Cyber Insurance, Warranties & Ransomware Protection: Mind The Coverage Gap!
With new threats emerging daily and growing in complexity and sophistication, cyber security has become a critical focus for every organisation, with every company, irrespective of its size and location, at risk of a cyber-attack. As a result, most have started taking out cyber insurance to cover the losses such attacks may incur, sometimes together with a specific ransomware warranty, a trend catalysed by ransomware accounting for some 75% of cyber insurance claims (AM Best 2021). Beyond ransomware, cyber insurance can cover areas including extortion demands and remediation costs.
But this is a market under strain: the ratio of losses to premiums earned stood at 73% in 2021 according to Fitch Ratings, and the risk is difficult to diversify because cyber-attacks respect no geographic boundaries. Further, the absence of long-run historical data complicates the kind of risk forecasting the insurance industry typically relies on to set pricing. In combination, this threatens the profitability of the industry and thereby the protection it affords, and is fuelling rising premiums for customers too.
Headline-grabbing ransomware warranties are another area where further investigation and careful reading of the small print is required. What looks an attractive proposition (and often a no-brainer) will in many cases never pay out, and could lead to dangerous complacency.
Additionally, the terms of cyber insurance are tightening, as highlighted by the recent announcement by Lloyd's of London on coverage limitation: for example, its insurance products will no longer cover the fallout of state-backed cyber-attacks. Many insurers are also imposing stricter minimum security requirements as a condition of cover (commonly multi-factor authentication, endpoint detection and tested backups). Although this helps raise the overall level of cyber defences, it can also leave some organisations, and especially SMBs, exposed, as they are less able to meet the new minimum thresholds.
This makes knowing exactly what is covered by any policy you hold today, or are contemplating purchasing, a business and technology imperative. Cyber insurance policies and ransomware warranties do not cover every aspect of an attack; in most cases there are varying triggers, limits, conditions and coverages for different types of claim, any of which can lead to a denied or reduced claim and a gap between expectation and reality. Education and awareness are key: you must know what is not covered by your cyber insurance today to avoid surprises later. Roy May does a great job of covering exactly this point.
Let’s explore some of the key issues in turn to support exactly that.
- Third-Party Mistakes: Many cyber insurance policies will not cover you if a cyber-attack on a third-party system causes damage to your own business. That third-party software or service could be your web hosting, email, cloud services, customer relationship management platform or any other significant online business dependency. Check whether your policy includes dependent (contingent) business interruption cover, and which providers it names, before assuming such losses are covered.
- Losses Incurred During the ‘Waiting Period’: Cyber policies often carry a time-based deductible referred to as a “waiting period”. Only losses incurred after the waiting period has elapsed are covered. This waiting period is usually around 10 to 12 hours, which means that if an attack takes your network down for less than that, or the bulk of the loss falls within those first hours, you will not be able to claim for it.
- Loss During Downtime: Losses incurred during the interruption itself are often only partly covered by major policies. Where business interruption cover is included, it typically pays only provable lost net income within a defined indemnity period and subject to sub-limits. The wider harm downtime causes, lost productivity and the erosion of customer trust, loyalty and ultimately their business, is not covered, however much revenue it ultimately costs you.
- Reputational Damage: This is one of the most significant risks a company faces after a cyber-attack or data breach. One in three customers are willing to leave a brand they love after just one bad experience, rising to over 90% after two or three poor interactions (PwC 2018). An attack during a peak trading event such as Cyber Monday can do even more harm. Because such loss is difficult to quantify, cyber insurers generally exclude it from their policies.
- Bodily Injury or Property Damage: Cyber-attacks have tangible consequences. As the world moves towards the Internet of Things (IoT), connections between physical objects multiply, and a compromise can lead to bodily injury or property damage. It may sound unusual, but many manufacturers now run entirely on computers: everything from receiving raw materials to shipping the finished product happens through automated systems, and a cyber-attack on any part of that process could be catastrophic. A company that ends up in such a situation will likely find that its cyber insurance does not cover it, or not to the extent needed; such losses traditionally fall under property and liability policies, which may in turn carry their own cyber exclusions, so check both sides of that gap.
