The board of directors, in exercising their fiduciary responsibilities, should ensure that the enterprise maintains a comprehensive cyber insurance plan covering both internal and external losses resulting from a cyber attack. Insurance companies have already started including cyber-risk exclusions on traditional covers, making it clear that businesses can experience severe shocks in the event of a significant breach.
The prevalence of high-profile cyber attacks has prompted many businesses to complement existing cyber defences with cyber insurance cover, fuelling the growth of the cyber insurance market. Consulting giant PwC predicts that the cyber insurance industry will triple to approximately US$7.5 billion by 2020. Cyber-related insurance claims are also on the rise. CFC Underwriting, the largest independent specialty Managing General Agent (MGA) in the UK, revealed that it handled more than 400 cyber-related claims in 2016, a 78 per cent increase from 2015, underscoring the growing frequency of high-impact cyber attacks.
What costs can cyber insurance cover?
Cyber insurance protects an enterprise against internal and external losses from cyber-related breaches, such as:
- Business disruption costs
- Replacement of impaired digital assets
- Legal expenses and regulatory fines
- Forensics and incident remediation
- Third-party damages
- Customer fraud protection
- Customer communications
Target held approximately US$100 million worth of cyber insurance cover at the time of its highly publicised 2013 data breach, helping offset a significant portion of the ensuing losses (approximately US$250 million).
Cyber security insurance is particularly essential for small to medium enterprises (SMEs), whose entire capital can be wiped out by a single cyber attack. Furthermore, compared with larger enterprises, SMEs often have inadequate cyber security resources to protect themselves against a rising number of attacks, and are therefore being disproportionately targeted by cyber criminals. This view was supported by a 2016 Guardian article, which said, ‘not only are small businesses now firmly in the crosshairs of cyber-criminals, they are fast becoming their favoured target – and are often woefully unprepared’.
Fortunately, several cyber insurance firms are partnering with legal firms and introducing specialist lawyers, commonly referred to as ‘cyber breach coaches’. These lawyers provide the required expertise in the event of a breach, assisting the covered enterprise to prepare correspondence to customers, regulators or the public. Cyber insurance providers are also working with specialist security providers that deliver incident containment, forensic investigation and malware clean-up services in the event of a data breach. Understanding what your cyber insurance covers, as well as the associated exclusions, is important for two reasons:
- It provides an enterprise with an opportunity to eliminate needless costs. For instance, there may be no need to purchase a separate cyber security incident response retainer if this is already covered by your cyber insurance cover.
- Clarity of insurance scope eliminates financial shocks in the event of a cyber breach. Incorrectly assuming your cyber insurance provides PR advice or security incident response can result in embarrassing communications or higher than expected costs.
Cyber insurance limitations
No doubt cyber insurance has become a vital component of cyber resilience. But several challenges still exist, which, if poorly understood, could result in severe financial shocks in the event of a cyber breach. Here are five limitations businesses should consider when purchasing cyber insurance cover:
- Most cyber insurance policies don’t cover intangible cyber breach impacts – particularly loss of intellectual property or brand damage – which can be detrimental to the enterprise. In addition, policy providers are still struggling to price cyber risk due to the lack of reliable cyber breach loss data and the rapidly evolving cyber threat environment. Additionally, most insurers rely on control self-assessments carried out by their policyholders, which may not objectively assess a policyholder’s vulnerabilities. The result: cyber-risk insurance is still excessively expensive for most SMEs. This sentiment was echoed by a 2015 UK Government report, which stated that cyber insurance cover costs ‘roughly three times more than general liability and six times more than property insurance’.
- Several insurers require policyholders to demonstrate a minimum set of cyber security controls – such as credit card data encryption, PCI compliance, ongoing security monitoring, etc. – before providing cover or approving claims. As such, consistently paying your premiums doesn’t guarantee that associated claims will be paid. In 2014, US-based Cottage Healthcare Systems was hacked, resulting in a data breach. Its insurance provider, Columbia Casualty, legally sought reimbursement of approximately US$4 million, arguing that Cottage had failed to maintain adequate cyber security controls, which left the company vulnerable to the cyber attack. Cottage allegedly stored unencrypted data on a vulnerable server exposed to the internet. Similarly, a 2015 report by Reuters highlighted that the cost of renewing policies for companies that had been breached was ‘prohibitively expensive’, with some insurers even turning away customers perceived as high-risk.
- Some cyber insurance policies require policyholders to notify the insurer of the data breach or cyber attack within a specific period (e.g. 60 days). But several studies show that some cyber attacks can take months to detect. Heavy reliance on outsourced providers can also significantly delay cyber breach notification, rendering this sort of cyber insurance cover useless.
- Many cyber insurance policy clauses are both ambiguous and unreasonable. Back in 2014, BitPay, a Bitcoin payment processor, experienced this firsthand. BitPay had purchased cyber insurance cover from Massachusetts Bay Insurance Company (MBIC). But when BitPay fell victim to a spear phishing attack in which it lost US$1.8 million, MBIC rejected the claim due to the wording in the contract. The insurer argued that its policy covered ‘direct losses’ and that the spear phishing attack fell into the ‘indirect loss’ category because an authorised user had triggered the transaction. This sounds highly unreasonable given that most cyber breaches, even highly sophisticated ones, often include an element of human trickery.
- According to the World Economic Forum, several insurers are capping the amount of coverage at US$200 million, leaving many businesses potentially exposed to losses from highly damaging cyber attacks that may cost far more than that amount.
Therefore, to avoid missteps, businesses should integrate cyber risk into the enterprise risk management framework; cyber risk should not be managed solely by an enterprise’s technology team. Finance teams should also consult with their legal and cyber security colleagues to ensure cyber insurance cover and exclusions are clearly understood, thereby reducing the likelihood of unexpected cyber-attack losses.
Despite the growing significance of cyber insurance in today’s fast changing and high-risk digital environment, most businesses remain under-insured. However, this will soon change, as rising investor and customer expectations, coupled with the introduction of stricter data breach notification laws across many jurisdictions, will further drive cyber insurance uptake.