Cyber Insurance is not a Cybersecurity strategy

Up until recently, companies were leaning on their cyber insurance policy as their business continuity plan and cyber defense strategy. It was an excuse to not invest in good security practices and products because the policy would cover financial losses meaning they could cut IT investment.

This is coming to an end.

The insurance carrier AXA announced that it would stop covering ransom payments under its cyber insurance policies in France and other carriers are following suit. Even if they stay in the game, premiums are already on the rise.

Reportedly, bad actors searches the systems it infiltrates — prior to encrypting them with ransomware — to find information about the victims’ cyber insurance coverage, and adjusts ransom demands accordingly.

First, let’s look at what cyber insurance policies do not cover

  • They will not pay out if the business has not taken normal and adequate care to secure their property against the threat
  • Your reputation and reputation damage
  • If you are a non-profit, monetary contributions that donors haven’t made yet
  • Upgrades. If you decide to upgrade as part of the restoration process to prevent future vulnerabilities, your policy may not cover this
  • Getting rid of attention from regulators
  • Future profits
  • Decreased valuation due to electronic theft of intellectual property

What does your cyber insurance policy cover?

  • First-Party Expenses: Incident response and digital forensics services, PR services to manage reputational damage caused by a breach, notification to affected parties, credit monitoring services and other expenses.
  • Third-Party Expenses: Defending liability claims and/or fines and penalties assessed by regulating authorities. Think legal fees and HIPAA fines.
  • Cyber Crime Costs: Financial losses resulting directly from criminal activity.

What to look for in a policy?

  • What type of events are covered? DDoS, Ransomware, Malware, Electronic Theft, Deletion of Data, Cyber extortion, etc…
  • Does it cover social engineering attacks such as phishing and spear phishing?
  • Does it cover legal fees and penalties?
  • Notification to affected parties?
  • Forensics and professional services
  • Incident response coverage
  • Loss of income due to disruption of operations and how long does the disruption have to be before the policy kicks in?
  • What are the requirements to make a claim? If you can’t provide certain data and evidence, you may not be able to make a claim

What should you prepare for when shopping or renewing your policy?

Each provider will require a questionnaire and supporting evidence as proof to satisfy that your answers are truthful and accurate.

Here are a few examples:

  • Do you use multi-factor authentication for email and server login?
  • Do you maintain daily offsite backups of all critical data?
  • When was the last time you tested restoration of the offsite backup?
  • Is any part of your IT infrastructure outsourced to third party providers?
  • Disclose previous cyber incidents
  • IT operational and capital expenditure on security last year
  • Percentage of infrastructure managed in-house vs outsourced
  • How many dedicated employees in an IT security role?
  • Who is responsible for IT security?
  • Describe the type, nature and volume of the data stored on your network
  • Total unique individuals you hold data on
  • Data retention policy and how often you purge records
  • Describe your data backup policy in detail including frequency of backups, technology used, type of backups, storage method, how often you backup, how often you test restores
  • Do you use RDP?
  • Describe your process for patching OS and applications
  • How often do you conduct vulnerability scanning?
  • How often do you conduct penetration testing of your network architecture?
  • What security controls are currently in place? IDS, IPS, WAF, Firewalls, DDoS mitigation, employee training, Encryption, etc…

Expect more scrutiny of your program, and possibly the involvement of auditors to validate your claims. Check your insurance policy to see if investing in a certification program — such as ISO 27001 or HITRUST might decrease your policy premium. If you are a cloud or managed services provider and/or are part of other organizations’ supply chains, you should expect to receive more scrutiny from your insurer on the strength of your cyber security program

Take advantage of any educational opportunities your provider offers on cybersecurity best practices and improvements. This could also lower your rates.

Unfortunately for policy holders, cyber insurance can come with fine print, loopholes and gaps that may result in claims not being paid.

While cyber insurance can be essential to helping your organization recover, it should not take the place of a strong cyber security program. At minimum your cyber security program should include a

  • Cyber Security Plan,
  • Business Continuity
  • Disaster Recovery Plan
  • Incident Response Plan.

These plans should be tested, reviewed and updated at least annually along with your penetration test and vulnerability assessment from a qualified third party.

Cybersecurity plus cyber insurance equals balanced risk management. It’s not one or the other. No cybersecurity program can eliminate all cyber risk to a business. That’s why you also need cyber insurance, to pick up where the security program leaves off by providing coverage for risks that cannot be mitigated.

15 minutes won’t only save you 15% on your cyber insurance, it can also save your company :)




Principal Site Reliability Engineer. Cyber Security Professional. Technologist. Leader.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

{UPDATE} Iron Marines Hack Free Resources Generator

GOLDENEYE: 1 Kernal Exploit [Without Metasploit]

The Business of Security vs. Security of Business

TryHackMe — Easy Peasy

Mastering Basic Attention Token (BAT)

Oops… I guess I’m not safe!

Alternative Risk Financing: Rise of the Captives

Bypassing EPP — Chapter 1

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dale Frohman

Dale Frohman

Principal Site Reliability Engineer. Cyber Security Professional. Technologist. Leader.

More from Medium

Unleash Innovation in Your Organization by Not Tolerating Cynicism.

This month audiences will have the opportunity to screen Hearts of Steel on the Planet Classroom…

The Yellow New Deal: Factory 01 will start an era of sustainable protein production

Goodbye Brian Kelly