What is cyber insurance? Everything you need to know about what it covers and how it works

Cyber insurance is becoming increasingly popular. But what does it cover, what doesn't it cover and what should you be looking for when deciding on a policy?


Cyberattacks of all types are an increasingly large problem for all organisations, and as a result many are turning to cyber insurance as a means of protection against some of the effects of an incident. But what is cyber insurance, how does it work and what are some of the things that your business needs to be considering when deciding on a cyber insurance policy?

What is cyber insurance?

Cyber insurance – also known as cyber-liability insurance – is an insurance policy that helps protect organisations from the fallout from cyberattacks and hacking threats. Having a cyber insurance policy can help minimise business disruption during a cyber incident and its aftermath, as well as potentially covering the financial cost of some elements of dealing with the attack and recovering from it.

"The formal definition of cyber insurance is essentially a contract between an insurer and a company to protect against losses that are related to computer- or network-based incidents," explains Juergen Weiss, head of global financial services research and advisory at tech analyst Gartner.


However, there are things that cyber insurance can't protect against and an organisation will need to make sure it understands what is covered and perhaps more importantly what isn't covered when they sign up to a coverage plan. While having some form of cyber insurance in place can help a business in the event of an attack, a business is also responsible for its own cybersecurity – the responsibility isn't something that is just shifted to the insurer.

"Cyber insurance will not instantly solve all of your cybersecurity issues, and it will not prevent a cyber breach/attack," says the National Cyber Security Centre in its guidance.

Who needs cyber insurance?

Any business with an online component or one that sends or stores electronic data might benefit from cyber insurance, as may any organisation that relies on technology to conduct its operations, which is pretty much every business.

Private personal data such as the contact details of customers or staff, intellectual property, or sensitive financial data are all potentially very lucrative to cyber criminals, who could attempt to break into the network and steal it.

There's also the potential for hackers to cripple a network with ransomware. A cyber insurance policy that covers ransomware could go a long way to helping organisations that fall victim to attacks like this find a way out of the predicament.

What sort of attacks result in cyber insurance claims?

Cyber insurance claims can be triggered by many sorts of incidents, but right now the most common are ransomware, fund-transfer fraud attacks, and business email compromise scams. 

How much does cyber insurance cost?

The cost of a cyber insurance policy will depend on a number of different factors including the size of the business and the annual revenue. Other factors can include the industry the business operates in, the type of data that the business typically deals with, as well as the overall security of the network.

An organisation that is deemed to have poor cybersecurity, or that has a history of falling victim to hackers or a data breach, would likely be charged more for a cyber insurance policy than one that has a good reputation for keeping itself secure.

Sectors such as health and finance are likely to find that cyber insurance policies cost more due to the sensitive nature of the fields they operate in.

What does cyber insurance cover?

Different policy providers might offer coverage of different things, but generally a cyber insurance policy will cover the immediate costs associated with falling victim to a cyberattack.

"Cyber insurance policies are designed to cover the costs of security failures, including data recovery, system forensics, as well as the costs of legal defence and making reparations to customers," says Mark Bagley, VP at cybersecurity company AttackIQ.

Underwriting data recovery and system forensics, for example, would help cover some of the cost of investigating and remediating a cyberattack by employing forensic cybersecurity professionals to aid in finding out what happened – and to fix the issue.

This is the sort of standard procedure that follows in the aftermath of a ransomware attack, one of the most damaging and disrupting kinds of incident an organisation can face right now.

It is also the case that some cyber insurance companies cover the cost of actually giving in and paying a ransom – even though that's something that law enforcement and the information security industry doesn't recommend, as it just encourages cyber criminals to commit more attacks.

"The insurance company looks at what the potential incident response and forensic bill might be and that's going to be bigger in many cases as organisations aren't prepared, so they'd actually rather pay. It's very frustrating," says Theresa Payton, former White House CIO for the George W. Bush administration and founder and CEO of cybersecurity company Fortalice Solutions.


Business email compromise (BEC) phishing scams are another form of cyberattack that can cost a business a large, sometimes six-figure sum of money. These attacks see criminals posing as a CEO, supplier, or other trusted contact and duping people into transferring payments.

As the UK's NCSC points out, some insurance policies will cover money lost in BEC fraud – but it's often part of a specific policy that's directly related to BEC. It therefore may not be covered by standard cybersecurity insurance – and your organisation could be left without any aid if that's the case.

Organisations should, therefore, make sure they know exactly what they're signing up for when choosing a cybersecurity insurance policy – and that it covers the potential damage of the most likely cyberattacks including ransomware, phishing and DDoS attacks.

