What is cybersecurity insurance policy? What does it cover?

A cybersecurity insurance gives the financial protection from cybersecurity incidents. Consulting firms nowadays are acting as a risk assessor giving you ways to gauge your cybersecurity readiness along with recommendation on the security controls. Organisations which are smaller can seek the help of their cybersecurity insurance broker for a security risk assessment. Ransomware being the major reason why these new insurance policies have come into effect. Companies are forced to implement stronger computer security controls. Cybersecurity insurance started as a rider on other business insurance policies which covered third-party claims or damages that occurred to downstream people and organisations that ended up with loss due to insured victim. First party coverage directly covering the insured party because of hacking or intrusion did not appear until early 2000s.

Before early 2000s, cyber hacking was a very rare event. There were very few instances in which data breach would happen or a small scale hacking event would happen causing smaller financial losses. The hackers back then usually broke into a network, collect some information and would leave the network once done. Unlike today, the scenario is completely different. The intruders harvest their code and run profitable projects within a network for many years. This business and the profitability has made hacking a money making scheme for many bad actors. This has pushed the business into new heights and now as a result we are seeing more and more people delving into this idea of money making.

Multiple individuals and gangs have started operating out in the dark to generate huge amounts of cash in a simple hacking campaign. This has now led to a situation to force companies to follow certain frameworks and regulations to avoid huge penalty on them. A plethora of regulations (e.g., PCI-DSS, SOX, NERC, HIPAA, etc.) were developed to fight these events of cyber trauma. Cybersecurity insurance offerings started as a way to compensate businesses for losses related more to data theft than business interruption and recovery. Now cybersecurity criminals could directly make large sums of money from their victims. They didn’t have to steal information and resell it or buy something to make a profit. They could demand a ransom and get paid with far shorter payoff dates.

For a handful of years, the number of insurance firms offering cybersecurity insurance climbed year after year. At its peak, nearly 200 different insurance firms offered cybersecurity insurance that covered ransomware attacks. Cybersecurity insurance would (and usually does) cover paying the ransom, restoration costs, and business interruption costs—up to the limit of the coverage.

For the insured, cybersecurity insurance allows a (large) part of the financial risk to be “transferred” to another entity (the insurance company). This is known as risk transference. For many years, cybersecurity insurance was relatively low cost, as compared to other types of insurance covering the same amount of financial risk. There were a lot of different types of offerings, with a wide range of deductibles and coverages, for organizations to pick from. As recently as a few years ago, the insurance carriers that offered cybersecurity insurance were making a lot of profit. It was “easy money.” Insurance carriers would routinely make 60 percent or more of every dollar they charged for cybersecurity insurance. Ransomware and their ransoms were increasing, but they were still comparatively uncommon events. The average ransoms paid were only in the tens of thousands of dollars.

As years passed by the number of ransomware events grew exponentially and average ransoms paid grew even more, insurance carriers were still making 40 percent of every dollar in premiums paid. It was still good profit for the insurance companies that provided cybersecurity insurance. It was good for the insured. Insured organizations could get millions of dollars in coverage for a reasonably low cost. It was win-win for both sides, and many cybersecurity insurance firms didn’t work that hard to assess actual client cybersecurity risk. The profit they were making didn’t require lengthy cybersecurity risk assessments. It has all changed. The incredible profitability the cybersecurity insurance industry enjoyed has vanished in recent years— mostly due to ransomware. The number of ransomware attacks and amounts of ransoms paid have shaken the cybersecurity insurance market.

Due to this growth in ransomware cases many insurance companies were forced out of business. Those who are still left in business are either giving insurances which needs mandated risk assessment or offering very less coverage and still have higher premiums. If you ask me if this because of ransomware alone, I would not agree. There are other threats which have surfaced and have made huge profits like business email compromise, phishing threats. Many business rely on wire transfers and most of the confidential information are sent through email. Millions of companies have lost billions by transferring funds to the wrong bank account due to impostor emails. Most cyber insurance providers have now mandated certain policies like implementation of MFA, undergo routine patching, vulnerability and risk assessments.

