Cyber Insurance: Is it worth it?
Notes from a recent discussion at Computing’s Cyber Security Festival held in London on 1st May 2024.
The session was a conversation with Jason Ozin on the highly pertinent topic of cyber insurance. Jason is CISO at PIB Group. He is a former Computing CISO of the Year and a LinkedIn “Top Information Security Voice”.
Jason has many years of experience in all things cyber, including data governance, information security, digital transformation, compliance and, of course, insurance.
In recent research, cyber insurance was third on the list of security solutions being adopted in the face of the current massive onslaught of attacks, just behind EDR and identity and access management. This may be surprising, because we've heard a lot about insurance becoming more and more unaffordable and hard to obtain. So, does it surprise Jason at all that interest in it is so high?
Why the renewed interest in adoption?
It doesn't surprise me. After a few years of coverage becoming more expensive and harder to obtain, it is fair to say that over the last 12 months the market levelled off, and for those businesses that could evidence good levels of cyber security controls in place, premiums have actually softened. This has certainly helped adoption, together with more and more customers and partners asking people, are you cyber insured? In addition, you now also have regulators and auditors asking similar questions. I wouldn't call cyber insurance a security solution, as it's not the same as EDR. It is for when all else fails, and the worst happens. I think it is a necessity, but not for the reasons that a few people in this room might think.
You do not take insurance to pay the ransom
So why do you take cyber insurance? And I often ask people this, and they often answer, “to pay the ransom”.
Well, realistically it is not to pay the ransom. So, let us look at a typical policy and see the covers within a policy of this sort:
And then there's:
All of those are covers that are typically found within a cyber insurance policy.
It is quite compelling. And the truth is, you, as a security professional, or as a board member, don't pay cyber insurance to pay the ransom. Yes, it is a coverage that is provided under a cyber policy (sometimes subject to a sub-limit), however your reasoning for purchasing cyber insurance should be because on day one, when you get attacked, and your IT department are running around like headless chickens, panicking, ruining all the evidence, your systems are down, and the press are ringing you up for comment, what the hell do you do!?
What you do is you turn to your very trusted panel of advisors that you have bought into via said cyber policy. That is the key. You need to understand who your panel is, and you say, guys help! And they are at your door one hour later, either physically or remotely. And they put an arm around you and say, leave this with us. That includes the solicitors, the PR agency, and obviously the cyber response experts and all the other specialists. Even ransomware negotiators.
That is why you pay insurance. You should be less worried about somehow paying the ransom and more worried about how the blazes you continue business today, tomorrow and the rest of the month.
Self-insure?
Companies sometimes say, why don’t we self-insure? We can buy all these experts in. But try buying them in at that hour, when it actually happens. If you're a big company and you already have a good retainer in place with these specialist cyber incident response, legal and PR firms, maybe you can. And great, do it. As long as you're covering this somewhere. I don't care whether you buy insurance or whether you're self-covering, but can you really self-cover? Is that panel really available at the drop of a hat at 2am on a Saturday night?
Reducing the costs of Cyber Insurance
As far as cost goes, one thing I would say to people is, look at your excess. If you have money in your firm, if you know you can do it, then you can reduce your insurance premium by saying, look, we will pay for, say, the first £250,000 of every claim. For a business, it should be less about the money and more about continuing to do business from day two, day three, day four.
If you have a high premium, what else can you do? You must have a good broker that works with you and understands the market. The broker will tell you why you have such a high premium and explain what technical measures you can add to bring that premium down. Plus, the insurance companies will work with you as well. Ask the insurance companies questions. Just going off and getting ISO 27001 will not reduce your premium unless it changes the answers that you are able to provide during the cyber insurance application/renewal process. The insurers and your broker will work with you because they understand the market, they understand the threats and they will know what measures and protections you can implement in order to reduce premiums and become a more attractive risk to insurers.
A good CISO should also leverage the demands, and the questions set by their cyber insurance, to help them with their budget.
Difficult application process
In terms of application forms and expectations from insurers, yes, this is becoming more onerous. You need to look at the history of cyber insurance. About 10 to 12 years ago, when cyber insurance first came out, there was a big form asking you to fill in all your risks and answer a plethora of questions. People weren't buying it. They were thinking, “I am only running a ten-person office. I can’t answer these.” So, insurance companies thought, I know what we'll do. When we provide the insurance, we will no longer ask these questions, but instead just ask: how big is your company? What is your turnover? How many data records do you have? Brilliant! Suddenly more people bought cyber insurance. Then, suddenly, the cyber insurance companies lost money for ten years, because everyone got hacked left, right and centre.
When you buy house insurance or car insurance, they want to know what sort of car you have. Is it prone to getting stolen? Has your house got old, easy-to-compromise windows and door locks? Likewise, cyber insurers have reverted to asking risk questions to find out if you're a good risk or a bad risk. And, frankly, these are some great questions. Similar to the respected regulatory frameworks and the certification schemes, like Cyber Essentials and ISO 27001, the questions will make you consider, “are we actually doing this?”
