Part 1: Misconceptions about cyber insurance
Cyber insurance doesn’t pay out.
There have been many successful and public claims on cyber insurance policies. As long as the incident that occurs and its impact are covered by the policy, the claim should be successful and the outcome satisfactory. The key is to ensure that the policy purchased is fit for purpose and will respond as intended.
I believe my cyber security is good enough to withstand an attack.
No organisation is 100% secure from a cyber incident. Organisations with the most advanced and well-managed controls have had devastating cyber incidents. An organisation that is operationally mature regarding cyber risk may be less likely to experience a crippling incident; however, there are too many difficult-to-quantify risks (such as people) that must be considered.
I use the cloud; their insurance should cover any losses I incur?
Third-party service providers will normally only reimburse a customer for the financial cost of an incident up to the limit of liability set out in their service contract. In any case, organisations are responsible for the security of their customers' data, regardless of where it is stored. There is no service agreement between your customer and your third-party service provider.
My existing insurance policies will cover me for a cyber incident.
There are many different types of insurance, and typically organisations will have several policies with different functions, either individually or wrapped up in bundles. It is unlikely that an organisation's existing insurance programme outside cyber will cover cyber incidents unless cyber risk scenarios have been specified. For clarification, it is best to speak with your broker.
Part 2: Hard truths about cyber insurance
Your cyber insurance policy may not cover certain incidents
Cyber insurance is still a developing set of products. There can be grey areas as to what type of events will trigger the policy. It is best to itemise the key cyber risk scenarios for your organisation, such as ransomware or a data breach, and confirm that the cyber insurance policy will cover them. For example, a cyber policy may cover ransomware but not social engineering fraud via email.
Your coverage limit may be insufficient, or you have more cover than you need
Because cyber risk is difficult to quantify, so is the amount of coverage that may be required. For each scenario that may occur, estimate the amount that the incident could cost the organisation. For example, estimate the following:
- Technical recovery and investigation
- Other incident response costs (legal, PR, etc.)
- Business interruption
- Potential fines and penalties from regulators
- Third-party claims
Compare the largest possible loss from an incident with your limit to check that the limit is adequate.
Insurers have pre-approved panels of providers for incident response; your IT team may not be aware of this.
Where cyber insurance is in place, the insurer most often has a pre-approved panel of service providers available to the insured to assist in managing an incident. These include IT forensic experts, legal advisors and PR consultants, among others. There may be an issue if an organisation chooses to use service providers that the insurer has not previously approved. If you would like to use your own response service providers when you have an incident, agree this with the insurer before an incident occurs.
Part 3: How to navigate cyber insurance claims
When should we notify the insurer?
Most cyber insurers have 24×7 hotlines for reporting cyber incidents. The steps involved should be clearly set out in your incident response plan. Upon notification, the insurer will direct you to its response panel providers. Each insurer has its own procedures, so it is essential that an organisation's incident response team understands, before an incident, what support is available to it under the policy.
What information should I have prepared for the insurer?
As with any cyber incident, as much detail as possible should be recorded. As soon as an organisation becomes aware of an incident, the incident response team should keep a log of activities and findings. The incident response panel provided under the cyber insurance policy will give clear guidelines on gathering and storing incident-related information.
What if an incident does not seem severe enough to contact the insurer?
One of the key issues with cyber incidents is that it is very difficult to ascertain the medium- and long-term impact while working on mitigation. It is also difficult to be completely sure that an issue is 100% resolved, especially in the case of hacking incidents where the attackers may still have access. A good practice is to send the insurer a summary report, say once a month, of any important incidents.
Cyber insurance is no longer a "nice to have" or a "box-tick". It is a critical component of an organisation's risk management capability for cyber risk. Purchasing a cyber insurance policy must include an understanding of the types of incidents that may occur and of what is expected of the insurer and its response panel when an incident occurs.