How well does your cyber risk insurance reduce your financial loss in the event of a cyber incident?
This article will explore some of the ways mid-sized companies can benefit from cyber insurance coverage. We will examine the various loss events and loss types covered by most cyber risk insurance policies. And we will also look at how companies can optimize their cyber insurance premiums to benefit from the coverage while also ensuring their coverage is proportionate to the losses companies are most likely to face—this is where Cyber Risk Quantification (CRQ) can be a game changer! CRQ analysis evaluates the potential financial impact of a particular cyber threat.
Cyber Risk Insurance Coverage
MunichRe forecasts that global premiums on cyber insurance will more than double. By 2025, this figure is expected to rise to $22 billion.
Cyber insurance uptake is on the rise as companies increasingly rely on it as a tool to mitigate their financial risks and liability. And because cyber insurance policies are complicated, decision-makers are advised to take a deep dive into the insurance loss types to better understand the breakdown of the policy beyond the total coverage amount.
What we have found in working closely withCISOs, CFOs, and other decision-makers is that cyber risk insurance policies are examined at a high level, from the perspective of total coverage.
• Is our company covered if we take out a €2 million policy for cyber risk?
• Does more total coverage mean that our share of the risk is reduced?
• Is a €5 million policy better than a €2 million policy?
It’s difficult to answer these questions without looking further into the company’s digital value chain and their cyberthreat landscape. There are times when a company can optimize its cyber risk coverage by increasing the amount of total coverage, but it’s also possible to simply negotiate the retention amount per loss type.
Just like with other types of insurance products, cyber risk insurance is designed so that an individual incident is broken down by type of loss. Each loss type will have a retention and a maximum payout amount. Retention refers to the portion of a loss that an insured party is responsible for covering before the insurance policy begins to payout.
It literally pays to read the small print.
The information provided in your policy details precisely what incidents are covered, the exceptions, how to report them, and the various types of loss that are covered as well as the retention amount.
More total coverage doesn’t automatically mean you have a greater protection from financial loss.
Would you like to discuss how to optimize your cyber insurance?
Examine the value of your cyber risk insurance through the lens of cyber risk quantification.
Breaking DownCyber Insurance: Incident and Loss Types
Cyber insurance policies are structured by type of loss. Let’s see how it works for a company with a €3 million cyber insurance policy that experiences a malware rendering part of the company’s IT system unavailable. The incident is reported to the cyber insurer. The malware attack leads to a handful of loss types* covered by the policy:
• Business interruption
• Incident management
• Legal costs
• Forensics costs
Making a claim
The company incurred a €500,000 loss of income in part due to a system being unavailable for 48 hours. Under the terms of the insurance coverage, the policy holder can only claim “business interruption income” losses in excess of €300,000—this is the retention amount.For this loss type, the company will receive a €200,000 payout. This does not include the cost of internal incident management, which was purely the responsibility of the company. This cost can change depending on the circumstances of the cyberattack as well as the size of the company.
In addition to lost income, there are legalcosts related to the malware attack, which totaled €100,000. But again, becauseof the policy’s retention clause, legal costs can only be claimed when theyexceed €90,000. This means that the company can collect €10,000 as part oftheir insurance benefits.
As part of the claim, the company calledupon the services of a cyber forensics specialist recommended by the insurancecompany to investigate the origin of the attack and to verify if all therequired controls were in place to bring the unavailable system back online.The forensics service totaled €50,000 with a retention of €30,000.
To sum up, the malware attack resulted in a total loss of €650,000 broken down as follows:
The company was responsible for €420,000.
The insurance company covered €230,000.
As you can see in our example above, the retention amounts were different for the two loss types. This is characteristic of many policies. And it highlights how important it is to be familiar with your loss types as well as any retention. Another thing to consider is that the premium is likely to increase if a claim is made. So before making any claim a company should weigh a payout against the chance of an increased rate.
FAIR methodology, risk scenarios, and insurance
When we put the FAIR method to work and analyzed the top cyber risk scenarios for one company with an aggregate policy limit of €2 million, we found that the upper range of loss per incident by loss type was around €500,000 for all loss types.
Considering the company’s value chain and digital assets, we assessed the insurance policy’s loss types as they aligned with FAIR loss types. This gave us a deeper and wider understanding of the policy. We developed a table to visualize the loss type exceptions, the Loss Magnitude (see FAIR taxonomy) for each risk scenario as well as the maximum payout for coverable incidents. This information gave the CISO more thorough understanding of how the cyber insurance could mitigate losses in the event of a cyber loss event. And in the case of this company, it was not in their interest to increase total coverage but to renegotiate the retention amounts per loss type.
Cyber risk quantification (CRQ) analysis can draw parallels between FAIR loss types and the insurance loss types in financial and probabilistic terms. CRQ risk scenarios address how often a particular scenario will occur (in years or months) and how much the loss event will cost you (in financial terms).
Some of the most common cyber risk scenarios include:
• Ransomware as a result of phishing
• Data breach
• Supply chain attack resulting in an outage
Insurance coverage negotiated using CRQ methods
Cyber insurance is a risk management tool within a larger risk management strategy. When organizations can understand their cyber risks in financial terms, they are able to make more defensible decisions. Budget decisions become less opaque when cyber risks are expressed in monetary terms as well as the frequency and probability of each loss event. Cyber risk quantification methods identify key assets in a company’s value chain along with several of the most probable risk scenarios for those assets. This model quantifies risk scenarios with a range of frequency (that is, the likelihood of that risk occurring) together with a range of potential losses expressed in financial terms.
With the data from a CRQ analysis with a set of top risk scenarios mapped out, the question of how much or what kind of insurance is easier to answer.
With this quantified information in hand, risk managers, CISOs, CFOs, legal teams or other decision-makers can identify levers to negotiate insurance coverage to get the most value from it. But it doesn’t end there.
If a company still doesn’t have comprehensive coverage, there is an additional way to cover losses: captive insurance or self-insurance.
Insurance products are always changing—in the same way the cyber threat landscape is changing. For this reason, understanding your current cyber insurance policy and knowing your actual financial losses in the event of a cybersecurity incident give you a solid foundation for building your company’s cyber resilience.
If you’d like to find out more on optimizing your cyber insurance or learn more about cyber risk quantification, download an in-depth use case of a how we identified our client’s most important probable losses from cyber incidents, they successfully reduced retentions, and aligned their incident management plan to the terms and conditions of their cyber insurance policy.
What is cyber risk insurance?
Cyber risk insurance is a type of insurance policy that companies can purchase to reduce the financial impact of cyber incidents, including legal and forensics costs, business interruption, data recovery costs, reputational damage, fines and assessments, etc.
Who needs cyber risk insurance?
Cyber risk insurance can reduce the financial impact of a cyber incident for companies of all sizes and in all industries. Mid-sized and enterprise companies, especially, can improve their cybersecurity governance with a quality cyber insurance solution.
What is the major external cyber threat and loss driver for companies?
By 2031, ransomware could cost victims around $256 billion annually, according to a report by Cybersecurity Ventures.
We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.