Cyber Insurance And Reassessing The Cyber Business

By Brian Greenberg and Cameron Laghaeian
Originally appeared on Forbes on 5/16/2022.

As incredible as it may seem, people have been getting insurance for thousands of years. The Code of Hammurabi, written in 1755 B.C., is the first known legal text to describe the concept of insurance. Today, people and companies alike purchase insurance to protect themselves from financial loss. It’s a way to manage the risk that we experience in everyday life, such as auto insurance for car accidents or health insurance for when we get sick. Companies purchase insurance to manage the risk of running a business, like protection in the event of a fire with commercial property insurance or a workplace accident with workers’ compensation insurance. We use insurance to hedge against the risk of significant loss. These days, companies have been buying cyber insurance policies, and drawing on them, far more often than anyone would like or would have imagined.

What Is Cyber Insurance?

Cyber insurance is a special kind of insurance that protects organizations from the costs of technology-based risks such as ransomware, hackers, data breaches, etc. These kinds of threats are usually not included in traditional insurance policies.

A cyber insurance policy should include coverage for hacking, theft, the destruction of data and denial-of-service attacks, as well as protection against losses caused to others, including public relations costs, security audits and investigative expenses. Cybersecurity insurance is in addition to all the other steps that a business should take to protect an organization’s digital assets. To qualify for cybersecurity insurance and control the insurance costs, organizations usually have to complete a checklist of their cyber defenses, not unlike having smoke detectors, sprinklers and fire alarms when applying for insurance in case of fire.

What Does It Cover?

Typically, insurance companies write policies based on well-defined situations, such as a flood or fire event or how a person should operate a motor vehicle. These familiar situations allow insurers to cover specific risks based on their likelihood, allowing them to write policies that have a relatively predictable exposure for payouts. Cybersecurity, on the other hand, has not been defined in any static, meaningful manner, as the technology landscape and the threats are constantly evolving.

With exposures such as zero-day vulnerabilities, organizations can’t eliminate the possibility of data loss or business disruption. Every organization should opt for cybersecurity insurance as a sound business practice, similar to fire insurance. The challenge is reading the policy’s language closely enough to understand what coverage it provides for the types of cybercrimes the organization may experience. There are four broad categories of potential losses due to cybersecurity breaches: business and operational disruption costs due to recovery activities, ransom demands, legal liabilities and lawsuits.

It is essential to have specific language to address the recovery expenses and the loss of income for ransomware events. An insurance policy may only cover the cost of the ransom, which could be minimal compared to business losses due to the operational disruptions and the effort to recover the systems.

Insurance Companies Refusing To Insure?

A well-crafted cyber insurance policy will clearly define each category of coverage, spell out the risk assessment and the controls and systems required for policy compliance, and list any potential exemptions. Several possible scenarios might cause an insurance company to refuse coverage in case of a cybersecurity event:

  • Failure To Maintain: One potentially confusing aspect of cyber insurance is defining what is necessary for the policy to be valid. For example, traditional fire policies specifically outline the equipment required and the procedures for testing and certifying fire prevention equipment and processes. However, cybersecurity is an ever-evolving domain. Because hackers keep introducing new, not-yet-seen attack vectors, it is difficult to define the minimum requirements necessary for prevention. Therefore, an insurer can invoke a blanket “failure to maintain” exclusion to deny coverage. Businesses face another challenge even where no system has actually been breached as a result of a “failure to maintain.” There have already been a few lawsuits filed against businesses whose clients discovered already published security vulnerabilities that the businesses had not remedied. Unless this type of event is explicitly covered, a typical cyber insurance policy will not cover any expenses related to such lawsuits.
  • Act Of War: Political conflicts may affect a business in several unexpected ways. An “act of war” can be interpreted in various ways, making space for another possible exemption clause resulting in a denial of coverage. Because this clause lacks a clear definition for cybersecurity, an insurer can claim a breach was an act of war if the hackers are related to state-sponsored activities. This reasoning can also be applied if the group demanding the ransom has suspected links to terrorism, making it illegal for insurance companies to make the actual payments. That would put them in violation of specific laws against funding terrorist organizations.

Cybersecurity insurance should be another item on every organization’s checklist, next to secure backups, especially as cybercriminals employ more sophisticated methods to access organizations’ digital assets. This way, organizations can ensure that if and when their business-critical systems and information are compromised, they have the proper safeguards in place to minimize the financial impact of any security breach.

About Brian Greenberg

Brian Greenberg is a technology and product leader, Forbes contributor, and member of the Forbes Technology Council. He lives in Chicago and has been working at companies of all sizes, from the Fortune 100 to startups, for over 30 years, including international experience as an expatriate in Japan and Europe. In addition to being part of the Adjunct Faculty in the College of Computing and Digital Media at DePaul University, Brian Greenberg is an award-winning CIO & CTO, considered a dynamic, entrepreneurial, and visionary leader, accomplished at strategic planning, process improvement, product development, and reengineering of key business processes. He has been highly successful in achieving financial results through strong customer loyalty and long-term relationships with suppliers and vendors, and in achieving business results through the strategic application of technology to business challenges. He readily pursues "stretch goals", is not afraid to take risks, and is grounded in a strong teamwork approach. He is regarded as a skilled communicator, team builder and negotiator who maximizes efficiencies and productivity by boosting employee morale and performance. Brian Greenberg has expertise in digital transformation, automation, turnaround management, security, data storage, and data protection. He is also a storyteller and an improvisor in Chicago’s comedy community.