MythBusters – Cyber Insurance Edition

By Brian O’Mara, O’Leary Insurance Group, Cork.

In this piece, we look at some common misconceptions about Cyber Insurance and consider why it really is of benefit to most companies. 

We have invested heavily in IT – surely Cyber Insurance is redundant?

Raising Cyber Insurance with clients can often be perceived as an insurance broker putting the IT department on the back foot. A relatively common reaction is essentially “why is this insurance broker warning us, the experts, about potential system breaches?”

The answer, of course, is because not every eventuality can be prepared for, as the human element always turns out to be the tricky bit, or the “fly in the ointment” as it were. You can have undergone a comprehensive system upgrade, and have superb backups / security but, as we know, those pesky humans are unpredictable! 

Who would have predicted that a motorist deciding to pull off the road because of a smoking air-con system would have driven to the part of a shopping centre that would suffer the maximum amount of damage when the car actually ignited?

Or, back on topic, that a CFO who implemented a company-wide dual verification procedure would himself fail to follow that procedure – and lose around €100,000 to cyber criminals in the process. 

Insurers do everything possible not to pay claims

Okay, this one isn’t specific to Cyber Insurance. Claims being paid rarely make the news. However, see below a recent claim settlement on behalf of a client.

The company in question was hacked, and the criminals emailed all of their client base with updated bank details. Some individuals who owed money relied on this email and transferred funds to the criminals – one particular couple lost €45,000. They claimed for the money and also for stress as the lost money cost them a house deposit, which they alleged led to divorce!

During the course of the claim, it became apparent that the company were hacked in May, were warned that they had firewall issues, but did nothing about it. They were hacked again in August which led to this loss. The insurer settled the claim for €45,000 plus another €10,000 in damages. Cheapest divorce in history I hear you say! 

The other example above – where the CFO didn’t follow his own dual verification procedures – was also going down the route of a paid claim, but thankfully the funds were recovered in time.  

Many Insurers would likely either have looked for another insurance policy to pay (namely Professional Indemnity Insurance due to negligence by the firm), or worse they would simply have declined cover under their policy terms due to the company ignoring the warning from their IT provider. 

Policy wordings vary, and different insurers have different approaches to paying claims; that is where your insurance broker comes in, by advising on the various options. Cyber policy wordings vary more than those of any other policy type, so you really do get what you pay for. Conversely, you do not get what you do not pay for!

The policy won’t pay GDPR fines, so what is the point? 

This is likely correct – we won’t know without court precedent in each jurisdiction around Europe, but the best advice we can give is that it is unlikely GDPR fines will legally be insurable, no matter what a policy wording says. 

However, at the time of writing there has only been one Irish entity fined under GDPR. Many more have had data breaches. The hidden costs of these breaches can be significant. For example:

  • Forensic IT costs to get to the source of a breach and to rectify the issue 
  • Notifying those affected 
  • Dealing with investigations from the Data Protection Commissioner 
  • Credit monitoring and / or identity theft monitoring, if necessary 
  • Setting up a call centre to handle enquiries 
  • Systems restoration following an incident
  • Claims from those affected by a breach 
  • Public Relations costs to prevent adverse publicity 

All of the above are covered by a good Cyber Insurance policy. 

We have another example for you from one of our clients. A third party used by our client was hacked, and the details of around 7,000 clients were stolen. The data taken was limited to names, emails and some addresses. Our client’s insurers dealt with the claim as if it were a loss to our client, and the DPC closed their file while no claims were made by those affected. 

A rival company did not fare so well; some of those affected notified the media – that company was in the national news as a result. The cost of adequately handling this breach was just shy of €40,000 – money well spent!

Having Cyber Insurance increases the amount of ransom being demanded.

We first became aware of this line of thinking last year. On the face of it, it may have merit. However, there are some important points to factor in. 

Firstly, the amount of ransom – which really is extortion – being demanded has been increasing for some time. There has been a trend whereby the focus is moving from a standard ransom amount that a percentage of firms will pay, to ransomware attempts targeted at certain industries or even at specific companies. The criminals tailor their ransom demands to whatever funds they deem the company can afford to pay. A recent report by Coveware put the average ransom payment at over $84,000 in Q4 of 2019.

Secondly, insurers will only pay the ransom if there is no other choice. They will do everything they can to work from backups or, if those are unavailable, to recreate data from scratch. Some even use consultants whose sole job is to identify which criminals are likely to hand back the data after payment of the ransom, as opposed to those that won’t.

There are other considerations, such as some insurers not being able to pay ransoms if there is a fear they will breach sanctions (e.g. paying terrorist organisations), but these are outside the scope of this piece. 

It’s too expensive!

The average cover limit taken out by clients is between €500,000 and €1m, and the average premium is under €2,500. When we focus on companies with under €10m of turnover, that average premium reduces to €1,800. 

As well as cover for claims, payment of a premium gives clients access to specialist firms whose advice they can seek after an incident, including solicitors, IT security experts, data protection consultants and others. Many solicitors also offer additional risk management tools for free.

Myth…busted? 

So there you have it – we hope this at least gives food for thought. As an industry, our aim is ultimately the same as many of yours – to protect companies as best we can. 

If you have any other items you would like us to address please leave a comment below and we would be happy to respond.