $100m
damages claim because NotPetya was considered a “hostile or warlike action
in time of peace or war”. Similarly, pharmaceutical giant Merck said insurers
had denied claims after the NotPetya attack hit its research, sales and
manufacturing operations, causing nearly $700 million in damage. Merck later
prevailed in court against its property insurers on that exclusion, so the
clause is contested, but the lesson stands: check how your policy defines
war and state-sponsored activity, because a nation-state attack against a
third party can still hit you through your ecosystem.
Organizations should also know that reputation cannot be insured. It is
vital, therefore, that you protect your information security to preserve
your reputation, insurance notwithstanding.
The bottom line is this: cyber insurance is an increasingly important asset
for businesses. That being said, you will only get out of the insurance
process what you put into it. If you don't do your homework, however, you
will be wasting your