Skip to main content

We are not paying…The cyber insurance conundrum

(Image credit: Image source: Shutterstock/MaximP)

As the Wannacry ransomware attack – where 230,000 computers worldwide were attacked causing absolute chaos – taught us, cyberattacks come at an exorbitant cost for any targeted organisation, and their implications go way beyond a simple interruption of service. Enterprises that fall victim to cyberattacks face devastating consequences that, aside from the physical/digital harm, include economic and reputational damage. As a response, more and more companies across every sector have taken measures to protect digital assets from attacks of this kind and purchased a cyber insurance policy.

While the first cyber insurance policies came into play in the early 1990s during the ‘boom’, the biggest threat to businesses was system downtime and unexpected interruptions that cost companies to lose trade and possible profit. Nowadays, the number threats to business have rapidly increased in number and severity.

Choosing the right cyber insurance

Cyber insurance falls into three broad categories, and depending on the type of business and its associated risks, organisations can opt for one or more of the following:

  • Cyber Security Insurance: This coverage provides coverage for first party damage to the insurer. It does not cover damage done to third parties. Cyber security insurance deals with the immediate response costs associated with a data breach, such as digital forensics, public relations, and communications (such as notifying affected individuals whose data has been compromised).
  • Cyber Liability Insurance: Also called Information Security and Privacy Insurance, these policies cover the policy holder’s liability for damages resulting from a data breach. It does not cover expenses that deal with the immediate response cost. This type of insurance protects businesses which sell products and services directly on the internet, or that collect data on their internal network.
  • Technology Errors and Omissions: This protects businesses who provide or sell technology services and products. It generally covers costs of defending against a negligence claims made by a client, and damages awarded.

When choosing the right cyber insurance policy, there are some important factors that organisations should consider. The first consideration is their responsibility of making reasonable efforts to maintain the security of the company’s network. When an organisation makes a claim against their cyber policy, the provider requires them to answer questions regarding the steps it had taken to protect data and infrastructure. If the insurer deems the measures inappropriate, it can refuse to pay.

Much like insurers wouldn’t cover the eventuality of a theft caused by the owner parking their car in a street leaving the keys in the ignition, or pay-out to someone who forgets to lock doors and windows, cyber insurers often refuse to pay-out to policy holders that don’t demonstrate ‘reasonable care’ of their network’s security. In fact, providers have a specific exclusion for negligence written in their policy language, but the majority would cite a “failure to maintain” or a “failure to follow” as the ground for a rejected claim.

To avoid this eventuality, companies are expected to monitor their security standpoint on a regular basis.

Monitoring your security

Although many cyber security policies require regular monitoring, a large number of organisations don’t regularly screen the security of their systems. In fact, the 2019 edgescan Vulnerability Statistics Report found that 3,000 networks in Europe and North America still have an unpatched vulnerability that was first discovered in 1999. Although 3,000 enterprises may seem like a small number in the grand scheme of things, the presence of a 20-year-old vulnerability depicts a serious oversight from a cybersecurity standpoint, one that could cost those organisations greatly and a non-pay-out that could cripple their business.

Even more worryingly, most of the vulnerabilities discovered on non-public internet facing systems were at least five years old, with 25 per cent being known since 2005. Public internet facing systems did a little better with 20 per cent of the vulnerabilities first being detected in 2015, but three years is still a long time to leave a backdoor unlocked.

Many businesses approach security practices under the erroneous assumption that internal-systems security is less important than security of external-facing systems. In fact, once inside a network, weaponised malware (e.g. Wannacry, NotPetya, EternalBlue) can wreak havoc, destroy data and render systems inoperable. Should an enterprise fall victim to one of these attacks, the failure to patch even non-internet-facing systems may result in the denial of their insurance claim.

Remarkably, more than 7.5 per cent of all the high risk and critical risk vulnerabilities discovered in 2018 could have been entry points for NotPetya CVE’s (CVE2017-0144, CVE-2017-0145), Windows SMB Remote Execution Code Vulnerability.

To further complicate the matter, when an organisation outsources data processing to a third party, the risks associated with a breach to the contractor are usually still a concern of the organisation itself. Insurance providers can refuse a claim if the third-party provider is breached, even though the reputational and financial damages affect the insured directly.

So, how can enterprises make sure they are fully covered in the event of an attack?

The six principles

There are six principles of cybersecurity that organisations should follow to avoid a ‘failure to maintain’ claim denial: 

  • Regular scanning of hardware and software within the computer network for potential risks, and appropriate updating of security settings and access controls. Periodic/continuous vulnerability assessment to identify exposed entry points, patching shortfalls and needlessly exposed services
  • Regular evaluation of incident response plan
  • Encryption and protection of information at rest, secure storage of passwords and protection of information in transit
  • Maintenance of reasonable policies and procedures for all information practices regarding data retention, internal audits, security incident tracking reports and vulnerability assessments
  • Vetting of third-party service providers to ensure that their cybersecurity standpoint is up to standard
  • Regular training of the workforce on cybersecurity best practice

Of those listed above, the best piece of advice is to constantly monitor their security standpoint. Given the frequency of new vulnerabilities being discovered and speed at which threats evolve, a continuous approach to security and vulnerability assessment provides up-to-date situational awareness and visibility and ensures that enterprises keep pace with change. The ability to demonstrate to insurers, compliance, and regulatory bodies that you are maintaining and following leading cyber security practices is invaluable from a liability and reputational perspective.

Eoin Keary, CEO and co-founder, edgescan
Image source: Shutterstock/MaximP

Eoin Keary, CEO and co-founder of edgescan.