- New Hardware: A cyber insurance policy will usually not cover property damage such as replacing hardware and other equipment damaged by a cyber-attack, unless it specifically includes ‘bricking’ cover. This becomes a problem when hardware is corrupted to such an extent that it cannot be fixed; the only option is to replace it, and the organisation itself will have to pay.
- Software Upgrades: Moving to newer software versions is traditionally not covered by cyber insurance policies. After an attack, most policies will only help you restore software to the state it was in before the attack took place (a ‘betterment’ exclusion), so any upgrade undertaken as part of recovery is at your own cost.
- Lost Equipment: Most cyber insurance policies do not cover cybercrime that originated from a lost portable device such as a company laptop or tablet. A few policies cover such devices only if they were encrypted, so full-disk encryption on every portable device in the organisation (alongside keeping them patched) is a condition worth meeting, and worth being able to prove.
- Card Issuer Fines and Penalties: A key concern after a data breach is the penalties and assessments imposed on a company by card brands such as Mastercard and Visa under the PCI DSS framework, or regulatory fines imposed on the company under GDPR and similar regulations. These can reach six figures or more. Some insurers exclude such fines, and many cover them only ‘where insurable by law’, which varies by jurisdiction; check the PCI and regulatory sub-limits explicitly, as an exclusion here could lead to severe financial loss.
- Specialised Attacks: Many insurance policies cover only attacks committed by cybercriminals seeking personal profit, or collective profit where bad actors collaborate for shared gain. They deny coverage if the attack is carried out with a motive of terrorism or by a nation-state actor for political ends, an area where research shows attacks growing in scale and sophistication (Microsoft 2021). Attribution is rarely clear-cut, so ask how the insurer decides that an attack was state-backed and who bears the burden of proof.
Final Thoughts – So, Is Cyber Insurance Worth It?
The resilience of a business is tied to its cyber resilience, making a sustained, organisation-wide focus on cyber security critical, right across technology, process, culture and skills. As part of this, cyber insurance plays a role in protection by requiring baseline controls as a condition of cover, under increasingly stringent terms, and by supporting organisational recovery in the event of a breach, provided all such obligations were fulfilled. But not all cyber insurance policies are made equal; there are material differences in coverage and conditions. So you must fully understand both your requirements and your obligations before making a final decision.
Start-ups and SMBs with small portfolios or minimal digital assets might not be able to justify the expense of cyber insurance, with a better return on investment likely achieved by focusing on security defence, for example Zero Trust practices and employee training and awareness. For large enterprises managing a significant volume of sensitive financial information or PII on behalf of their customers, investment in a reputable cyber insurance policy can be well justified, but only as part of a holistic cyber security strategy. No policy will prevent or automatically resolve security issues; rather, it can form the final piece of a proactive defence programme that focuses on both early identification of risks and expedient recovery when (not if) an attack of some form inevitably occurs.
About the Author
Dr. Sally Eaves is the Chair for Global Cyber Trust at leading Think Tank GFCYBER and Digital Decentralization, Democracy and Security Advisor for the Centre for a New American Security (CNAS) reporting to the United States Government. A highly experienced Chief Technology Officer by background, Professor in Advanced Technologies, and a Global Strategic Advisor on Digital Transformation, Sally specialises in the application of emergent technologies, notably AI, Security, 5G, Cloud and IoT disciplines, for Business and IT transformation, alongside enabling Social Impact at scale.
An international Keynote Speaker and Author, Sally was the inaugural recipient of the Frontier Technology and Social Impact award, presented at the United Nations, and has been described as the “torchbearer for ethical tech”, founding Aspirational Futures to enhance inclusion, diversity, equity and belonging in the technology space and beyond.