Based on the cyber security posture of the organisation firms would be given the coverage. Some providers even give grace period of 90 days called a contingency or subjectivity to get the issue resolved, after getting the coverage. Today, that grace period is likely to be nonexistent. Organisations seeking insurance today, will likely have to be fully protected from day one. Many firms that offer cybersecurity insurance don’t cover ransomware events or, more often, offer significantly diminished coverage or what is known as co-insurance for an additional fee.

What’s Covered by Cybersecurity Insurance Policies?

It is important to understand that cybersecurity insurance covers more than just ransomware events. They cover identity theft, insider threats, and other types of cyber incidents too. Some insurance does not cover ransomware also. In a survey it is noted that only 64% of the companies had ransomware protection in their coverage. Some providers will give it as an add-on with additional premium. It is important for organisations to opt for ransomware coverage as it is the most frequently occurring cyber incident and with highest financial loss.

The following are some of the common covered costs:

• Recovery costs
• Ransom
• Business interruption cost
• Customer notification and protection
• Fines and legal investigations

- Recovery costs: The cost involved in the aftermath of a ransomware attack, to recover, rebuild the involved systems and put them back into operational regardless of the fact the ransom is paid or not. Recovery is the most expensive part. The cybersecurity insurance firm may have their own in-house incident responders and recovery specialists or outsource recovery to other firms that specialize in ransomware recovery. Both in-house and outsourced incident responders are usually quick to respond and good at what they do. Find out if you must use the insurance firm’s in-house or outsourced incident response and recovery specialists or if they are just recommendations.

- Ransom: Cybersecurity insurance providers do provide the cost of paying the ransom in a ransomware event. They usually hire skilled negotiators who often get the ransom negotiated into half the actual ask. There are thousands of well known negotiators who are offering this as a service to clients. They know the ransomware gangs, how they operate and the mode to contact them. In turn, ransomware gangs trust these specialised people in making deals rather than the victim. It is easy to pull off a deal with these negotiators as the bad actors know they would get their money for sure. During a ransom payment event, clients usually do not seek help of third parties. The decision is mostly made by them and they even payout without consulting their insurance providers. It is always better to have the policy checked before making a decision.

- Business interruption cost: Some insurance policies may or may not cover the loss of business interruption. Most organizations would not be back to 100 percent operational capacity similar to what they were doing before the attack for many months. Most cybersecurity insurance policies will cover only the lost revenues. If they do, the first-party coverage will cover the insured party’s lost revenue. Third-party coverage, if there is any, will cover loss revenue that downstream customers end up having because of the upstream victim’s ransomware event.

- Customer notification and protection: In some cases, victim's customers, vendors, even employees could be impacted. If any confidential information is stolen they have to be notified appropriately. For this coverage, they need to have identity protection and credit monitoring services to be purchased. Some providers do have reputation and brand consultants who fix their reputation issues during a ransomware event. Pretty much the collateral damage can be reduced.

- Fines and legal investigations: Cybersecurity incidents invite huge fines and regulatory fines or investigations. Most of the insurance providers will cover the fines and legal costs if the victim is did not commit any illegal actions. This will be thoroughly investigated by a team and if the involvement in illegal activity is proved on the victim, then the claim will be declined.

What’s NOT Covered by Cybersecurity Insurance Policies?

• Costs of any mitigations to prevent a ransomware attack in the first place
• Resources involved in obtaining cybersecurity insurance
• Personnel changes, adds/deletes/changes
• Productivity slowdowns due to new procedures and protections
• Interruptions to uninsured third parties
• Additional new defense preparations to mitigate the next attack

So now that we have understood about cybersecurity insurance, how it evolved, what is covered and what not. My recommendation to the enterprises would be to immediately look out various insurance policies which help your organisation to reduce the risk and financial burden. There shouldn't be a second thought on investing on a good policy. Always its better to shell out few extra budget on these premiums so that all critical attacks like ransomware is covered under the policy. Cybersecurity Insurance policy will become a mandatory compliance going forward as new rules and frameworks are rolled out and organisations will be forced to comply. The ransomware business is huge and scary, and it is not going to stop anytime soon. Lets wait and watch how the cyber insurance business evolves. I would be happy to hear your comments and feedback on this article, please feel free to share them via my twitter or linkedin profile.