Editorial

Is Your Cyber Insurance Policy Actually Worth The Paper It’s Written On?

In a new exclusive opinion piece, Bill Mew of new Cybersecurity advisory group The Crisis Team explains where we are with Cybersecurity insurance—which he thinks, frankly, is not in a good place at all

Posted 25 March 2020 by Gary Flood


When it comes to Cyber insurance, the fact is that most companies don’t have it. Coverage is only 40% in the US, and a shockingly low 10% in the U.K. Elsewhere, it’s even lower.

Part of the problem here is the quality of the products we’re being asked to buy. You don’t just need to take my word for it. Even Warren Buffett, a major investor in the insurance sector, has said: “I don’t think we or anybody else really knows what they’re doing when writing cyber [cover].”

Many Cyber insurers boast that they can provide an insurance quote in under an hour. If they are able to provide cover for such a complex policy in such a short period of time, then this should ring alarm bells! You should be concerned with their ability not only to accurately assess your risk position, but also to price the policy accurately.

The reason that they can probably afford to do this is that most Cyber insurance policies include a host of provisions and exclusions that in effect make it impossible to claim for almost any incident of any kind. If they want to refuse to pay out, they’re probably going to find a way of justifying this. Indeed, almost the only reason they would pay out at all is to encourage other clients to sign up. In other words, if there is a global cyber crisis, they may well refuse to pay out on any policies and consider withdrawing from the market entirely.

Examples of common cyber insurance policy terms or exclusions are as follows:

  • They tend to only cover ‘a hacker who specifically targets you alone’. Unfortunately, cyberattacks are rarely focused on a single victim. Often either the same attack vector is used on many victims in a scattergun approach (e.g. phishing attacks) or malware is used that is contagious in nature (e.g. WannaCry)
  • Most tend not to cover ‘any failure…by a cloud/infrastructure provider…unless you own the hardware and software’. Unfortunately, this would not only exclude almost all cloud use, but also exclude almost anything other than hosted services that exclusively use kit that you actually own
  • They’re often worded so as not to cover incidents involving a ‘third party…not unduly restricted or financially limited by any term in any of your contracts’. This is meant to ensure that the insurer is able to pursue any third party involved for unlimited damages. Unfortunately, this excludes almost all service providers as they themselves tend to specify some kind of limitation to damages in their contracts, such as damages being limited to the value of the contract. No service provider these days offers unlimited liability
  • Policies tend not to cover incidents involving ‘any individual hacker within the definition of you’. Unfortunately, this would exclude all insider threats!
  • The ones we’ve seen also tend not to cover ‘the use by you of any software or systems that are unsupported by the developer’. This clause rarely specifies that the unsupported software needs to be part of the attack vector, which means that you could be excluded if you had a single instance of something like Windows XP on your technology estate, even if this was not part of the attack at all
  • Insurers tend not to cover incidents ‘attributable to any failure…by the Internet Service Provider (ISP) that hosts your website, unless such infrastructure is under your operational control’. Unfortunately, this would exclude all incidents involving any ISP as it is unheard of for ISP infrastructure to be under your operational control
  • No-one wants to cover ‘acts of foreign enemies, terrorism, hostilities or warlike operations (whether war is declared or not)’ which could exclude most attacks originating from Russia, China, North Korea or Iran, but unfortunately these are sources of the majority of all attacks
  • Wording is designed not to cover ‘any error or omission arising out of the provision of negligent professional advice or design’. Unfortunately, if at any time you have tested or assessed your security (as is required under GDPR), but then failed to implement all the resulting recommendations, then your cover could be void. So, if you have had penetration testing or certification audits (for ISO 27001 or PCI, say), then you need to address every single recommended revision or recommendation or you risk voiding your cover
  • And finally, they tend not to cover ‘anything likely to lead to a claim, loss or other liability under this section, which you knew or ought reasonably to have known about before we agreed to insure you’. This is the pre-existing condition provision, and it means that if, in any business case your team makes for adopting cyber insurance, you cite potential vulnerabilities as reasons for this adoption, then these very vulnerabilities could be excluded from any cover.

For these reasons, here at The Crisis Team we have already seen that some claims are not being paid. For example, several major insurers have declined to pay for damages caused by the NotPetya ransomware attack a few years ago. The reason given was that it was a “hostile or warlike action”, and therefore not covered.

On top of this, other claims have only been paid in part. For example, Norsk Hydro received an insurance payout of $3.6 million… great, but that’s only about 6% of the overall damage (total estimated to be as much as $71 million).

As a result of these weaknesses, it’s high time the global Cyber insurance industry got its house in order and went back to the drawing board. Given the real danger of another global crisis as bad as the Great Recession but spawned this time by a Cyber incident, it’s actually a well-overdue action.

The big lesson here is that you can’t count on cyber insurance to cover your losses, especially if there is contagion and the insurers are facing a lot of claims and looking for a way out. A good broker will find you a policy that is a best fit for your business, but relying on this alone is folly. Instead, you also need to focus on prevention as well as crisis preparedness and incident response to be able to cope if things go wrong.

Bill Mew is the Founder and CEO of a cyber crisis management firm, The Crisis Team, set up to help brands mitigate against, prepare for and, if necessary, deal with the impact of cyber incidents. (He has posted a very good introductory video explaining some of the ideas behind Crisis Team on his Twitter account, @BillMew).

One of the world’s top campaigners for digital ethics and a former global leader for IBM’s Financial Services Sector as well as strategist for UKCloud, Mew has extensive expertise ranging from fintech to public sector IT. He has been profiled as one of the top global influencers on Privacy by Onalytica, as well as being listed as one of the top 10 global govtech influencers, and the only one in the top 10 from the UK, by NodeXL (part of the Social Media Research Foundation).

We recently interviewed Bill about his vision for his new company here