Chris McDaniels

The Pitfalls of Cyber Insurance

Cyber insurance is 'promising' but it won't totally protect your company against hacks.

Imagine an insurance market plagued by eye-popping premiums and deductibles, skimpy coverage, a lack of standards that makes "apples-to-apples" comparisons of policies nearly impossible, and customers who are at a significant disadvantage because they don't fully understand their risks or how much coverage they need.

No, the above isn't a description of the individual health insurance market; it describes the enterprise cyber-insurance market.

What's in Your Policy?
Although the cyberthreat landscape grows more dangerous by the day, half of U.S. firms have no cyber insurance, 27% have no plans to buy coverage, and only 16% report having a policy that covers all of their risks, according to a FICO survey.

While it's true that some organizations refuse to buy cyber insurance out of the misguided notion that they don't "need" to worry about being hacked, this mindset isn't entirely at fault. Just as many individuals have found their "good" health insurance to be useless in the face of a catastrophic illness, many enterprises have been left high and dry by cyber-insurance policies that didn't fully protect them after a major cyber attack.

Ameriforge Group sued its cyber insurer, Chubb Group, when Chubb refused to cover the $480,000 in losses the manufacturer incurred due to a CEO email phishing scam. Chubb paid out on some of the losses P.F. Chang's suffered after a point-of-sale data breach but did not cover the $1.9 million Payment Card Industry Data Security Standard assessment the restaurant chain was slapped with. Sometimes, firms can inadvertently void their policies before an attack happens. Policies that include cyber-extortion clauses prohibit organizations from publicly disclosing that they have purchased this coverage – such as in a security operations center report or a press release.

Cyber Insurance Market “Promising” but Dysfunctional

A report by Deloitte released in February, "Demystifying Cyber Insurance Coverage," describes a market that is "promising" but "problematic" for both insurers and customers. Because cybersecurity is a relatively new field and the threat landscape changes daily, insurers don't have the historical data they need to build reliable predictive models. They fear a catastrophic accumulation of claims if a major attack were to hit multiple insured customers, as happened with WannaCry and NotPetya ransomware. Insurers also tend to offer policies focused on the protection of personally identifiable information (PII), even though many organizations don't handle PII or are more susceptible to ransomware, cyber extortion, or other attacks that don't involve PII.

Customers, meanwhile, may not have a complete grasp of their organizations' vulnerabilities or of the threat landscape in general. This results in firms buying "skinny" (but still very expensive) policies that offer scant protection or exclude the threats they're most vulnerable to. Other organizations mistakenly believe that their general business liability or business interruption policies cover cyber attacks.

Cyber Insurance Isn't a Replacement for Cybersecurity
Cyber insurance may promote a moral hazard, where companies feel they don't have to invest in cybersecurity because “the insurance will cover it” if they get hacked. Yet, even the most robust policy will not cover all of a business's losses after an attack. It may not cover regulatory fines, as in P.F. Chang's case, and it won't cover all of the losses incurred if a business has to scale back operations or even temporarily shut down in the wake of an attack. Cyber policies also generally don't cover ransomware attacks that can be traced back to malicious insiders, such as rogue employees or disgruntled third-party vendors.

Other organizational challenges include the need to have a thorough knowledge of the corporate data environment, vulnerabilities, and risks, as well as the overall threat environment, which changes daily. Furthermore, there's a lack of standardization in the insurance market, which makes comparing policies difficult.

Cyber-insurance policies also don't eliminate the need for organizations to take proactive steps to secure their systems. In fact, insured customers are required to do so or their policies will be voided. So, regardless of whether an organization purchases a policy or not, it will still need to do the following:

• Keep all software and operating systems updated (remember, WannaCry and NotPetya both attacked older versions of Windows)

• Run robust, up-to-date antivirus software

• Maintain compliance with industry and regulatory standards like HIPAA and PCI-DSS

• Continually monitor networks for suspicious activity, 24 hours a day, 365 days a year

• Have in-house and/or remote security staff on hand at all times to respond to anomalies and attacks

• Have a comprehensive, written cybersecurity policy that is regularly reviewed and updated

• Train all employees on cybersecurity best practices, such as how to spot phishing emails

• Control physical access to sensitive areas on its premises, such as server rooms

• Utilize other controls, such as firewalls, network segmentation, and encryption as appropriate

• Perform regular backups so that systems can be restored in the event of a ransomware attack, or even a natural disaster like a fire or flood

Chris McDaniels is Chief Information Security Officer of Mosaic451, a cybersecurity service provider and consultancy with expertise in building, operating, and defending some of the most highly secure networks in North America. McDaniels is a US Air Force veteran with over 14 ...

