Confident your insurance will cover the costs of a cyber attack? You may want to read this

Many organisations presume their insurance will cover losses should they suffer a cyber attack. Analysing the data in our repository shows that in reality it is a lot less certain.

Courtenay Brammar
Cyber Security: Beyond the headlines


Welcome to another edition of Cyber Security: Beyond the headlines. Each week we’ll be sharing a bite-sized piece of unique, proprietary insight from the data archive behind our high-quality, peer-reviewed, cyber security case studies.

Businesses take out insurance policies to protect themselves from the typical losses that arise from their day-to-day activities, for instance loss of or damage to property, or protection against legal claims.

In the case of a cyber attack, property is likely to have been damaged — IT infrastructure rendered inoperable, for instance — and as a consequence you could end up in court. So presumably these would all be covered under your insurance?

Well, looking at the data in our repository it’s far from guaranteed.

The issue seems to stem from the fact that although the cyber risk events are often similar, the causes and consequences can be vastly different.

For instance, take a situation like a ransomware attack, which has become so easy now that “even an 11 year old could do it”. An organisation without a solid incident response plan, in the midst of the organisational chaos caused by a ransomware attack, may not think to notify its insurer immediately. However, many policies require exactly that for ransom demands to be covered.

What about a situation where a member of staff accidentally clicks on a link in a phishing email? Surely, as a pure accident, this would be covered? Again, not necessarily. Moses Afonso Ryan, a Rhode Island law firm, suffered a ransomware attack that resulted in a reduction of over $700,000 in income over the course of the business disruption. The insurer only agreed to pay $20,000 towards these costs because the data was held rather than damaged.

Ameriforge Group Inc. fell victim to a CEO email scam in which the company’s Director of Accounting received an email with fraudulent payment transfer instructions and transferred the money to the attacker’s accounts. The insurer refused the claim, arguing that the company’s computer fraud coverage requires forgery of a financial instrument or direct hacking, and does not cover funds that are knowingly transferred by an employee.

The more we drilled into the data, the more of these situations we found: businesses had assumed they could recover costs under their existing policy and were alarmed to find that the insurer was able to make the case that they could not.

The really worrying thing here, of course, is that cyber risk is not confined to one sector or size of business; it affects every organisation that stores data. A small van rental firm that stores customer data for marketing purposes? At risk. An independent jewellery manufacturer with a customer database of high-profile clients? At risk.

Many, many organisations have yet to realise that without accurate cyber cover in their insurance policy, a cyber attack could be a business-ending event.

So, how do you ensure that you’re insured? (sorry!)

Well, here’s a high level summary of the approach we work through with clients:

Firstly, work on the basis that your existing insurance will not cover a cyber attack and consider acquiring specialist cyber risk cover. These policies are currently more popular in the US market than the EU, but we’re seeing an increasing number being offered by large European insurers.

Secondly, build a clear picture of what the right coverage is for your organisation, factoring in key items such as:

Organisational behaviours:

  • How is cyber risk measured and managed across the business?
  • How effectively have staff been trained on cyber threats?
  • How do staff conduct themselves with regard to the cyber threat? Do staff regularly share passwords? Is customer data shared in an unprotected manner (e.g. via spreadsheet files)?

IT department’s management of infrastructure:

  • Who manages the implementation of patches?
  • Who controls identity and access management?
  • What oversight of the IT team exists?

Overall risk profile of the organisation:

  • Are you operating in a high value target sector for cyber criminals?
  • Are you storing high value data?
  • What precautions already exist across the organisation to ensure continuity of operations?

Finally, as with other parts of cyber risk, don’t treat the final policy as a file-and-forget exercise. Your external threat environment continues to evolve and your company’s internal environment also changes, so continually review your policy and ensure that you still have the coverage you expect to have.

Found this interesting? Sign up to receive these insights every week directly in your inbox and check out our previous editions at Cyber Security: Beyond the headlines.
