Examining the Complexities of Cyber Risk Insurance

Is your business paying too much for the wrong type of cyber risk insurance?

Cybercrime is a pressing concern in today's digital economy, and it is growing at an unbelievable rate. The chance of your company being the target of a cybercrime is on the rise as the cyber threat landscape is constantly changing. External cyber threats such as ransomware carried out by criminal hackers lock up to your data or leak it publicly unless you pay. For companies with sensitive data, this could come at a high price. Companies also face internal cyber threats. This could be an employee who accidentally sends a mass email with PII data to external stakeholders. No matter the origin of a cyber incident, your company can face financial loss. Many mid-sized and larger companies take out cyber risk insurance to reduce the total loss of a cyber incident. But not all policies are created equal. And there are many things to consider when taking out a cyber risk insurance policy. It’s not just the total amount of coverage that needs to be reviewed.

Christophe Forêt

An article from

Christophe Forêt
President and co-founder of C-Risk
Published
August 16, 2023
Updated
August 16, 2023
Reading time
minutes
Complexities of Cyber Risk Insurance

How well does your cyber risk insurance reduce your financial loss in the event of a cyber incident?

 

This article will explore some of the ways mid-sized companies can benefit from cyber insurance coverage. We will examine the various loss events and loss types covered by most cyber risk insurance policies. And we will also look at how companies can optimize their cyber insurance premiums to benefit from the coverage while also ensuring their coverage is proportionate to the losses companies are most likely to face—this is where Cyber Risk Quantification (CRQ) can be a game changer! CRQ analysis evaluates the potential financial impact of a particular cyber threat.

 

Cyber Risk Insurance Coverage

 

MunichRe forecasts that global premiums on cyber insurance will more than double. By 2025, this figure is expected to rise to $22 billion.

Cyber insurance uptake is on the rise as companies increasingly rely on it as a tool to mitigate their financial risks and liability. And because cyber insurance policies are complicated, decision-makers are advised to take a deep dive into the insurance loss types to better understand the breakdown of the policy beyond the total coverage amount.

 

What we have found in working closely withCISOs, CFOs, and other decision-makers is that cyber risk insurance policies are examined at a high level, from the perspective of total coverage.

 

•   Is our company covered if we take out a €2 million policy for cyber risk?

•   Does more total coverage mean that our share of the risk is reduced?

•   Is a €5 million policy better than a €2 million policy?

 

It’s difficult to answer these questions without looking further into the company’s digital value chain and their cyberthreat landscape. There are times when a company can optimize its cyber risk coverage by increasing the amount of total coverage, but it’s also possible to simply negotiate the retention amount per loss type.

 

Just like with other types of insurance products, cyber risk insurance is designed so that an individual incident is broken down by type of loss. Each loss type will have a retention and a maximum payout amount. Retention refers to the portion of a loss that an insured party is responsible for covering before the insurance policy begins to payout.

 

It literally pays to read the small print.

 

The information provided in your policy details precisely what incidents are covered, the exceptions, how to report them, and the various types of loss that are covered as well as the retention amount.

 

More total coverage doesn’t automatically mean you have a greater protection from financial loss.

Would you like to discuss how to optimize your cyber insurance?

Examine the value of your cyber risk insurance through the lens of cyber risk quantification.

Breaking DownCyber Insurance: Incident and Loss Types

 

Cyber insurance policies are structured by type of loss. Let’s see how it works for a company with a €3 million cyber insurance policy that experiences a malware rendering part of the company’s IT system unavailable. The incident is reported to the cyber insurer. The malware attack leads to a handful of loss types* covered by the policy:

 

•   Business interruption

•   Incident management

•   Legal costs

•   Forensics costs

 

Making a claim

 

The company incurred a €500,000 loss of income in part due to a system being unavailable for 48 hours. Under the terms of the insurance coverage, the policy holder can only claim “business interruption income” losses in excess of €300,000—this is the retention amount.For this loss type, the company will receive a €200,000 payout. This does not include the cost of internal incident management, which was purely the responsibility of the company. This cost can change depending on the circumstances of the cyberattack as well as the size of the company.

 

In addition to lost income, there are legalcosts related to the malware attack, which totaled €100,000. But again, becauseof the policy’s retention clause, legal costs can only be claimed when theyexceed €90,000. This means that the company can collect €10,000 as part oftheir insurance benefits.

