Cyber security insurance is risk transference. It represents a purely reactive incident response activity and does not negate the need for investment in prevention and recovery, but it can be an important part of a comprehensive cyber security programme. Technology leaders must understand cyber insurance’s intended role, the costs associated with it and the limitations inherent in the cover.
Executive leaders must be included in and aware of discussions with cyber security insurance providers. They will be required to submit responses to security questionnaires. Also, the insurer will have incident response requirements that need to be adhered to in the event of a security incident.
Cyber security insurance is entirely a reactive product. It will not prevent a cyber security breach or immediately reduce the impact on the delivery of services to your users. Therefore, you must continue to invest in your security programme alongside your cyber security insurance considerations.
Cyber security insurance is designed to offset recovery costs that an organisation would have to pay in the event of a security incident. It can also offset a variety of non-IT business costs associated with a cyber attack, such as reputational damage (through the use of PR firms/breach coaches) and legal fees. These are some of the qualitative benefits of cyber security insurance.
Another qualitative benefit often provided by cyber security insurance is access to experts employed by, or contracted to, the underwriter and/or broker. These are not only incident response or forensic services: many cyber security insurers also have direct access to security experts for legal and PR matters and to law enforcement contacts. Some insurers also provide expertise and resources in planning, response and recovery strategies. These resources can augment your existing team or, where such capabilities don’t exist in-house, improve your ability to respond and recover.
With cyber insurance, it is extremely important to understand the exclusion clauses of any given policy. Research shows that there is often a disconnect between a client’s expectations and an insurer’s coverage in terms of what types of incident are covered and which are excluded.
Two current examples of where these clauses have affected organisations are the NotPetya attacks against Mondelēz International and Merck. Experts claim NotPetya was developed by a nation-state-backed organisation. As a result, the insurance companies deemed that the ransomware incident triggered the “act of war” clause in the policy. Each of these organisations engaged in legal battles to get their insurers to pay out on their cyber insurance policies.
Before purchasing a cyber insurance policy, consider asking a series of questions to understand the exact limitations of coverage.
Determine insurer-provided services
Some insurance providers offer incident response services as part of their policy. These can be valuable, time-saving resources during a security incident. However, you need to fully understand their scope of work because it may also negatively impact any claim settlement.
The incident response provider is contracted by the insurer, so you must understand what information is shared with the insurance provider. Is the insurer also using these contractors to identify existing deviations in your security posture that may reduce or eliminate any settlement? If your provider offers forensic or incident response services as part of its policy, you should ask the following questions:
- Do the provided responders work solely for you, the client, or do they work for the insurance company? For example, do they share any data with the insurer, and if so, what?
- Are the provided responders required to be transparent with their findings and share all information with the insured party? What is the response time for the deployment of services after reporting a cyber attack?
- Is it mandatory to use the services of the insurance provider or can you select your own service provider? Consider requesting a pool of money to be allocated in the policy to pay for the forensic/incident response services of your choice.
Gartner recommends that you update your incident response plan with the appropriate contact information for the approved incident response/forensic services organisations that will be utilised, and that you consider additional insurance products.
It is also important to know and understand all the insurance policies your organisation has. Different policy types may include a cyber security or business interruption provision. Some cyber insurance policies only cover the costs of recovery from a security incident and not any business interruption losses. You may have the opportunity to trade expensive cyber coverage for much less expensive criminal coverage, as both may be applicable during a significant incident.
Be careful not to over-insure or have overlaps in coverage. For example, if you have a separate business interruption insurance policy (with a cyber security rider) and cyber security insurance, you should find out whether both policies will pay out in case of a security incident. It may be that only one will pay a settlement, resulting in a situation where you are over-insured. In a similar way, there is often an overlap between cyber and criminal coverage. Most large incidents, such as ransomware, are quickly deemed a criminal act.
Bear in mind that some organisations may need to implement multiple insurance products to meet their business risk management goals.
Have robust security in place
Cyber security insurance does not replace the need to invest in an appropriate security programme of controls. If you do not have a good security programme, you should invest in one before seeking insurance. Insurers have been known to deem organisations uninsurable because of a lack of minimally acceptable security controls.
To ensure adequate coverage and fully address business risk, you will need input from various groups in the organisation. Reach out to other stakeholders, including compliance, legal, risk, finance, information technology and information security.
You will be asked to make representations about your cyber security capabilities – typically through a questionnaire – as part of the process. Be prepared with audit/compliance/pen test reports, existing policies, governance, awareness training success and supplier/third-party management processes. If your representations are found to be inaccurate after a breach, the carrier may deny your claim.
Gartner urges IT security chiefs to meet with the underwriters. This enables you to articulate your security posture and the improvements you are implementing. This meeting provides an opportunity to highlight your successes and roadmap to mitigate risk. It adds clarity and colour to the simple “yes/no” answers in a questionnaire. Providing this added level of detail may have an impact on your premium.
When considering cyber insurance policies, above all, don’t rush the process. Policy purchases or renewal activities should begin 90 to 120 days ahead of the active date. This will give you enough time to collect multiple quotes and make an informed decision. Your insurance carrier will have specific conditions that must be met to be compliant with your policy during an active incident. Gartner recommends making sure these conditions are addressed in your incident response plan and acted on.
This article is based on the Gartner report An executive leader’s guide to cybersecurity insurance, published in April 2021.
Paul Furtado is a vice-president analyst at Gartner and Jim Mello is a director in the internal audit and risk management practice at Gartner.