Examining the Complexities of Cyber Risk Insurance

Could your business be paying too much for the wrong type of cyber risk insurance?

Published on 19 April 2023 (Updated on 15 May 2023)

Cybercrimes make headlines. But the reality is that cyber threats can come from external sources, such as bad actors attempting a DDoS attack, and from internal sources, such as an employee who accidentally sends confidential data to the wrong person. As that second case shows, not all cyber risks are criminal. Cyber insurance is one of the ways companies reduce risk and manage threats. By taking out a cyber insurance policy, a business can protect itself from financial losses associated with a cyber incident. But not all policies are created equal.

In this article, we’ll look at how mid-sized companies can understand and optimise their cyber insurance premiums while ensuring cover is proportionate to the risks they’re most likely to face.

Cyber insurance cover

Munich Re forecasts that global premiums on cyber insurance will more than double, reaching $22 billion by 2025.

Cyber insurance uptake is growing as companies increasingly rely on it to mitigate their financial risks and liability for cyber incidents. However, cyber insurance policies can be complicated and should be understood beyond the total policy amount.

What we have found working with clients is that, in many cases, businesses do not fully understand what their cyber risk insurance policies cover – and that more total coverage doesn’t automatically mean more coverage per loss type.

Breaking down cyber insurance: incident vs loss types

Cyber liability policies are structured by loss types. Let’s say a company with a €5 million cyber insurance policy experiences a data breach. The data breach is a cyber incident, which then leads to multiple loss types*:

  • Business interruption
  • Legal costs
  • Forensics costs.

For the example above, the company incurs a €500,000 loss of income due to a system being unavailable. Under the terms of the insurance cover, with its retentions and deductibles, the policyholder can only claim ‘Business interruption income’ losses in excess of €250,000. In addition to lost income, let’s assume that legal costs related to the breach total €90,000 – but, again because of the policy’s retention clause, legal losses can only be claimed in excess of €300,000. So only €250,000 of the €590,000 loss is covered.

Some of the most common cyber risk scenarios facing organisations include:

  • Ransomware as a result of phishing
  • Data breach
  • Denial of Service (DDoS) attack
  • Supply chain attack resulting in an outage

When we analysed these scenarios for one organisation, the upper range of loss per incident, by loss type, was around €500,000. Using such data points, organisations can request appropriate deductibles and coverage per loss type rather than focusing on the overall policy cover, which can be misleading. Understanding that cyber insurance policies are structured by loss type gives you a better understanding of your coverage requirements.

Insurance coverage negotiated using CRQ methods

Cyber insurance is part of risk management. When businesses understand their cyber risks in financial terms, they can make more defensible decisions – including decisions about cyber insurance. Cyber risk quantification (CRQ) methods identify key assets in a company’s value chain along with several of the most probable risk scenarios for those assets. The model quantifies each risk scenario with a range of frequency (that is, how likely that risk is to occur in a given period) together with a range of potential losses, expressed in financial terms, for each scenario.

With this information in hand, risk managers, CISOs, CFOs, legal teams or directors can identify levers to negotiate more effectively with their insurance provider. They can adjust the aggregate cover, in addition to both the coverage and the deductible by loss type.
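The worked example in the “incident vs loss types” section and the CRQ description above can be combined into a small calculator. This is an added example, not code from the article or its authors: it settles a claim per loss type (retention, an assumed per-type sub-limit, then the aggregate cover) using the article’s €5 million / €250,000 / €300,000 figures, and then runs a simple Monte Carlo over constructed frequency and loss-magnitude ranges to estimate how much of the expected annual loss the policy would actually pay. The scenario ranges, the forensics retention and the annual treatment of the aggregate limit are assumptions for illustration.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Term:
    """Policy terms for one loss type (amounts in EUR)."""
    retention: float                 # claimable only in excess of this amount
    sublimit: float = float("inf")   # per-loss-type cap (assumed term, not from the article)


def covered_amount(loss: float, term: Term) -> float:
    """Insurer's share of a single loss type, before the aggregate policy limit."""
    return max(0.0, min(loss - term.retention, term.sublimit))


def settle(losses: dict, terms: dict, aggregate: float) -> dict:
    """Apply each loss type's retention and sub-limit, then cap at the aggregate cover."""
    per_type = {k: covered_amount(v, terms[k]) for k, v in losses.items()}
    gross = float(sum(losses.values()))
    covered = min(sum(per_type.values()), aggregate)
    return {"gross": gross, "covered": covered, "uncovered": gross - covered, "per_type": per_type}


# The article's worked example: EUR 5M policy, BI retention 250k, legal retention 300k.
ARTICLE_TERMS = {"business_interruption": Term(250_000), "legal": Term(300_000)}
ARTICLE_LOSSES = {"business_interruption": 500_000, "legal": 90_000}

# Constructed CRQ inputs: annual frequency range and per-loss-type magnitude ranges per scenario.
SCENARIOS = [
    {"name": "ransomware via phishing", "freq": (0.05, 0.20),
     "magnitude": {"business_interruption": (100_000, 500_000), "forensics": (20_000, 80_000)}},
    {"name": "data breach", "freq": (0.10, 0.30),
     "magnitude": {"legal": (30_000, 300_000), "forensics": (10_000, 60_000)}},
]
TERMS = {"business_interruption": Term(250_000), "legal": Term(300_000), "forensics": Term(25_000)}


def simulate(scenarios, terms, aggregate, years=5_000, seed=7) -> dict:
    """Monte Carlo over the frequency and magnitude ranges; each event is settled on its
    own so retentions bite per claim. Returns mean gross and covered loss per year."""
    rng = random.Random(seed)
    gross = covered = 0.0
    for _ in range(years):
        year_cov = 0.0
        for sc in scenarios:
            rate = rng.uniform(*sc["freq"])        # annual frequency sampled from its range
            if rng.random() < rate:                # rates < 1: at most one event per year (simplification)
                losses = {k: rng.uniform(*r) for k, r in sc["magnitude"].items()}
                s = settle(losses, terms, aggregate)
                gross += s["gross"]
                year_cov += s["covered"]
        covered += min(year_cov, aggregate)        # aggregate treated as an annual limit (assumed)
    return {"gross_per_year": gross / years, "covered_per_year": covered / years}
```

Comparing `covered_per_year` with `gross_per_year` for a candidate set of terms is the lever the article describes: lowering a retention on the loss type that dominates the uncovered share changes the result far more than raising the aggregate.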

Cyber risk insurance is an important part of a well-rounded incident response plan, but only if you get the most value from it.

If you’d like to find out more on optimising your cyber insurance or learn more about CRQ methods, email us to receive an in-depth case study of how a financial services company identified its most important potential losses from cyber events, successfully reduced its retention clause by loss types, and aligned its incident management plan to the terms and conditions of its cyber insurance policy.

* These loss types are general descriptions that align with the FAIR model.