 

As part of the claim, the company calledupon the services of a cyber forensics specialist recommended by the insurancecompany to investigate the origin of the attack and to verify if all therequired controls were in place to bring the unavailable system back online.The forensics service totaled €50,000 with a retention of €30,000.

 

To sum up, the malware attack resulted in a total loss of €650,000 broken down as follows:

The company was responsible for €420,000.

 

The insurance company covered €230,000.

 

As you can see in our example above, the retention amounts were different for the two loss types. This is characteristic of many policies. And it highlights how important it is to be familiar with your loss types as well as any retention. Another thing to consider is that the premium is likely to increase if a claim is made. So before making any claim a company should weigh a payout against the chance of an increased rate.

 

FAIR methodology, risk scenarios, and insurance

 

When we put the FAIR method to work and analyzed the top cyber risk scenarios for one company with an aggregate policy limit of €2 million, we found that the upper range of loss per incident by loss type was around €500,000 for all loss types.

 

Considering the company’s value chain and digital assets, we assessed the insurance policy’s loss types as they aligned with FAIR loss types. This gave us a deeper and wider understanding of the policy. We developed a table to visualize the loss type exceptions, the Loss Magnitude (see FAIR taxonomy) for each risk scenario as well as the maximum payout for coverable incidents. This information gave the CISO more thorough understanding of how the cyber insurance could mitigate losses in the event of a cyber loss event. And in the case of this company, it was not in their interest to increase total coverage but to renegotiate the retention amounts per loss type.

 

Cyber risk quantification (CRQ) analysis can draw parallels between FAIR loss types and the insurance loss types in financial and probabilistic terms. CRQ risk scenarios address how often a particular scenario will occur (in years or months) and how much the loss event will cost you (in financial terms).

 

Some of the most common cyber risk scenarios include:

 

•          Ransomware as a result of phishing

•          Data breach

•          Denial of Service (DDOS) attack

•          Supply chain attack resulting in an outage

 

 

Insurance coverage negotiated using CRQ methods

 

Cyber insurance is a risk management tool within a larger risk management strategy. When organizations can understand their cyber risks in financial terms, they are able to make more defensible decisions. Budget decisions become less opaque when cyber risks are expressed in monetary terms as well as the frequency and probability of each loss event. Cyber risk quantification methods identify key assets in a company’s value chain along with several of the most probable risk scenarios for those assets. This model quantifies risk scenarios with a range of frequency (that is, the likelihood of that risk occurring) together with a range of potential losses expressed in financial terms.

 

With the data from a CRQ analysis with a set of top risk scenarios mapped out, the question of how much or what kind of insurance is easier to answer.

 

With this quantified information in hand, risk managers, CISOs, CFOs, legal teams or other decision-makers can identify levers to negotiate insurance coverage to get the most value from it. But it doesn’t end there.

 

If a company still doesn’t have comprehensive coverage, there is an additional way to cover losses: captive insurance or self-insurance.

 

Insurance products are always changing—in the same way the cyber threat landscape is changing. For this reason, understanding your current cyber insurance policy and knowing your actual financial losses in the event of a cybersecurity incident give you a solid foundation for building your company’s cyber resilience.

 

If you’d like to find out more on optimizing your cyber insurance or learn more about cyber risk quantification, download an in-depth use case of a how we identified our client’s most important probable losses from cyber incidents, they successfully reduced retentions, and aligned their incident management plan to the terms and conditions of their cyber insurance policy.

FAQ

What is cyber risk insurance?

Cyber risk insurance is a type of insurance policy that companies can purchase to reduce the financial impact of cyber incidents, including legal and forensics costs, business interruption, data recovery costs, reputational damage, fines and assessments, etc.

Who needs cyber risk insurance?

Cyber risk insurance can reduce the financial impact of a cyber incident for companies of all sizes and in all industries. Mid-sized and enterprise companies, especially, can improve their cybersecurity governance with a quality cyber insurance solution.

What is the major external cyber threat and loss driver for companies?

By 2031, ransomware could cost victims around $256 billion annually, according to a report by Cybersecurity Ventures.

In this article
Cyber Risk Quantification for better decision-making

We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.

Related articles

Read more on cyber risk, ransomware attacks, regulatory compliance and cybersecurity.