Cyber insurance, like all insurance, is all about the fine print.
In 2017, G&G Oil Company purchased a commercial insurance policy that, while not a full-fledged cyber insurance policy, did include coverage for losses “resulting directly from the use of a computer.”
They were hit with a ransomware attack later that year and had to pay a ransom in bitcoin to the attacker to restore access to their systems. They filed a claim with their insurance company… and were denied. Their insurance company claimed the bitcoin payment to the bad guy was not in fact caused directly from the use of a computer, and that the payment was voluntary.
G&G Oil Company sued their insurance provider and the case is still ongoing, having recently visited the Indiana Supreme Court, who passed it back down to the lower courts.
Why does this story of a 5-year legal battle over insurance matter?
Cyber insurance, as a product, is still a very new offering. Providers and purchasers alike are still figuring out what the policies should contain.
The result? Lots of companies have ill-fitting cyber insurance coverage that doesn’t match their risk profile and organizational needs.
Cyber Insurance is still in its formative years.
Cyber insurance, however, has only been around since 1997, when AIG wrote the first policy focusing on being hacked by a 3rd party. That was back when hackers were generally thought to be bored teenagers sitting in their parents’ basements.
If that stereotype was ever true, it is most definitely not true now.
According to the 2021 Verizon Data Breach Report, 80% of attacks are financially motivated and run by organized crime. When we say “organized crime” we’re not talking about lone wolf unshaven guys in hoodies. These are full-on companies with benefits, Christmas parties, job ads, HR departments, and performance reviews. Their business model is extortion and the sale of your data.
Security.org states that in 2020, 1 in 6 cyber attacks involved ransomware and half those businesses ultimately paid the attackers. They also state that because COVID increased the number of people working from home, so did the attack surface, causing a 197% rise in Social (People) attacks and 169% increase in identity theft.
The risks businesses face from cyber attacks change continuously (regulatory reporting, customer credit monitoring, forensic investigations, legal expenses, ransom payments, business continuity, etc.), and so does the coverage that insurance companies offer. With the cyber insurance market predicted to be worth $23.7 billion by 2025, it shouldn’t come as a surprise that 500+ companies are ready to write you a policy.
The catch however is that the insurance industry is built on experience and predictable models.
Cyber insurance has very little historical data, especially for SMBs (Small and Medium Businesses). This means there is a wide spectrum of coverage and premiums that may or may not be a good fit for your business, because the insurers are still learning too.
Your Cyber Insurance Policy Should be Unique
On the surface, getting cyber insurance is easy: Call a broker, write a cheque, and get a policy.
Beneath the surface, it’s much more complicated.
There are a ton of decisions to be made about the coverage you’re getting. You don’t want to overpay for excessive coverage that you will almost never need, and you don’t want to find that your insurance fails to cover an attack you do experience.
Yours truly has been the CISO at life and property insurance companies, so I have some both-sides knowledge about insurance. Understanding and articulating what your risks are is important to ensuring you get the right coverage.
Here’s how I recommend evaluating any current or future cyber insurance policies.
How to Evaluate a Cyber Insurance Policy
Step 1 – Determine the business case (Why bother getting cyber insurance?)
1. Contractual obligations to partners, clients, etc. to protect data and indemnify against loss
2. Regulatory or industry requirements for customer protection, notification, responses
3. Reputational risk or loss of confidence from customers or regulators
4. Minimizing revenue loss from costs incurred from lost business during an incident, legal fees, fines, forensic investigations, customer credit monitoring, among a host of others
Step 2 – Identify your risks (What can go wrong)
Some people make the mistake of not viewing cyber risks as business risks and delegate them to IT. However, cyber risks are business risks as they can impact your business’ ability to meet its goals. You will never meet your online sales goal if your e-commerce website is taken down!
You know your business goals and what you want to achieve, but what are the cyber risks that threaten them?
E-commerce companies could have their business severely interrupted by a website takedown or social media advertising account compromise. They’re also vulnerable to many types of fraud.
SaaS businesses frequently process and store lots of data for their clients. The business is liable for that data in the event of a breach.
All modern businesses are vulnerable to phishing and other social engineering attacks.
As usual, there is no one-size fits all solution. It’s important to consider your own business and make the needed decisions.
Step 3 – Quantify your risks
What do these risks translate into? High, Medium and Low are great for t-shirts, but less useful when weighing a risk against a potential revenue stream. Quantifying risks with real (or at least estimated) numbers makes them much easier to understand, discuss, and use to make decisions.
Describing a risk as “a 10% chance of a $10 million loss” is much more concrete than simply saying “high.”
Understanding what your risks are and how they could financially impact your business provides decision makers with a clearer picture of how to respond.
This is the methodology we here at Fractional CISO use in our quantitative risk assessments.
Step 4 – Determine what to do with the risks. Identify your risk tolerance
Insurance is a key component of any risk management strategy. If there is a risk to your business, you have four choices on how to deal with it.
Avoid – Don’t do (or stop doing) whatever is creating the risk.
Mitigate – Do something to lower the risk to an acceptable level.
Accept – Let the cards fall where they may.
Transfer – Let someone else own the risk.
Cyber insurance allows companies to transfer a portion of their risk to the cyber insurance company, for a fee.
Step 5 – Be clear about what risks you care about and when.
A SaaS company might be willing to accept their environment being down for an hour (accept) and self-fund the cost (no insurance) but if it goes beyond 3 hours the costs could be too great and require insurance (transfer).
Step 6 – Know your business process, who the key stakeholders are and how they could impact your business.
What happens if a key vendor that your company relies on is down from an attack and your company gets caught up in it? What happens if you’re the cause of a partner’s outage? Is this something your company can survive?
Step 7 – Know what you are already covered or not covered for.
A business continuation policy may cover physical threats such as a building burning down but specifically not cover the business being down from a cyber attack.
Step 8 – Know thyself.
Cybersecurity insurance policies have requirements that their customers must meet to qualify for coverage. Failure to meet these requirements may result in denied coverage or claims.
You may be transferring risk to the insurance company, but there are limits to what they are willing to accept.
Your organization needs to have a cybersecurity leader that the CEO can rely on to effectively communicate cyber risk so the organization can make wise decisions.
Step 9 – Align your coverage needs with the “DICED” Model
Whether looking for new insurance or reviewing your current coverage, the DICED model can help make sense of what can seem a tangled mess.
D – Declarations – This includes effective date, business address, etc. This is the administrative information that seems trivial… until it doesn’t.
Ex. A policy doesn’t come into effect until the first of the coming month, but an organization was attacked in the last week! The coverage will not help in this situation.
I – Insuring Agreement – This is the meat of the insurance policy, which outlines what’s covered and for how much. Pay special attention to this area, since this is what you’re really purchasing in your plan.
Some policies may not mention coverage over specific types of attacks, or they might institute impractically low coverage caps for common attacks like social engineering.
If something is not explicitly stated, it is very likely not covered. It might feel like common sense that a ransomware attack is “directly caused by the use of a computer” – but G&G Oil Company’s insurer didn’t think so!
C – Conditions – Roles & Responsibilities before and after an incident and requirements on how to address an incident.
For example, insurers may require that the business deploys anti-virus software on all computers and stipulate that only the insurer can negotiate with a ransomware attacker.
Ex. Will a lack of proper security measures invalidate the policy? Are those expectations clear?
E – Exclusions – What’s not covered. Exclusions may not even be called out specifically and may be scattered throughout the policy, which makes it even more important to understand them.
Ex. Cyber policies typically have war or hostile act exclusions. Given the rise of cyber warfare and its use in relation to the ongoing war in Ukraine, what happens if your organization becomes collateral damage?
D – Definitions – Words can have many meanings, and what a term means to you may not be what it means in the agreement. Clarity is important here.
For example: is phishing defined as fraud, or social engineering? Different types of attacks may have different coverage limits.
Step 10 – Shop around.
You know what you want, you know what it’s worth to you and you know what level of risk tolerance your company is willing to take on. That may mean speaking to multiple underwriters or even brokers. Not every insurance broker is a specialist in all forms of insurance, after all!
Someone who is great at fire insurance may not understand the nuances of cyber.
Talking to someone who specializes in cyber insurance will help ensure you get the right policy.
No insurance policy is perfect – but you can get close.
Insurance is based on the premise of guessing: will something happen or not? No policy is going to be 100% perfect.
The key to getting the right cyber insurance coverage for your business is to understand and become comfortable with the following:
- What your risks are
- What your coverage is
- What your residual exposure is
If you are knowledgeable about these parts of your business risk and cyber insurance policy, you are likely in a good spot and can get your focus back to where it belongs… running your business.
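To make the three items above concrete, here is an added worked example (not part of the original article) that runs a small risk register through a policy's retention, limit, sublimits and exclusions and reports the residual exposure. Only the "10% chance of a $10 million loss" figure comes from the article; every other risk, probability and policy term is constructed for illustration, and the model assumes one event per risk per year with sublimits sitting inside the overall limit.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    name: str
    peril: str          # category the policy's Definitions would assign
    annual_prob: float  # estimated chance of the event in one year
    loss: float         # estimated dollar loss if it happens

@dataclass
class Policy:
    retention: float    # amount you self-fund before the insurer pays
    limit: float        # most the insurer pays for one event
    sublimits: dict = field(default_factory=dict)  # peril -> lower cap
    exclusions: frozenset = frozenset()            # perils never covered

def insurer_pays(policy, risk):
    """Amount transferred for one event: 0 if excluded, else the loss
    above the retention, capped by the limit or the peril's sublimit."""
    if risk.peril in policy.exclusions:
        return 0.0
    cap = min(policy.limit, policy.sublimits.get(risk.peril, policy.limit))
    return max(0.0, min(risk.loss - policy.retention, cap))

def exposure_report(policy, risks):
    """Per risk: expected annual loss, insurer share, and what stays with you."""
    report = {}
    for r in risks:
        paid = insurer_pays(policy, r)
        report[r.name] = {
            "expected_loss": round(r.annual_prob * r.loss, 2),
            "insurer_pays": paid,
            "residual": r.loss - paid,
            "expected_residual": round(r.annual_prob * (r.loss - paid), 2),
        }
    return report

# Constructed sample register and policy (illustrative values only).
RISKS = [
    Risk("Ransomware outage", "ransomware", 0.10, 10_000_000),
    Risk("Phishing wire fraud", "social_engineering", 0.25, 400_000),
    Risk("Collateral damage from cyber warfare", "war", 0.02, 5_000_000),
]
POLICY = Policy(retention=100_000, limit=5_000_000,
                sublimits={"social_engineering": 100_000},
                exclusions=frozenset({"war"}))

if __name__ == "__main__":
    for name, row in exposure_report(POLICY, RISKS).items():
        print(f"{name}: {row}")
```

In this constructed case the low social engineering sublimit leaves $300,000 of a $400,000 loss uninsured, and the war exclusion leaves the full $5 million, which is the kind of gap the Insuring Agreement, Exclusions and Definitions review is meant to surface.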