10:00 AM
Chris McDaniels

The Pitfalls of Cyber Insurance

Cyber insurance is 'promising' but it won't totally protect your company against hacks.

Imagine an insurance market plagued by eye-popping premiums and deductibles, skimpy coverage, a lack of standards that makes "apples-to-apples" comparisons of policies nearly impossible, and customers who are at a significant disadvantage because they don't fully understand their risks or how much coverage they need.

No, the above isn't a description of the individual health insurance market; it describes the enterprise cyber-insurance market.

What's in Your Policy?
Although the cyberthreat landscape grows more dangerous by the day, half of U.S. firms have no cyber insurance, 27% have no plans to buy coverage, and only 16% report having a policy that covers all of their risks, according to a FICO survey.

While it's true that some organizations refuse to buy cyber insurance out of the misguided notion that they don't "need" to worry about being hacked, this mindset isn't entirely at fault. Just as many individuals have found their "good" health insurance to be useless in the face of a catastrophic illness, many enterprises have been left high and dry by cyber-insurance policies that didn't fully protect them after a major cyber attack.

Ameriforge Group sued its cyber insurer, Chubb Group, when Chubb refused to cover the $480,000 in losses the manufacturer incurred due to a CEO email phishing scam. Chubb paid out on some of the losses P.F. Chang's suffered after a point-of-sale data breach but did not cover the $1.9 million Payment Card Industry Data Security Standard assessment the restaurant chain was slapped with. Sometimes, firms can inadvertently void their policies before an attack happens. Policies that include cyber-extortion clauses prohibit organizations from publicly disclosing that they have purchased this coverage – such as in a security operations center report or a press release.

Cyber Insurance Market “Promising” but Dysfunctional

A report by Deloitte released in February, "Demystifying Cyber Insurance Coverage," describes a market that is "promising" but "problematic" for both insurers and customers. Because cybersecurity is a relatively new field and the threat landscape changes daily, insurers don't have the historical data they need to build reliable predictive models. They fear a catastrophic accumulation of claims if a major attack were to hit multiple insured customers, as happened with WannaCry and NotPetya ransomware. Insurers also tend to offer policies focused on the protection of personally identifiable information (PII), even though many organizations don't handle PII or are more susceptible to ransomware, cyber extortion, or other attacks that don't involve PII.


Customers, meanwhile, may not have a complete grasp of their organizations' vulnerabilities or of the threat landscape in general. This results in firms buying "skinny" (but still very expensive) policies that offer scant protection or exclude the threats they're most vulnerable to. Other organizations mistakenly believe that their general business liability or business interruption policies cover cyber attacks.

Cyber Insurance Isn't a Replacement for Cybersecurity
Cyber insurance may promote a moral hazard, where companies feel they don't have to invest in cybersecurity because “the insurance will cover it” if they get hacked. Yet, even the most robust policy will not cover all of a business's losses after an attack. It may not cover regulatory fines, as in P.F. Chang's case, and it won't cover all of the losses incurred if a business has to scale back operations or even temporarily shut down in the wake of an attack. Cyber policies also generally don't cover ransomware attacks that can be traced back to malicious insiders, such as rogue employees or disgruntled third-party vendors.

Other organizational challenges include the need to have a thorough knowledge of the corporate data environment, vulnerabilities, and risks, as well as the overall threat environment, which changes daily. Furthermore, there's a lack of standardization in the insurance market, which makes comparing policies difficult.

Cyber-insurance policies also don't eliminate the need for organizations to take proactive steps to secure their systems. In fact, insured customers are required to do so or their policies will be voided. So, regardless of whether an organization purchases a policy or not, it will still need to do the following:

• Keep all software and operating systems updated (remember, WannaCry and NotPetya both attacked older versions of Windows)

• Run robust, up-to-date antivirus software

• Maintain compliance with industry and regulatory standards like HIPAA and PCI-DSS

• Continually monitor networks for suspicious activity, 24 hours a day, 365 days a year

• Have in-house and/or remote security staff on hand at all times to respond to anomalies and attacks

• Have a comprehensive, written cybersecurity policy that is regularly reviewed and updated

• Train all employees on cybersecurity best practices, such as how to spot phishing emails

• Control physical access to sensitive areas on its premises, such as server rooms

• Utilize other controls, such as firewalls, network segmentation, and encryption as appropriate

• Perform regular backups so that systems can be restored in the event of a ransomware attack, or even a natural disaster like a fire or flood


Chris McDaniels is Chief Information Security Officer of Mosaic451, a cybersecurity service provider and consultancy with expertise in building, operating, and defending some of the most highly secure networks in North America. McDaniels is a US Air Force veteran with over 14 ...

