Cyber insurance: What are the considerations and challenges?

By David Dufour, VP of Engineering & Cybersecurity, Webroot

For business owners, connecting to the internet has been a blessing, allowing organisations the ability to grow at an unprecedented rate. However, such connection does have its drawbacks, namely cyberattacks. Business owners have come to accept cyberattacks as an eventuality, rather than a possibility. Executives can do their best to defend against attacks, such as implementing a robust employee training programme, but even with the most cutting-edge security solution in place, there is no such thing as being 100% secure.


As Forrester points out in its Now Tech: Security Awareness and Training Solutions, Q1 2019, “Even the most sophisticated technologies and well-crafted policies can be rendered useless when employees simply decide to — or unknowingly — break the rules. Because of this, and because many cybersecurity attacks are personally tailored to mimic daily, routine actions, it’s harder than ever to protect your workforce against today’s threats.”

Since cyberattacks have become the norm for businesses, the need for cyber insurance has never been more vital. A policy that provides financial compensation after a successful cyberattack gives a business an additional layer of financial security, as insurers can reimburse organisations that fall victim to an expensive ransomware attack or data breach.

What is cyber insurance?

According to Hiscox, cyber insurance is a form of coverage designed to protect your business from threats in the digital age, such as data breaches or malicious cyber hacks on work computer systems. Over the past decade it has become a necessity, as businesses of all sizes across the world are falling prey to cyberattacks and are having to pay hundreds of millions in compensation to partners and customers for their compromised data. What companies will struggle to pay for, however, is the impact on brand reputation and the effort of regaining customer trust, two things that insurance cannot directly recover. Cyber insurance is required because it is rare for an insurance provider’s general liability coverage to include non-tangible assets, such as data, as they are not considered ‘property’. No cyber insurance policy will work without a robust, preventative cybersecurity strategy in place to keep the business running smoothly through modern threats.

Cyber insurance typically falls under two categories, although some policies will incorporate both:

  • First-party insurance: Provides compensation for damages that directly affect the insured business, such as the cost of data recovery.
  • Third-party insurance: Covers damages to other people or business partners of the targeted business, such as the loss of stolen customer data.

Cyber insurance may cover costs associated with the following items:

  • Legal fees and expenses
  • Notifying affected customers of a breach and protecting their identities
  • Business interruption, downtime and lost revenue
  • Recovering compromised data
  • Repairing damaged networks, computers and systems
  • Public relations or crisis communications support

Organisations need to consider several factors when selecting the most appropriate cyber insurance policy. The top priority is ensuring that the organisation’s existing cybersecurity posture is as strong as it can be. When a business is attacked and submits a claim under its policy, the insurer will check whether the claimant took the correct steps to protect its data and infrastructure. The insurer has the right to refuse payment if it finds that the victim did not take appropriate measures to secure its assets.

In fact, providers write a specific exclusion for negligence into their policy language, and this can catch organisations out. The now infamous Equifax breach fell afoul of this: the company failed to demonstrate strong cybersecurity measures and is now having to pay $700 million plus more than $100 million in recovery costs.

Does cyber insurance cover ransomware?

Ransomware, a now commonly used type of malware that locks sensitive data behind encryption and holds it to ransom, is a major concern for many businesses because of the tremendous disruption it can bring to an organisation and its supply chain. Cyber insurers are aware of the rise in reported ransomware attacks and now take them into account, offering payment that covers the cost of the downtime involved in getting an organisation back up and running.

Unconditional coverage is never guaranteed. A recent incident saw cyber insurance coverage denied after an attack from the NotPetya ransomware strain. The ransomware attack was determined to be an “act of war,” exempted from coverage under a clause of the insurance policy. Although the legal territory is still somewhat uncharted, it’s likely that restrictions will continue to come into play with other types of cyberattacks as well.

Insurance coverage is not a substitution for a security program

Just as you wouldn’t leave your door unlocked simply because you have home insurance, cyber insurance should not serve as a reason to cut funding for security planning and strategy. Additionally, while cyber insurance may reimburse costs, it cannot mitigate the reputational damage incurred by a breach or security incident. Insurance will not reinstate the trust of clients and customers after a breach.

Security teams should get involved early in the insurance process

While the conversation about insurance is often led by the financial side of a company, such as the C-suite, the security department should be involved from the very start to help draw up policies and expected coverage levels. No one will have a better understanding of the technical language and definitions in a cyber insurance contract than the CISO or other members of the security team. The security team is also better qualified to identify important exclusions that may be slipped into the policy, and can advise accordingly. To ensure the policy has the right inclusions for a specific organisation’s needs, security must be a valued partner through every step of the evaluation and purchasing process.

With organisations under attack more than ever, cyber insurance is vital for any business looking to survive a data breach or malicious cyberattack. All considerations and challenges must be weighed up to ensure that organisations are giving themselves an extra layer of protection financially, if not reputationally. An insurance policy helps, but only if a business can avoid the major mistakes that escalate the costs associated with data breaches.