

Getting the most out of cyber risk insurance

Garry Sidaway, SVP Security Strategy & Alliances at NTT Security


The number of insurers offering cyber security insurance policies via Lloyd's of London has grown to around 70 today. But insurers often struggle to accurately underwrite and evaluate the financial impact of cyber incidents, while organisations may find their attempts to recoup losses undone by small-print stipulations in complex policies.

For businesses, it is vital to take a proactive, risk-based approach to security, one which incorporates cyber insurance rather than relying on it.


While organisations come to rely increasingly on cloud, mobile, IoT and other technologies to drive growth, they’re also expanding the corporate attack surface several times over. The result is financial and reputational damage on a growing scale, driven in part by major new regulatory compliance requirements like the GDPR and NIS Directive.

Lloyd's of London estimated that a major attack on one of the top three cloud service providers could lead to outages costing US firms alone $19bn, while another industry report predicted that a global ransomware attack could lead to losses of nearly $200bn.

It is no surprise that cyber insurance is increasingly popular. But it seems that many organisations are confused about what they are (and are not) covered for. Our own 2018 Risk:Value report revealed that just 38% of global firms have a dedicated cyber insurance policy, while nearly half (45%) in the UK admitted they didn't even know whether their corporate insurance policy covers security breaches or data loss.

This kind of confusion is increasingly coming back to bite firms as they find policies not paying out after a major incident. For example, Mondelez is locked in a legal tussle with its provider Zurich over a pay-out related to the 2017 NotPetya outbreak.

These disputes are a reflection of problems on both sides. Insurance providers see a potentially huge market in cybersecurity. Yet in many ways it is out of their traditional comfort zone, which is underwriting physical things that get lost, damaged or fall ill. While they are able to put together policies for these quite easily, using actuarial data and extensive knowledge of the relevant risks, it is harder for them to define and understand cyber-related risk. Even more difficult to evaluate in financial terms is the impact of damage to reputation and customer loyalty.

Questions to ask

The resulting ambiguity and complexity can lead to the kind of claimant-insurer disputes we are seeing on an increasingly frequent basis. But part of the problem lies with the policyholders themselves. As an organisation you must provide as much information as possible up front on your risk profile, current IT security strategy, processes and controls. It might be, for example, that a particular policy will only pay out if the organisation has best-practice controls, or a tested incident response plan, in place.

There are plenty of questions you need to ask of your provider. Does the policy cover data held by third-party providers? Will it pay out even if you haven't patched all of your systems? What if the organisation suffers a breach caused by a security issue which predates the start of the policy but went undetected until after it began?

It usually follows that the more comprehensive your security strategy and processes, the lower the premiums and the better the coverage. This requires organisations to be proactive. Start with an annual risk assessment to understand your exposure and follow an internationally recognised risk management standard.

Focus on fixing all known vulnerabilities in line with your risk appetite, training employees regularly in security awareness, and putting in place continuous system monitoring, network security and malware protection. Tight access controls, home and remote working policies, and regularly tested incident response plans will also help, as will routine assessments of third-party risk.

It is important to remember that cyber insurance is not a "get out of jail free" card which absolves you from investing in cybersecurity. For a policy to be effective if the worst happens, you will need to have had well-documented, best-practice security processes and controls in place. No insurance covers you if you don't take adequate steps to protect yourself.

According to Hiscox, just 11% of global organisations were rated as "experts" in terms of their cyber readiness. This needs to change, and it will as organisations' approaches mature. But the industry as a whole also needs to get better at standardising the language of policies, and the methodologies for quantifying risk and calculating pay-outs.

The focus should be on maximising visibility into your own security processes, and on using insurance as a spur to drive up security standards inside the organisation, rather than treating it as a substitute for making improvements.
