Is cyber insurance really worth it?


Avoid the overlap

Care needs to be taken to avoid paying for the same cover twice. There is often overlap between professional indemnity insurance or other liability cover and cyber insurance policies. Aside from wasting money, having double cover for the same risks may result in invalidating one or both of the policies unless fully disclosed at the outset. Insurers are historically uncomfortable having a second firm or policy protecting against the same risks.

Exclusion clauses are the big issue in many cyber insurance policies. Because the risks that are being protected against are often difficult to predict and are in new and inherently complex areas, insurers go to some lengths to exclude risks.

Obtaining protection against fire or flood is straightforward. Companies and insurers understand these risks. In contrast, global security teams at both Verizon and Symantec agree that in 2015, 317 million new malware threats were released into the wild. That’s close to one million new forms of malware released every day of the year. Will a particular policy of insurance cover zero-day attacks? In other words, will it cover a new type of attack not previously seen and, as such, not referred to in any cyber insurance policy?

Intel Security’s ‘Grand Theft Data’ report concluded that 43 percent of data loss results from internal actors, of which 50 percent was intentional and 50 percent accidental (the Red Cross breach was in the accidental category). Firms considering cyber insurance need to understand how the policy they are looking at deals with breaches that result from employees or contractors. Are they covered or excluded? If excluded, then based on the Intel stats, this could exclude a large group of potential breaches from being covered.

Another tricky question: does cyber insurance cover pre-existing breaches the organisation doesn’t know about? Mandiant’s M-Trends report found that in 2015 the average time for a company to detect an advanced persistent threat on a corporate network was 146 days. This period has reduced in recent years as breach detection improves, but it is still a long time.

For potential purchasers of cyber insurance, this means they may be making declarations to the insurance company that there are no breaches in their networks when in fact a bad actor has been sitting inside for months. This raises questions: should they have known about the breach, could they have done more to discover it, what is their security posture, and do they need to get a vulnerability assessment done before taking out the insurance? These can be difficult questions to answer.

Insurance law imposes heavy obligations on both insurer and insured to make full disclosure. The legal principle of “utmost good faith” applies. It is possible that a pre-existing intrusion, which the organisation was not aware of but should have been, may lead to a denial of cover. 

What are the circumstances in which the insurer will refuse to pay out? The exclusion clauses are often far-reaching and difficult to understand. In many, the costs of the insurance are significant but the circumstances in which the insurer will pay out are narrow. Some of the most common exclusions and exemptions are:

  • Failure by the company to ensure employees and contractors are aware of security issues and the risks their behaviours can create for company and customer data.
  • Failure by the company to maintain an adequate regime to ensure basic security controls are current and are consistent with best practice.
  • Failure to disclose pre-existing risks that have been revealed in vulnerability assessments or penetration testing exercises but have not been fully or effectively rectified.

Cyber insurance policies have been around for more than a decade, but only recently have the threat landscape and the volume and sophistication of threats and threat vectors changed so dramatically that these policies are now being considered more widely.

Many cyber insurance policies are so heavily conditional that they are not a great investment. In many cases, they do not cope well with the rapidly changing nature of security threats and with the speed at which new attacks can be developed and released by bad actors. Many large companies feel obliged to obtain the cover, but it remains to be seen if they are getting real value. 

Many suppliers of IT-related services and resellers of IT products in Australia are small firms. The value to these companies of the available cyber insurance products is questionable. This may change once we can determine the impact of the new data protection laws, should they be enacted.

Far-reaching disclosure obligations and tough enforcement regimes in other jurisdictions have certainly driven sales of cyber insurance. To date, Australia has had neither a tough data protection regime nor a tough enforcement approach, so the interest in such policies on both sides of the insurance contract has to date been lukewarm. It’s a case of watch this space.  


Adam Davenport is executive chairman of Sydney-based managed security service provider Loop Technology

Copyright © nextmedia Pty Ltd. All rights reserved.