How cyber insurance enhances risk management in today’s digital age

Explore the evolving role of cyber insurance in risk management, covering essential protections, premium influences and recent trends.

In brief:

  • Cyber insurance is becoming essential for organizations, aligning coverage with risk management strategies to address unique business priorities.
  • Understanding cyber insurance is crucial for CISOs as a robust security framework can lead to significant savings and safeguard against personal liability.

Special thanks to Abhijit Das, Brandon Bapst and John Bates for contributions to this content.

1. Introduction

In today’s rapidly evolving landscape of cybersecurity, cyber insurance is emerging as a strategic tool within an organization’s broader risk management strategy. Rather than simply accepting off-the-shelf coverage, businesses are increasingly taking a more deliberate approach to align cyber insurance decisions with their overall risk posture and defined thresholds for loss. As organizations digitally transform and cyber threats continue to intensify, this shift enables businesses to balance mitigation, transfer and acceptance of risk in a way that reflects their unique business priorities. In this article, we explore the foundational concepts of cyber insurance and the role insurance plays in managing financial exposure and enabling informed business-driven risk decisions.

2. What is cyber insurance?

Cyber insurance provides financial protection and support services against online risks and IT threats, covering direct costs from cyber events, third-party claims and assisting with regulatory compliance. It helps mitigate the financial impact of incidents such as data breaches, ransomware and business interruptions. Essential coverage includes the following:

First-party coverage:

  • Data breach response: expenses for breach management, such as notifications and public relations
  • Business interruption: lost income from disrupted operations after a cyber attack
  • Data recovery: costs to restore or replace lost or corrupted data
  • Extortion: payments for ransomware or cyber extortion
  • Network damage: repair or replacement of damaged hardware or software

Third-party coverage:

  • Privacy liability: lawsuit protection for exposing sensitive third-party data
  • Regulatory fines: penalties for data protection failures or noncompliance
  • Media liability: issues from electronic content, like intellectual property (IP) infringement or defamation

3. What is directors and officers (D&O) insurance?

  • Purpose and coverage – protects corporate leaders and board members from lawsuits related to negligence, mismanagement and breaches of fiduciary duties
  • Coverage for – executives, board members and officers of corporations or nonprofits
  • Claims examples – a board or individual members named by a shareholder or derivative suit for a decision that negatively affected the company’s stock value
  • Reason to purchase – attract and retain qualified senior leaders by safeguarding their personal assets from potential lawsuits

4. What is errors and omissions (E&O) insurance?

  • Purpose and coverage – protects professionals (e.g., lawyers, doctors, accountants) against claims of negligence, breach of contract, fraud and misrepresentation, and professional malpractice
  • Coverage for – anyone providing professional services, from real estate agents and financial consultants to IT professionals and architects
  • Claims examples – a software company negligently releases a corrupted software update, causing system outages that result in lost sales and lawsuits from its customers
  • Reason to purchase – keep the business from shouldering steep financial costs of handling a claim and paying legal fees (and possibly a settlement) due to professional negligence

5. How does cyber insurance relate to D&O and E&O policies?

Cyber insurance can be an important consideration for both D&O and E&O insurance because it can fill in coverage gaps and provide specialized protection against the financial and reputational impacts of cyber incidents. Businesses should work with their insurance brokers or legal advisors to assess their coverage needs and make sure that they have reasonable protection across all relevant areas of risk. As an example, a cyber incident could lead to a lawsuit against directors and officers for failing to implement adequate cybersecurity measures, potentially triggering both cyber insurance and D&O insurance. Similarly, a cyber incident resulting from a professional service error could involve both cyber insurance and E&O insurance.

6. Would cyber insurance cover business interruption due to a cybersecurity breach?

Each policy has its own exclusions and sublimits, but business interruption resulting from a cyber attack could be covered within a cyber insurance policy. There are also insurance policies that focus exclusively on business interruption, and those could cover a cyber event unless it is explicitly excluded.

7. What are some considerations that may influence cyber insurance premiums?

The insurance industry has seen a significant shift in underwriting, moving from simple questionnaires to detailed documents of 30-plus pages and on-site audits. Cyber insurance is increasingly moving toward data-driven decisions, which enable better negotiation of premiums and policy terms: quantifying risk facilitates transparent discussions between insurers and organizations about coverage and risk transfer. This shift stems from the need to assess complex risks more accurately and to provide customized insurance offerings as policies adapt to the growing complexity of cyber threats. Initially, underwriters used a limited number of questions to determine risk and premiums. As cyber breaches increased and the resulting claims grew, the need for in-depth information led to more detailed and objective evaluations covering a range of risk factors. On-site evaluations and data-driven approaches give underwriters a more direct view of business operations and an opportunity to advise on risk management. This thorough approach to underwriting allows for more precise risk assessment, accurate premiums, appropriate coverage limits and improved sustainability in the insurance sector. Here are some considerations that may influence cyber insurance premiums:

  1. Patch systems regularly – Regularly patching your systems can lead to lower cyber insurance premiums because it demonstrates proactive management of security vulnerabilities.
  2. Strengthen identity and access management (IAM) systems and processes – Implementing privileged access management (PAM) and multifactor authentication (MFA) practices and conducting regular access review campaigns can positively affect premiums by making sure only necessary personnel have access to critical systems. In addition, protecting your Active Directory can lead to lower insurance costs because it is a critical component in preventing a widespread network compromise.
  3. Use encryption – Using encryption protects sensitive data, potentially decreasing cyber insurance costs by lowering the risk of data breaches.
  4. Create redundant and reliable backups – Creating redundant and reliable backups may influence insurers to offer lower premiums due to the reduced impact of data loss incidents.
  5. Implement network segmentation (secure remote desktop protocol (RDP) and virtual private network (VPN) access; separate operational technology and information technology (OT/IT) networks) – Implementing network segmentation, including secured RDP and VPN access and OT/IT separation, can reduce premiums by limiting the spread of breaches within networks.
  6. Conduct regular penetration testing – Regular penetration testing can lead to reduced cyber insurance premiums by identifying and allowing for the remediation of security weaknesses.
  7. Establish an incident response plan – Establishing a written incident response plan can influence insurers to lower premiums because it shows preparedness to effectively handle security incidents.
  8. Implement vendor and supply chain risk management – Implementing vendor and supply chain risk management can result in lower premiums by mitigating the risks associated with third-party service providers.
  9. Provide cyber training and education – Cyber training and education for employees can reduce the likelihood of user-related security incidents, potentially lowering insurance premiums.
  10. Conduct background checks – Conducting recurring background checks helps in minimizing insider threats, which can be a factor in negotiating lower cyber insurance premiums.

8. What are the common exclusions in cyber insurance?

  • Patent, software and copyright – Cyber insurance policies often exclude patent-, software- and copyright-related scenarios. However, an IP insurance policy can cover patents, software and copyrights.
  • Cyber warfare – Business losses stemming from cyber warfare and attacks potentially tied to specific countries or governments are often excluded from coverage because the risks are immense and exceed the capabilities of individual insurers.
  • Critical national infrastructure – Losses resulting from disruptions or breakdowns in essential national infrastructure, including power, gas, water, satellite or telecommunications services, are not covered. Like war and terrorism exclusions, the magnitude of the risk surpasses what individual insurers can handle.

9. Recent developments and trends in cyber insurance

  • A large life sciences company was hit by the NotPetya cyber attack, which wiped 40,000 of its computers. The pharmaceutical company’s $1.4 billion insurance claim was initially denied, with the insurer citing an “acts of war” exclusion. The company sued the insurance provider and won in court, with the decision upheld in 2023. The ruling may influence future interpretations of war exclusions in cyber insurance policies.
  • An American multinational confectionery, food and beverage company was hit by the same NotPetya ransomware attack, which affected 1,700 servers and 24,000 laptops, disrupted supply chains and caused significant operational and financial damage. The company sought over $100 million from its insurance provider for recovery expenses. The parties reached a confidential settlement with undisclosed terms, highlighting potential gaps in cyber insurance policies regarding war exclusions.
  • A mortgage company sued its insurance providers for $30 million after they denied its cyber insurance claims following a significant cyber attack. The dispute centers on policy coverage and exclusions. The case is ongoing, with potential implications for the interpretation of cyber insurance policies and coverage terms.
  • Over the years, organizations have significantly enhanced their preparedness levels. It has been observed that many organizations now prefer to recover from backups rather than paying ransoms. This shift is driven by stricter insurance requirements and increased premiums, which have prompted companies to adopt robust measures such as air-gapped backups and thoroughly tested business continuity plans.

10. What is the significance of cyber insurance?

The significance of cyber insurance in today’s digital age cannot be overstated. As cyber threats proliferate, the scrutiny of cyber insurance policies has intensified, leading to a substantial rise in premiums. Consequently, organizations must enhance their security measures to become insurable and potentially reduce their premiums. Implementing measures, such as encryption, PAM, regular backups and network segmentation, can mitigate risks and demonstrate a proactive approach to cybersecurity, influencing insurance premiums positively.

For chief information security officers (CISOs) and senior security leaders, understanding the intricacies of cyber insurance is crucial. A robust security framework can lead to significant financial savings, particularly for large enterprises where premiums can run into millions of dollars. Moreover, the personal liability of CISOs in the wake of cyber incidents has become a pressing concern, with high-profile cases underscoring the potential legal ramifications.

In conclusion, the landscape of cyber insurance is complex and ever-changing. By enhancing their organization’s security posture, CISOs can secure better insurance terms and safeguard their professional and personal interests. The insights provided aim to equip security leaders with the knowledge needed to navigate this challenging environment effectively, contributing to a more secure and resilient organizational framework. Companies are re-evaluating the benefits they derive from cyber insurance policies, closely examining the extent of the coverage these policies offer, particularly in the event of a cyber incident. Additionally, businesses are exploring alternative methods to manage their risk exposure beyond relying solely on cyber insurance. This indicates a shift toward a more comprehensive approach to risk management in the face of evolving cyber threats.

Summary

It is increasingly important for policyholders to thoroughly discuss exceptions to common exclusions with their insurers. Verifying that coverage meets unique needs requires detailed conversations to understand these exclusions and address any potential coverage gaps. This trend highlights the necessity for proactive engagement with insurers to secure comprehensive cyber insurance protection.

Ernst & Young LLP does not take an official position on whether to include cyber insurance as a risk management strategy. The decision to purchase cyber insurance should be based on the organization’s specific posture, business goals and strategic aspirations.
