Published in Magda On Cyber

Everything you Need to Know about Cyber Insurance

Cyber insurance is a type of insurance policy that businesses can purchase to financially protect themselves from the potential damages that a cyber attack could cause. Damage from a cyber attack can include financial losses, stolen data, and damage to a company’s reputation.

Cyber insurance policies can also help businesses cover the costs of responding to and recovering from a cyberattack, including hiring forensic experts to investigate the attack and paying for credit monitoring services for affected customers. Some policies even provide coverage for business interruption losses, which can occur when a company is forced to shut down its operations due to a cyber attack.

There are a few misconceptions about cyber insurance that seem to be popular among business owners. The first is that carrying cyber insurance means that your company admits to being vulnerable to digital attacks. This isn’t the case: every company, no matter how large or small, is subject to attack. Carrying cyber insurance shows that you’re proactive about protecting your company and its data.

100% security does not exist. There is always a residual risk. Even the most well-prepared companies and individuals can fall victim to a sophisticated cyberattack. That’s why how quickly you detect, respond, and recover is so important.

Another common misconception is that having cyber insurance will automatically mean that your company will be fully compensated for any damages incurred in an attack. In reality, many policies have fairly high deductibles and may not cover certain kinds of damages (e.g., reputational harm). That’s why it’s important to carefully review your coverage and policies.

Does Cyber Insurance cover Social Engineering?

Social engineering involves manipulating people into giving away confidential information or performing actions that enable a cybercriminal to gain access to systems or networks. It’s one of the most common ways malicious hackers gain access to sensitive data and systems. Social engineering is often centered on the following:

  1. impersonation of a genuine and authoritative user in a formal setting (like a manager or a CEO)
  2. impersonation of a third-party or contractor in a supply chain in order to obtain access to confidential information
  3. looking for something in a dumpster (checking trash for documents containing private information)
  4. amongst others

Social engineering is a threat (called peril in the insurance world) that many firms do not have enough insurance coverage for.

Depending on the policy, cyber insurance might not cover certain social engineering losses when financial fraud is involved. In that case, commercial crime insurance policies would typically cover social engineering losses, including fraudulent wire transfers, possibly by way of an endorsement.

In many cases, the company’s crime and fidelity insurance policies are relied on with the expectation that a social engineering loss will be covered. This, however, is not always the case in practice. Insurance companies have refused coverage for social engineering claims under crime/fidelity insurance because there has been no “direct” fraud. Rather, the fraudulent transaction was approved by a trustworthy employee who was unaware of the scam. Even though that employee was duped into taking that action, it is not considered to be a case of “direct” fraud. A common feature of conventional crime/fidelity plans is the inclusion of exclusions that make it difficult to file social engineering claims.

Organizations that want to avoid these coverage issues may obtain an endorsement to their crime/fidelity insurance that may cover social engineering claims in addition to other coverages. A deductible may apply to the endorsement in certain cases, and the endorsement may be subject to extra risks.

It is recommended that insureds collaborate with their brokers/agents to ensure that they have enough coverage, as coverage will vary by insurer.

Can I get Cyber Insurance without having a Robust Cyber Security Program?

In order to be eligible for cyber insurance, companies are typically required to demonstrate that they have implemented certain security measures. This usually happens through an extensive assessment of the company’s security controls, especially for bigger organizations. I personally spent hours and hours with companies in my former life, assessing and discussing their cybersecurity posture before they were able to get cyber insurance.

It is impossible to obtain cyber insurance without a robust cybersecurity program in place, especially for large organizations, as insurers will want to see that your business has taken measures to protect itself from cybercrime.

Cyber attacks can have a number of potential financial consequences for companies and individuals. For businesses, a cyber attack can lead to loss of revenue, damage to reputation, and increased costs for security and recovery. In some cases, cyber attacks can also lead to physical damage to hardware or critical infrastructure. Cyber insurance can help to mitigate these financial consequences by providing coverage for the costs associated with recovering from a cyber attack.

Cyber insurance is a form of risk management used to protect businesses from the potential financial consequences of cyber attacks. It helps the company to manage its cash flow and liquidity following a cyber attack.

A robust cybersecurity program will include measures to protect, detect, respond and recover. If your business does not have a cybersecurity program in place, it is at high risk of being hacked or not being able to recover and could potentially face significant financial losses.

Does Cyber Insurance Reimburse Costs other than Fines?

The insurance industry has been slow to adopt cyber insurance as a product offering because of the difficulty in quantifying and pricing the risk. However, there is a growing awareness of the potential for large losses from cyberattacks, and regulatory changes are likely to increase demand for cyber insurance. And as more businesses become aware of the importance of cyber insurance, the market for this coverage is expected to grow rapidly over the next few years.

The scope of coverage will vary depending on the policy, but typically it will cover losses resulting from data breaches, attacks that damage or disable information systems, and costs associated with restoration efforts. Policies may also cover extortion and ransomware payments, legal defense fees, and business interruption losses. Depending on the insurance provider, cyber insurance can reimburse companies for a range of costs related to a ransomware attack, including the ransom amount, business interruption, data loss and damage, and expenses related to incident response and forensic investigations.

The average cost of a data breach increased to $4.24 million, up from $3.86 million in 2020, according to the Cost of a Data Breach Report 2021 released by IBM and the Ponemon Institute.

