Chris McDaniels

The Pitfalls of Cyber Insurance

Cyber insurance is 'promising' but it won't totally protect your company against hacks.

Imagine an insurance market plagued by eye-popping premiums and deductibles, skimpy coverage, a lack of standards that makes "apples-to-apples" comparisons of policies nearly impossible, and customers who are at a significant disadvantage because they don't fully understand their risks or how much coverage they need.

No, the above isn't a description of the individual health insurance market; it describes the enterprise cyber-insurance market.

What's in Your Policy?
Although the cyberthreat landscape grows more dangerous by the day, half of U.S. firms have no cyber insurance, 27% have no plans to buy coverage, and only 16% report having a policy that covers all of their risks, according to a FICO survey.

While it's true that some organizations refuse to buy cyber insurance out of the misguided notion that they don't "need" to worry about being hacked, this mindset isn't entirely at fault. Just as many individuals have found their "good" health insurance to be useless in the face of a catastrophic illness, many enterprises have been left high and dry by cyber-insurance policies that didn't fully protect them after a major cyber attack.

Ameriforge Group sued its cyber insurer, Chubb Group, when Chubb refused to cover the $480,000 in losses the manufacturer incurred due to a CEO email phishing scam. Chubb paid out on some of the losses P.F. Chang's suffered after a point-of-sale data breach but did not cover the $1.9 million Payment Card Industry Data Security Standard assessment the restaurant chain was slapped with. Sometimes, firms can inadvertently void their policies before an attack happens. Policies that include cyber-extortion clauses prohibit organizations from publicly disclosing that they have purchased this coverage – such as in a security operations center report or a press release.

Cyber Insurance Market “Promising” but Dysfunctional

A report by Deloitte released in February, "Demystifying Cyber Insurance Coverage," describes a market that is "promising" but "problematic" for both insurers and customers. Because cybersecurity is a relatively new field and the threat landscape changes daily, insurers don't have the historical data they need to build reliable predictive models. They fear a catastrophic accumulation of claims if a major attack were to hit multiple insured customers, as happened with WannaCry and NotPetya ransomware. Insurers also tend to offer policies focused on the protection of personally identifiable information (PII), even though many organizations don't handle PII or are more susceptible to ransomware, cyber extortion, or other attacks that don't involve PII.


Customers, meanwhile, may not have a complete grasp of their organizations' vulnerabilities or of the threat landscape in general. This results in firms buying "skinny" (but still very expensive) policies that offer scant protection or exclude the threats they're most vulnerable to. Other organizations mistakenly believe that their general business liability or business interruption policies cover cyber attacks.

Cyber Insurance Isn't a Replacement for Cybersecurity
Cyber insurance may promote a moral hazard, where companies feel they don't have to invest in cybersecurity because “the insurance will cover it” if they get hacked. Yet, even the most robust policy will not cover all of a business's losses after an attack. It may not cover regulatory fines, as in P.F. Chang's case, and it won't cover all of the losses incurred if a business has to scale back operations or even temporarily shut down in the wake of an attack. Cyber policies also generally don't cover ransomware attacks that can be traced back to malicious insiders, such as rogue employees or disgruntled third-party vendors.

Other organizational challenges include the need to have a thorough knowledge of the corporate data environment, vulnerabilities, and risks, as well as the overall threat environment, which changes daily. Furthermore, there's a lack of standardization in the insurance market, which makes comparing policies difficult.

Cyber-insurance policies also don't eliminate the need for organizations to take proactive steps to secure their systems. In fact, insured customers are required to do so or their policies will be voided. So, regardless of whether an organization purchases a policy or not, it will still need to do the following:

• Keep all software and operating systems updated (remember, WannaCry and NotPetya both attacked older versions of Windows)

• Run robust, up-to-date antivirus software

• Maintain compliance with industry and regulatory standards like HIPAA and PCI-DSS

• Continually monitor networks for suspicious activity, 24 hours a day, 365 days a year

• Have in-house and/or remote security staff on hand at all times to respond to anomalies and attacks

• Have a comprehensive, written cybersecurity policy that is regularly reviewed and updated

• Train all employees on cybersecurity best practices, such as how to spot phishing emails

• Control physical access to sensitive areas on its premises, such as server rooms