Joe Stanganelli
User Rank: Ninja
8/25/2017 | 7:34:10 PM
Re: Insurance?
@REISEN: Doctors and lawyers -- even the very best -- typically have malpractice insurance as a matter of course. And most companies have some form of umbrella policy at the very least as a matter of course. Drivers have auto insurance as a matter of course (sometimes as a matter of law, albeit). It's a bit hard for me to agree that cyberinsurance is for cowards just because it goes to things you should be doing anyway.

Bad things happen. That's what insurance is for.
Joe Stanganelli
User Rank: Ninja
8/25/2017 | 7:31:12 PM
Re: Insurance?
@REISEN: To be fair, most if not all of this is exactly what cyberinsurance carriers do. Granted, however, the standards/procedures are way different between small businesses (who typically just have to fill out a form) and large enterprises (which have to undergo actual audits).
User Rank: Strategist
8/25/2017 | 8:45:28 AM
Re: Insurance?
While the article is better than most when it comes to the topic, the information is still not entirely accurate. There are carriers that are guilty of providing "skinny" coverage forms; however, the same can be said for many E&O carriers just trying to get some quick premium. To generalize the entire marketplace based on a couple of cases where coverage was not provided is misguided. In the case of P.F. Chang's, the policy did not include coverage for PCI fines & penalties because the agent/broker that placed the business did not include the coverage when they offered terms from Chubb. The reference to the Ameriforge case is even worse because the claim involves a crime insurance policy, not a cyber insurance policy! These types of errors fall mostly on the part of the agent & broker that helped place the business for not obtaining or presenting the right coverage to the purchaser of the policy.

From a policy perspective, a comprehensive stand-alone cyber insurance policy will include coverage for the breach of PII/PHI, Cyber Extortion (including ransomware & other extortion events), business interruption & lost income from an event, and lost revenues as a result of your vendor suffering an attack impacting your business, all with a minimum premium of $1,000 for a 1M limit. The rating basis for premiums is a combination of the revenues, operations/industry and (if available) the number of records being stored. For example, a 100M manufacturer is going to be seen as a lower risk than a 10M healthcare practice because of the nature of information and regulatory environment on the healthcare side.

The fact of the matter is that these policies should not be seen only as an insurance policy. A good policy should be used as a service to make your company a better risk. Coverage with the right insurance carrier can include risk management in the form of portals & webinars, with others going so far as to offer proactive risk management in the form of consulting, active monitoring, table tops, and pentesting as a part of the policy. No matter how good an IT department can be, there is no way to solve the problem of IT & Cyber security, especially when it comes to the human element, but the problem and risk can be managed. Similar to having a general liability or E&O policy, a cyber insurance policy should be seen as a way to round out a company's risk management.
User Rank: Ninja
8/23/2017 | 11:07:58 AM
Re: Insurance?
True - have no idea what current rates are though. This is a relatively new fad and I think written for cowards in the IT staffing department - when management has zero faith in what they are doing! How many employers take out insurance, in general, to protect employees from failing to do their jobs????
User Rank: Apprentice
8/21/2017 | 4:09:00 PM
Re: Insurance?
Insurance premiums would undoubtedly be higher than current rates if underwriters evaluated companies as you're recommending.
User Rank: Ninja
8/21/2017 | 12:43:23 PM
If I was an under-writer evaluating a business for coverage, I would first want to closely examine in detail CURRENT backup plans and disaster continuity plans to ensure that basic, good protocols are being followed. I would want to know if the network is buttoned up tight - that the servers are secure and that other protocols, such as HIPAA, are being observed. I would want to see user education plans too. Only IF the house is locked, tight and solid would I ever CONSIDER writing a policy, and that would also be up for review every 3 months. Knowing standards as they are today, I would probably be writing very FEW policies.