Cost of a Data Breach Report 2021

Cyber attacks can have significant consequences for businesses, including loss of business profit, reputational damage, loss of customer trust, and regulatory fines. Recovery from a cyber attack can be costly and time-consuming, requiring businesses to invest in new security measures and technologies. Activities that may be required during recovery include identifying and remediating security vulnerabilities, restoring data and systems, updating policies and procedures, and training employees on new security protocols.

What is the Role of Cyber Insurance in Cyber Incident Response?

Cyber insurance can be an important part of a company’s cyber incident response plan. When a data breach or cyber attack occurs, the insurance company can, through its partner network, support forensic investigations, incident response, and data recovery activities.

Cyber insurance can also help cover the costs of recovery and minimize the financial impact on your organization. It can help fund expenses related to crisis management and public relations and reimburse you for lost income if your business is forced to shut down due to a cyber attack.

In addition to financial protection, cyber insurance can also provide access to resources and expertise that can help you manage a breach and mitigate the damages.

As the stakes get higher, businesses are often turning to specialized consultants to help them recover from these devastating events. Cyber insurance policies include access to data breach coaches or consultants who can assist with incident response as part of the coverage.

But what exactly do data breach coaches or consultants do? And how can they help your business recover?

Let’s start with the basics. A data breach coach is someone who specializes in helping businesses recover from a data loss event. They are often experts in forensics and incident response, and they use their knowledge to help businesses assess the damage, mitigate losses, and develop a plan for recovery. Data breach coaches can be incredibly helpful in the aftermath of a data loss event.

Does Cyber Insurance Pay for Physical Damage following a Cyber Attack?

There is some debate on whether or not a cyber attack can cause physical damage, as some say it is possible while others claim it is not. I personally think it is absolutely possible.

Cyber-attacks can cause physical damage to property, just like a fire or burglary. For example, a malicious hacker might be able to access a company’s computer system and overload the cooling systems in the data center, leading to a fire. Or they might disable security cameras or access controls, making it easier for criminals to break into the building. There have been recent cases where cyberattacks have caused physical damage. For example, when an attack specifically targets nuclear facilities, it can cause the centrifuges to spin out of control, leading to a fire that damages the equipment. Nonetheless, this example is not that common (gladly so!).

Other attacks are more prevalent, such as cyberattacks on the manufacturing industry and factories. When a factory gets attacked, it can suddenly stop, and all the equipment activities might be interrupted. That means that industrial equipment such as Programmable Logic Controllers (PLC) and Supervisory Control and Data Acquisition (SCADA) systems, amongst others, might not work anymore.

For example, there are a few potential reasons why a PLC might become faulty when suddenly interrupted. One possibility is that the sudden interruption causes the PLC to reset or restart, and during this process, one of its internal components may malfunction. Another possibility is that the sudden power outage may cause a surge in voltage that damages the PLC’s circuitry. Finally, it’s also possible that something external to the PLC (such as an electromagnetic pulse) could cause it to malfunction.

In the insurance industry, those types of events are called silent cyber. Silent cyber is a type of physical damage that can occur to critical infrastructure as a result of a cyber-attack. This type of damage is often not immediately apparent and can include things like equipment failure or degradation, loss of data or communication, and even personnel injury. Silent cyber has been a challenge for property insurance policies, for example. Insurers are still trying to understand all the risks associated with cyber-attacks, and many policies do not explicitly cover losses from hacking or other cyber incidents.

Is Cyber Insurance Paying Claims?

In short, yes, cyber insurance is paying claims.

An insurance claim is a demand made by the policyholder to the insurance company for compensation under the terms of the policy. Insurance claims can be made for a range of reasons, from natural disasters and accidents to theft, damage, and cyber.

You need to do a few things to make an insurance claim. First, you need to notify your insurer as soon as possible after the event that has caused the damage or loss. You will then need to provide them with all the relevant information about the incident and any supporting documentation such as police reports (forensic investigation). Once your insurer has all of this information, they will assess your claim and determine how much (if any) compensation you are entitled to under the terms of the policy in place.

One of the biggest broking firms mentioned that the average data breach loss falls within the coverage offered by cyber insurance policies, up to 75%.
Two of the most frequently encountered coverage concerns were the use of unauthorized suppliers and the conduct of business without the permission of the insurer.

Cyber Claims from WTW Report

Understanding the policy, communicating with insurers early on, and being aware of authorized vendor lists or obtaining insurer pre-approval for your preferred suppliers can all help avoid these types of coverage difficulties in the first place.

While no one wants to think about experiencing a cyber attack, investing in cyber insurance is important. Cyber insurance is a form of risk management that all businesses should consider. Furthermore, organizations should regularly review their cyber insurance policies to ensure that they are still providing adequate coverage in light of recent changes in the threat landscape. And they should also work with their insurers to develop a plan for how they will respond to a cyber incident if one occurs.

Cyber insurance can help protect your business from the financial damages associated with cybercrime, including data breaches, hacking, and ransomware attacks. There are a variety of cyber insurance policies available, so it is important to work with an agent who understands the risks specific to your business.

If you’re not sure if cyber insurance is right for your business, contact your broker or agent today, and they will be happy to discuss options with you.

By Magda Chelly

Chief Security Officer | TEDx Speaker | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)

Find out on magda-on-cyber.com