• Utilize other controls, such as firewalls, network segmentation, and encryption as appropriate

• Perform regular backups so that systems can be restored in the event of a ransomware attack, or even a natural disaster like a fire or flood


Chris McDaniels is Chief Information Security Officer of Mosaic451, a cybersecurity service provider and consultancy with expertise in building, operating, and defending some of the most highly secure networks in North America. McDaniels is a US Air Force veteran with over 14 ...
Joe Stanganelli,
User Rank: Ninja
8/25/2017 | 7:34:10 PM
Re: Insurance?
@REISEN: Doctors and lawyers -- even the very best -- typically have malpractice insurance as a matter of course. And most companies have some form of umbrella policy at the very least as a matter of course. Drivers have auto insurance as a matter of course (sometimes as a matter of law, albeit). It's a bit hard for me to agree that cyberinsurance is for cowards just because it goes to things you should be doing anyway.

Bad things happen. That's what insurance is for.
Joe Stanganelli,
User Rank: Ninja
8/25/2017 | 7:31:12 PM
Re: Insurance?
@REISEN: To be fair, most if not all of this is exactly what cyberinsurance carriers do. Granted, however, the standards/procedures are way different between small businesses (who typically just have to fill out a form) and large enterprises (which have to undergo actual audits).
User Rank: Strategist
8/25/2017 | 8:45:28 AM
Re: Insurance?
While the article is better than most when it comes to the topic, the information is still not entirely accurate. There are carriers that are guilty of providing "skinny" coverage forms; however, the same can be said for many E&O carriers just trying to get some quick premium. To generalize the entire marketplace based on a couple of cases where coverage was not provided is misguided. In the case of P.F. Chang's, the policy did not include coverage for PCI fines & penalties because the agent/broker that placed the business did not include the coverage when they offered terms from Chubb. The reference to the Ameriforge case is even worse because the claim involves a crime insurance policy, not a cyber insurance policy! These types of errors fall mostly on the part of the agent & broker that helped place the business for not obtaining or presenting the right coverage to the purchaser of the policy.

From a policy perspective, a comprehensive stand-alone cyber insurance policy will include coverage for the breach of PII/PHI, Cyber Extortion (including ransomware & other extortion events), business interruption & lost income from an event, and lost revenues as a result of your vendor suffering an attack impacting your business, all with a minimum premium of $1,000 for a 1M limit. The rating basis for premiums is a combination of the revenues, operations/industry and (if available) the number of records being stored. For example, a 100M manufacturer is going to be seen as a lower risk than a 10M healthcare practice because of the nature of information and regulatory environment on the healthcare side.

The fact of the matter is that these policies should not be seen only as an insurance policy. A good policy should be used as a service to make your company a better risk. Coverage with the right insurance carrier can include risk management in the form of portals & webinars, with others going so far as to offer proactive risk management in the form of consulting, active monitoring, table tops, and pentesting as a part of the policy. No matter how good an IT department can be, there is no way to solve the problem of IT & Cyber security, especially when it comes to the human element, but the problem and risk can be managed. Similar to having a general liability or E&O policy, a cyber insurance policy should be seen as a way to round out a company's risk management.
User Rank: Ninja
8/23/2017 | 11:07:58 AM
Re: Insurance?
True - have no idea what current rates are though. This is a relatively new fad and I think written for cowards in the IT staffing department - when management has zero faith in what they are doing! How many employers take out insurance, in general, to protect employees from failing to do their jobs????
User Rank: Apprentice
8/21/2017 | 4:09:00 PM
Re: Insurance?
Insurance premiums would undoubtedly be higher than current rates if underwriters evaluated companies as you're recommending.
User Rank: Ninja
8/21/2017 | 12:43:23 PM
If I was an underwriter evaluating a business for coverage, I would first want to closely examine in detail CURRENT backup plans and disaster continuity plans to ensure that basic, good protocols are being followed. I would want to know if the network is buttoned up tight - that the servers are secure and that other protocols, such as HIPAA, are being observed. I would want to see user education plans too. Only IF the house is locked, tight and solid would I ever CONSIDER writing a policy, and that would also be up for review every 3 months. Knowing standards as they are today, I would probably be writing very FEW policies.