The NCSC also notes that it's worth checking if your organisation already has cyber insurance in place as part of existing policies, such as business interruption or property insurance. This might provide some level of coverage – or may specifically exclude cyber-related incidents.

What isn't covered by cyber insurance?

There are some things that could be important to organisations that don't tend to be covered by cyber insurance and it's vital to understand what isn't covered, so protecting these assets can be properly managed.

"Cyber insurance is still kind of limited compared to the true amount of risk. So don't think that all forms of cyber risk are covered by insurance," says Jon Bateman, fellow in the Cyber Policy Initiative of the Technology and International Affairs Program at the Carnegie Endowment for International Peace.

The financial damage caused by loss of intellectual property isn't covered by cyber insurance, and neither are the reputational costs that can be incurred following a cyberattack.

For example, cyber insurance could pay out for the costs associated with dealing with the direct aftermath of a cyberattack, but in the longer run the company might lose business due to public perception of having poor cybersecurity. A cyber insurance policy won't cover the cost of losing customers due to the bad reputation it picks up as a result of a cyberattack.

Does cyber insurance cover major cybersecurity events?

The summer of 2017 saw two major cyberattacks spread around the world in quick succession, with the WannaCry ransomware attack taking down networks in May, only to be followed by the much more damaging NotPetya attack just weeks later. NotPetya knocked major organisations around the world offline, and is estimated to have cost billions in lost revenue and restoration costs because, in many cases, organisations had to rebuild their networks from scratch.

It sounds like the sort of incident that would result in an insurance company paying out a cyber insurance claim because an organisation was disrupted by an incident that wasn't their fault – especially as NotPetya was so prolific and indiscriminate in its targeting.

However, some insurance providers argued they didn't have to pay out because NotPetya, a malware attack linked to the Russian military, was classed as an "act of war" that nullified the claim. Other insurance providers did pay out claims for damage caused by NotPetya.


It's likely that this is going to continue to be an issue moving forward, especially as the cyber and physical realms become ever more indistinguishable from one another and insurers and their clients might not see eye to eye on what should and shouldn't be covered.

"A major challenge for this market is how to deal with the most extreme forms of risk – major state-sponsored attacks, major catastrophic incidents across a large number of clients. Cyber-physical events that begin in cyberspace but still go out into the world with societal consequences. They're very difficult to model and price. If a major incident was to happen it would overwhelm the capacity of cyber insurance markets," says Bateman.

What do I need to apply for a cyber insurance policy?

Cyber insurance isn't a silver bullet for solving your cybersecurity problems – far from it. In fact, in order to get a good deal for coverage, your business will likely need to prove that it's responsible with cybersecurity in the first place. Insurers won't want to take on a client that looks almost certain to be the victim of a data breach.

Insurers will want to know what cybersecurity your company has in place when you apply for a policy, and you'll be expected to maintain accurate details about your cybersecurity as time moves forward. In many cases policies are reassessed every 12 months, so even after acquiring cyber insurance, organisations still need to ensure they maintain proper cybersecurity procedures or risk losing the insurance down the line.

It's also important to understand which systems and data are essential to your organisation, and whether the level of cover you have is adequate. That means deciding on a cyber insurance policy is a question that goes beyond IT and is a question for broader executive management, too.

"Unlike incidents such as a fire or theft, cyber incidents are often not restricted to a single location. Understanding how your organisation operates and the interdependencies between different parts is vital to determining the extent of an incident, which may have global implications," says NCSC.

An organisation can't just decide it doesn't want to invest in cybersecurity any longer because it now has a cyber insurance policy.

What is the future of cyber insurance?

As the frequency of cyberattacks continues to increase and cyber criminals get more brazen with campaigns, the way cyber insurance operates is going to evolve. As previously noted, cyber insurance providers are unlikely to want to offer policies to organisations that pay little attention to their cybersecurity.

Paying out an insurance claim is a purely reactive activity and is costly for the insurance provider. That's why some are starting to take a more proactive approach to cybersecurity, not only there to offer a payout if things go wrong, but actively aiding clients to take a better approach to cybersecurity.

"The whole insurance industry is moving away from being a lender of last resort and payouts, to more like a risk advisor and a partner for your business operations. Insurers are now putting black boxes in your car to track driving behaviour – they want to price more accurately and ideally change your behaviour," says Weiss.

"And the same is happening in the cyber insurance space. They want to make sure that you as a corporate adapt to the risk. It's a mix of audit, protection and prevented loss," he adds.