User Rank: Ninja
8/21/2017 | 12:43:23 PM
If I was an underwriter evaluating a business for coverage, I would first want to closely examine in detail CURRENT backup plans and disaster continuity plans to ensure that basic, good protocols are being followed. I would want to know if the network is buttoned up tight - that the servers are secure and that other protocols, such as HIPAA, are being observed. I would want to see user education plans too. Only IF the house is locked, tight and solid would I ever CONSIDER writing a policy and that would also be up for review every 3 months. Knowing standards as they are today, I would probably be writing very FEW policies.
User Rank: Apprentice
8/21/2017 | 4:09:00 PM
Re: Insurance?
Insurance premiums would undoubtedly be higher than current rates if underwriters evaluated companies as you're recommending.
User Rank: Ninja
8/23/2017 | 11:07:58 AM
Re: Insurance?
True - have no idea what current rates are though. This is a relatively new fad and I think written for cowards in the IT staffing department - when management has zero faith in what they are doing! How many employers take out insurance, in general, to protect employees from failing to do their jobs????
Joe Stanganelli
User Rank: Ninja
8/25/2017 | 7:34:10 PM
Re: Insurance?
@REISEN: Doctors and lawyers -- even the very best -- typically have malpractice insurance as a matter of course. And most companies have some form of umbrella policy at the very least as a matter of course. Drivers have auto insurance as a matter of course (sometimes as a matter of law, albeit). It's a bit hard for me to agree that cyberinsurance is for cowards just because it goes to things you should be doing anyway.

Bad things happen. That's what insurance is for.
User Rank: Moderator
8/25/2017 | 8:45:28 AM
Re: Insurance?
While the article is better than most when it comes to the topic, the information is still not entirely accurate. There are carriers that are guilty of providing "skinny" coverage forms; however, the same can be said for many E&O carriers just trying to get some quick premium. To generalize the entire marketplace based on a couple of cases where coverage was not provided is misguided. In the case of P.F. Chang's, the policy did not include coverage for PCI fines & penalties because the agent/broker that placed the business did not include the coverage when they offered terms from Chubb. The reference to the Ameriforge case is even worse because the claim involves a crime insurance policy, not a cyber insurance policy! These types of errors fall mostly on the part of the agent & broker that helped place the business for not obtaining or presenting the right coverage to the purchaser of the policy.

From a policy perspective, a comprehensive stand-alone cyber insurance policy will include coverage for the breach of PII/PHI, Cyber Extortion (including ransomware & other extortion events), business interruption & lost income from an event, and lost revenues as a result of your vendor suffering an attack impacting your business all with a minimum premium of $1,000 for a 1M limit.  The rating basis for premiums is a combination of the revenues, operations/industry and (if available) the number of records being stored.  For example, a 100M manufacturer is going to be seen as a lower risk than a 10M healthcare practice because of the nature of information and regulatory environment on the healthcare side.

The fact of the matter is that these policies should not be seen only as an insurance policy.  A good policy should be used as a service to make your company a better risk.  Coverage with the right insurance carrier can include risk management in the form of portals & webinars with others going so far as to offer proactive risk management in the form of consulting, active monitoring, table tops, and pentesting as a part of the policy.  No matter how good an IT department can be there is no way to solve the problem of IT & Cyber security, especially when it comes to the human element, but the problem and risk can be managed.  Similar to having a general liability or E&O policy, a cyber insurance policy should be seen as a way to round out a company's risk management.
Joe Stanganelli
User Rank: Ninja
8/25/2017 | 7:31:12 PM
Re: Insurance?
@REISEN: To be fair, most if not all of this is exactly what cyberinsurance carriers do. Granted, however, the standards/procedures are way different between small businesses (who typically just have to fill out a form) and large enterprises (which have to undergo actual audits).