Why cybersecurity still trumps a great cyber cover policy
Cyber insurance is changing as 2022 brings new fintech trends and risks. Financial institutions and banking organisations know that cyber insurance should not replace cybersecurity measures. But, as 2022 rolls on, new trends in cyber insurance, and risks that undermine otherwise sound cyber strategies, are causing concern in the fintech community. Ekaterina Khrustaleva, COO of ImmuniWeb, discusses why cyber insurance alone should not be relied upon to replace cybersecurity and data protection.
"Global digitalisation has brought new cybersecurity challenges for businesses and organizations across all sectors, fueling the demand for cyber insurance - also known as cyber risk insurance or cyber liability insurance - that covers losses caused by cyber incidents.
While the global cyber insurance market is expected to grow from $7.60bn in 2021 to $36.85bn in 2028, some experts warn that an escalation in the Russia-Ukraine armed conflict could trigger malicious cyber activity from either side targeting companies and critical infrastructure in an effort to inflict economic damage without resorting to direct military conflict. And this could lead to an increase in cyber insurance claims as Western companies are at a high risk of being targets of cyber-attacks if Russia decides to strike back in revenge for sanctions imposed by the US, EU and allies.
US and European cyber insurers are already overwhelmed by the ransomware crisis, prompting many providers to drive up prices, limit coverage and be more selective about who they accept as clients. Now they could face multi-billion insurance claims from victims of hacking following Russia’s invasion of Ukraine.
If Russia carries out a massive cyber-attack that affects several countries, it could lead to claims worth more than $20 billion, insurance industry sources have warned.
Furthermore, war exclusions within cyber insurance policies will not prevent insurers from paying out, after the US pharmaceutical giant Merck & Co.'s victory in a legal dispute with insurers over coverage for $1.4 billion in losses caused by the devastating 2017 NotPetya ransomware attack. The attack, which was attributed to Russia's military intelligence agency, impacted thousands of companies all over the world, destroyed data on more than 40,000 Merck computers and took the company months to recover from.
According to a 2022 State of Ransomware report, 66% of organisations were hit with ransomware in 2021, up from 37% in 2020, and 46% of victims paid the ransom. The report also notes that many organizations (83%) implement cyber insurance policies to help them recover from a ransomware incident. In 98% of ransomware incidents where the victim had cyber insurance that covered ransomware, the insurer paid some or all the costs incurred (with 40% overall covering the ransom payment).
94% of organisations with cyber insurance admitted that their experience of getting it has changed over the last 12 months, with higher demand for cybersecurity measures, more complex or expensive policies, and fewer insurers offering protection.
The use of cyber insurance to pay the ransom does more harm than good. It will likely encourage other would-be victims to regard insurance as a panacea, disregarding their cybersecurity and data protection. Moreover, in light of such an alarming trend, cyber insurance companies will inevitably raise their premiums, thereby hurting innocent companies and making insurance far too expensive for others.
Companies looking to secure their supply chain can, for example, oblige their suppliers to gain ISO 27001 certification, or to provide a solid and unconditional insurance policy to cover any data breaches and data leaks, including direct and consequential damages.
As demand for cyber insurance has been increasing, organizations that do not have proper documentation and/or don’t have required security controls in place (multi-factor authentication for remote access and admin/privileged controls, EDR, secured, encrypted and tested backups, PAM, email filtering and web security) may not be considered for cyber insurance cover or may face higher premiums or lower coverage limits to offset added risks. It is estimated that by 2025 cyber premiums worldwide will increase from $9.2bn (in 2022) to approximately $22bn.
Experts predicted that 2022 would be extremely challenging, with ransomware, supply chain attacks and attacks on critical infrastructure dominating the cyber threat landscape. Many insurers note that organizations who want to buy cyber insurance are most concerned about business interruption caused by ransomware, and then about data breaches or misuse of data.
As cyber criminals continue to evolve the sophistication of their attack techniques, no organization can be fully protected against a cyber-attack. While cybersecurity insurance won’t prevent cyber incidents, it can minimize the impact on a business and its clients due to cybercrime-related events.
A cybersecurity insurance policy can cover an organisation’s expenses related to interrupted business processes, ransomware attacks, recovering or replacing records or data, crisis management, and monitoring, liability and loss of third-party data, legal claims, etc. However, cyber insurance is not a one-size-fits-all policy, and each insurer will not offer the same cover, so it can be a little tricky for organizations to understand what cyber insurance offers, what it covers, and how to purchase the right cyber insurance plan.
Securing cyber insurance
The insurance policy selection process is a highly complex matter. All covered cases, as well as all the exceptions thereto, should be unambiguously enumerated in a contract. Caps on various types of damages should be clearly defined: including legal costs, recovery and forensics costs, notification and compensation to victims, and fines imposed by regulatory authorities.
An experienced lawyer is always recommended to inspect all the nuances: for example, compensation for breach notification may be contractually limited to a specific type of notification that may be insufficient or even unlawful in a specific state, making the insurance pointless. Another example is the exclusion of international litigation or limited cover thereof, while even an insignificant number of foreign individuals affected by a breach may bring the victimized company to a foreign court.
Many insurers require specific security controls to be implemented as a starting point, so securing a cyber insurance policy may depend on what cybersecurity practices an organization already has in place. Furthermore, organizations poorly protected against cyber-attacks, or those who have previously experienced a hack or a data breach would likely get charged more for a cyber insurance policy.
Before applying for any cyber insurance, an organization should take some steps which will help get the cover it needs, including updating cybersecurity practices to current standards and assessing the true risk tolerance (what data and systems must be protected at all costs)."
About the author: Ekaterina Khrustaleva is the COO of ImmuniWeb, where she leads a team of experienced sales and marketing professionals. Her background is in the banking industry, which helped tailor ImmuniWeb's award-winning application security and security rating solutions to deliver sustainable value and high ROI.