Cyber insurance – benefits and uses

Cyber insurance

benefits and uses

Marc Ruef
by Marc Ruef
time to read: 7 minutes

Keypoints

  • Cyber insurance is gaining importance in our society
  • There is a clear distinction between policies for private individuals and for companies
  • Differing terminology makes it difficult to compare policies
  • Many come with a risk catalog which is used to assess the present state of security
  • Cyber insurance is worth considering for companies that wish to limit their active cybersecurity investments

In recent years, a number of different insurers have done their best to draw attention to cyber insurance in the marketplace. There is plenty of discussion about the benefits and uses of such policies, and in this article we aim to provide an overview of whether and to what extent you can profit from this kind of insurance.

Private and business policies

There is an important, fundamental distinction between policies for private individuals and those for companies. Insurance for private individuals focuses on data misuse which may arise in the course of day-to-day use of the Internet. That may include misuse of credit card information or infection of systems with malware. Some insurers also cover cyber-bullying and failed deliveries of goods ordered online.

Policies offered to companies are primarily targeted at small to medium-sized enterprises (SMEs). There, too, coverage is largely focused on data misuse, which may include financial data, as well as infection with malware. Many policies also offer compensation for financial loss, liability claims, and costs arising from data breaches. They may also cover data recovery, forensics, loss of income (through DoS attacks, for instance), as well as crisis and reputation management. Cyber insurance for companies is thus largely an extension of business continuity management (BCM). Most insurers have stipulations on payment of extortion demands resulting from DDoS or ransomware, for example.

Comparing policies

Comparing policy offers from different insurers can be very difficult. The key aspects of a cyber insurance policy can be summarized as follows:

From the various industry definitions in circulation it may be unclear precisely which aspects are covered. On the other hand, effective coverage in the event of damage depends on a number of different factors which can at most be approached in theoretical discussion when taking out the policy.

So while you may be to tell whether malware infections are covered, and what the deductible will be, it may not be readily apparent whether and to what extent self-inflicted damage can be proven and how it will affect payout. Most insurers stipulate that any willful causation on the part of the policyholder part is not covered. Intent, negligence and ignorance can be difficult to tell apart. It is here that we will see numerous attempts at insurance fraud in the future, which will require a great deal of highly technical skill from insurers to resolve. And it is here that insurers first have to determine where they stand.

To achieve comparability of policies, the German Insurance Association (GDV) has published its Model conditions for cyber insurance (German only). These conditions arrange various risks by category, allowing them to be evaluated by both policyholders and insurers. This makes it possible to determine the current state of security and the expected coverage of the insurance. Policyholders are divided into three different risk categories, primarily based on annual revenue. This forms the basis for setting out the requirements of a cyber insurance policy.

Insurers themselves often provide risk documents of this type to allow customers to assess their security situation themselves. For instance, they may ask whether and to what extent security may be improved by the installed anti-virus solution.

It is difficult to assess how much influence the different answers may have on the actual insurance. Implementing further measures may reduce policy fees. At the same time, the insurer will also want to understand why existing measures are unable to provide protection in the event of damage. From the customer’s perspective, this therefore requires a kind of economic balancing act.

Who should consider cyber insurance?

Answering the survey is very difficult for non-specialists, customers and insurers alike. Even among experts, opinions vary greatly concerning risk calculation in terms of probability of occurrence and impact. It is therefore a good idea to talk to cybersecurity experts before taking out a cyber insurance policy and find out whether and to what extent it may be beneficial.

They are best suited to small and medium-sized enterprises that are either unable or unwilling to constantly, actively engage with the issue of cyber security. That means any company that doesn’t have a CISO (chief information security officer) or equivalent position, or where this position is only partially filled. In this case, reductions in internal expenses must be compensated by cyber insurance. Insurance merely transfers risk, but cannot avert or reduce it.

Insurance as treatment strategy in risk management

Whether one strategy is better than another (investing directly or transferring risk) depends on various factors. That includes the exposure of the company and the shareholders’ tolerance for risk. A conservative financial institution or a startup developing small web apps – each will have very different ideas about security.

Completely foregoing security measures will lead to very high insurance costs. So there is no getting around it – either way you will need to invest in personnel, processes and products to actively increase your company’s security. However, the goal should be the right balance between technical risk and financial outlay.

Conclusion

Cyber insurance will soon be an integral part of our society. While this insurance category isn’t yet as widely established in German-speaking countries as it is in the US, even here there is a major increase in the number of policies on offer. Cyber insurance is a valid tool for dealing with risk. Here it is important to understand the context in order to deploy this tool properly. Whether cyber insurance is necessary and beneficial can only be determined by an individual risk analysis and comparison of insurance policies.

About the Author

Marc Ruef

Marc Ruef has been working in information security since the late 1990s. He is well-known for his many publications and books. The last one called The Art of Penetration Testing is discussing security testing in detail. He is a lecturer at several faculties, like ETH, HWZ, HSLU and IKF. (ORCID 0000-0002-1328-6357)

Links

You are looking for an interview partner?

Our experts will get in contact with you!

×
Specific Criticism of CVSS4

Specific Criticism of CVSS4

Marc Ruef

scip Cybersecurity Forecast

scip Cybersecurity Forecast

Marc Ruef

Voice Authentication

Voice Authentication

Marc Ruef

Bug Bounty

Bug Bounty

Marc Ruef

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here