Cyber Insurance - is it worth paying?
www.remora.co.uk #cyberinsurance #cybersecurity #cyberattacks

The validity of some cyber insurance policies being offered in the UK is currently under increasing scrutiny.

Throughout 2022, insurance companies have changed underwriting requirements, increased rates and limited coverage, in response to loss ratios of over 100%, where insurers paid out more in claims than they collected in premiums. Other insurers have issued endorsements at renewal that seek to limit coverage for “widespread events”, meaning events that may affect many different insureds at once, such as the recently discovered Log4j vulnerability.

Lloyd’s of London has suggested major changes to coverage, including proposing four exclusionary endorsements that attempt to limit or preclude coverage for otherwise covered losses arising out of actions “by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.”

When a policyholder gets a new cyber insurance quote, they can discover that the coverage is now vastly different from earlier quotes. Insurance companies have added ransomware sublimits or coinsurance clauses, which means that coverage for all ransomware-related losses is restricted to a lower limit than other policy coverages, or that the policyholder is responsible for a portion of all such losses. For example, some policies require the policyholder to pay 50% of all such losses while the insurer covers the remaining 50%, subject to a sublimit.

The message from insurers to policyholders is clear: they should not expect the same coverage at renewal, because the market is moving so quickly. Organisations facing new pricing and new endorsements that may limit coverage should consider beginning the renewal process as soon as possible, or even whether to move away from insurance altogether and rely on alternative services from cyber security firms.

Companies should examine their other policies that may offer coverage after a cyber attack, such as errors and omissions, general liability, kidnap, ransom and extortion, crime, directors and officers, and occasionally commercial property policies, in addition to auditing their cyber insurance policies to ascertain the extent of coverage following a cyber attack.

A service I will provide for free.


Companies must review their whole insurance programme when obtaining or renewing cover, so that new coverage gaps are understood, including the costs and liabilities the firm might now have to bear itself following a cyber attack. It is now more likely that a cyber insurance policy will provide only patchwork coverage, with restrictions or holes in protection for cyber-related hazards.

When renewing, care must be taken to cover these gaps. Corporate policyholders should consider the following as they evaluate their coverage:

  • A privacy breach-related claim that is otherwise covered should not be subject to exclusions for invasion of privacy.
  • To lessen the effects of any cyber attack, consider optional coverages like reputation loss or public relations and crisis management coverage.
  • Check that exclusions for terrorism and war do not apply to common cyber attacks and that any provisions for cyber terrorism are clearly defined.
  • Make sure that contractual liability exclusions include a carve-out for payment card claims, fines and penalties if your company is subject to payment card industry data security regulations. These claims ought to be covered, but they might not be if policyholders haven't taken steps to secure that coverage.
  • To cover losses resulting from social engineering scams and compromised corporate email accounts that lead to fraudulent transfers, add express social engineering coverage to your company's crime insurance policy.

These coverage gaps are only a few of the pitfalls that lurk for the unsuspecting insured. The best way for businesses to optimise coverage for the organisation, board, and executives in the event of a cyber disaster is to review coverage and remedy gaps in collaboration with knowledgeable insurance coverage counsel and insurance brokers.

In their dealings with clients and vendors, many businesses are compelled to make contractual representations or warranties about their cyber security policies or standards. Yet this is not something that insurance companies currently seem keen to require of their own policyholders.

This is the overriding factor in understanding why the cyber insurance market is broken: insurers have long ignored the regulators and have almost steadfastly chosen not to use the tools placed before them by regulators and by the cyber security industry.

Regulators

The Bank of England has long been implementing a strategy of simulated phishing exercises, penetration testing and international cooperation to help companies reduce the risk of cyber crime, since Andrew Gracie set out the policy in 2015 under the auspices of the Bank's Regulation, Risk, Policy, Enforcement and Supervision Committee. It was designed as a twelve-year programme and has since been rolled into the Prudential Regulation Authority. Now on its third lead, Duncan Mackinnon, the programme has shifted its focus to operational resilience.

Despite the Bank of England’s best efforts to help companies enhance their operational resilience, a lack of fundamental cyber hygiene still leaves most companies vulnerable to criminal attacks. The Bank has been trying to roll the programme out across the financial and insurance sectors, but take-up has been slow. So although cyber resilience is increasing overall, it is not increasing as quickly as cyber criminals are evolving, leaving far too many companies with fundamental security flaws: poorly managed vulnerabilities and information storage, poorly designed IT infrastructure, and mismanaged user accounts and passwords.

Because so many companies lack cyber preparedness, the spectre of an attack is never far away, and cyber insurance is therefore becoming more important than ever. That makes the lack of synergy between the insurance sector and its clients a much bigger problem.

Divergence

It is the divergence of messaging between regulators and those they regulate which breeds confusion. The Bank of England’s operational resilience strategy, if adopted, would make insurers more profitable if they worked together. The Bank of England delivers CBEST, a framework for controlled, bespoke, intelligence-led cyber security tests. The tests replicate the behaviours of threat actors assessed by Government and commercial intelligence providers as posing a genuine threat to systemically important financial institutions. CBEST is a threat-led penetration testing framework built around threat intelligence and a risk assessment, used to assess organisational resilience. It has become the Bank's flagship cyber resilience testing programme and is on its second cycle. CBEST constantly evolves to mirror the "very dynamic nature" of cyber risk and is now focusing more on malicious insider and supply chain risks.

Follow the regulator

If insurers asked policyholders to prove that they had been through CBEST, a single intelligence-led test that offers a comprehensive evaluation of a financial services or infrastructure provider's cyber capabilities, it would allow insurers to understand the threats their policyholders actually face, and policyholders could be given cover commensurate with their real cyber security posture.

If insurers used this as a benchmark it would not only strengthen the position of those who had undergone CBEST, but would also help identify areas that require improvement for their clients and enable the cyber security industry to recognise and take appropriate action against the threats, vulnerabilities and risks that the test identifies.

The Future

This is a critical time for the sector's future. Given the volatile threat environment, recent losses and the immature commitment of insurers, a new wave of cyber attacks this year would have significant effects on the insurance industry. So, if insurers believe that CBEST is not yet established enough to rely on, they could look at other options from the cyber security industry that they could ask policyholders to implement in return for reduced premiums or increased cover, such as cyber security awareness training or security controls assessments.

The excuse given by insurers is that the dangers are exceedingly intricate, highly erratic and variable, and that the security risks of using technology change along with the technology itself. The widespread adoption of remote work and the cloud exposed numerous security flaws that hackers gladly exploited. As true as that is, if the insurers who offer cyber insurance understood that they could be part of the solution, and that by being part of the solution they would become more profitable, then things would change for the better.

If insurers want to be part of the solution they must adapt, and they can do this by embracing the frameworks set out by regulators and by working with the cyber security industry. If they do not adapt, the market will adapt instead, and it will be at the expense of the insurers.

The present

Why this is important, and why I have brought this to your attention, is that I have been working with a client to attempt fund retrieval following a hack for which they are insured. Yet the insurer has refused the claim based on the exemption that the hack utilised electronic communication, that is, email, and according to this insurer they exempt any hacking claim that involves email!

When asked what hacking attempts they do not exempt, the insurer replied:

“that's hypothetical”

More articles by Chris Merchant