If the answer is ‘no’, you really cannot answer ‘yes’. You cannot lie on your insurance application because you will not be covered. Answer ‘no but we plan to implement’. You will find that it is an excellent driver for security improvement. So, yes, the questions posed by cyber insurers are now a lot more far reaching and the questionnaires can be long, but treat them as an educational exercise.
Does it help to have Cyber Essentials, ISO 27001 or a similar certification?
There are some very good frameworks and certification schemes out there. But these alone are not enough. Insurance companies want more. Their questions are often wider and deeper. If you have achieved certification of some sort, you can use what you have already put in place to answer the questions. It gives you that first step on the ladder. The insurer is still going to ask you questions. I would say, however, that if you cannot achieve a certification standard like Cyber Essentials, then don't even bother applying for cyber insurance, as you are unlikely to be offered terms. However, as mentioned earlier, work with your broker to understand what security measures and procedures you would need to implement in order to be eligible to purchase cyber insurance. They should be more than happy to advise you.
Other requirements
Depending on the risk assessment by the insurer, you may find that the question set is not enough. Many law firms (who are seen as high risk – because of client money), for example, find that they have the insurer coming in for lengthy discussions in response to their answers. For such entities, this is just the cost of doing business.
The insurer may also undertake penetration testing as well as network and attack surface scanning.
Is insurance to blame for increased ransom demands and should you pay the ransom?
It is difficult to argue that ransomware payments have not gone up because of cyber insurance. Demands used to be in the hundreds of thousands but are now in the millions.
There are many experts pushing to make ransomware payments illegal. But it is nuanced. There will be times when you need to pay the ransom if you want your business back up and running. For example, if you run a critical fuel supply chain and you need to get that fuel to the depots, and the only way you can do it is by paying the ransom, then making it illegal to do so adds complexity and cost, certainly from an insurance point of view. It is a tough argument, very difficult.
Free Cyber insurance with security tools
There are a few vendors out there who say they offer free cyber insurance if you buy or renew their security tools.
Keep in mind that they will offer limited insurance for threat remediation. They will not cover all the other services mentioned previously. It is a very different offering. Those warranties may be good. However, we have no record of anyone actually using such a warranty, so we cannot assess its effectiveness and accuracy.
Do cyber insurers place restrictions on how money can be used?
If you trigger a claim under your cyber insurance, the insurer runs the show in partnership with you. They will tell you whether they are prepared to pay and for what. They have almost got a veto on what you can and cannot do. In short, they do place restrictions, but they don't stand in the way, because it is in their favour to get you back into business as soon as possible.
What invalidates cyber insurance?
The insurance companies are usually quite accommodating. For example, if you have claimed that you patch vulnerabilities and you have a patch review process, and you can prove you have, but somehow this one fell through the gap, it is unlikely they will penalise you for that. However, if it is obvious that you were lying on your proposal forms, you will have issues.
Be open and honest to your insurers. Tell them where you don’t comply and what your plans are going forward to address the shortfall.
There are headline cases, such as where an insurer refused to pay a shipping firm when it had an attack. The insurer claimed it was due to an act of war (collateral damage in the Russia-Ukraine war). The insurer settled that case in the end, but in the main, they are quite accommodating.
If I am attacked, does my premium go up?
In the main, the insurer does not just consider the attack; they look at what you have done after the attack and what measures you have implemented to prevent a further attack, and your insurer should provide help with that. It is unlike car or house insurance in that respect. They will look at your business on a case-by-case basis.
Can I reduce my premium mid-term?
If you take on cyber insurance and within the year improve your security posture, will the insurer reevaluate during the contract?
Here again, it is about partnerships. It depends on your policy and depends on your relationship with the insurer. You certainly should tell the insurer about everything that happens, good and bad. And you can ask for a premium decrease. It is a marketplace at the end of the day. It might be in the terms and conditions that premiums only vary every year, but if the insurer wants your business next year, they will talk to you depending on the size of your business and whether you're a valuable customer. Have that partnership with them. Insurers are a lot more collaborative and open to partnerships nowadays than they were previously.
How do I work to reduce my company’s risk profile?
Have an honest internal reporting mechanism. Take something like the NIST cyber security framework and, for smaller firms, even the Cyber Essentials Framework. Answer it internally, truthfully. Very, very truthfully.
Use those answers as your framework for improvements and to help you get a budget line. It is a brilliant method to judge your own performance and your own capabilities.
Regional Sales Director at PIB Insurance Brokers and trustee of Bedspace Trust Ltd
7mo · Hospitals, banks & major hospitality all hit this week...!
CEO at WWCS; Award-Winning IT Consultancy in London. Trusted to provide unrivaled Technology & IT Support Services
7mo · Good insight, thank you Jason Ozin - As part of the Trust X Alliance of IT Businesses we are always looking for a Cyber Insurance solution to recommend to our clients... but are yet to find something that ticks the boxes (and is worth the paper it's written on!)
Chief Information Security Officer (CISO) | Cyber Resilience Expert | AI/ML, OT/ICS, CMMC, OSINT, & Threat Intelligence Specialist | SOC & Cyber Fusion Leader | Advisor for Regulated Industries | Risk Assessment Pro
7mo · Good write!! You just shocked me with 2025, looks like a typo.
PIB Insurance Brokers Ltd
7mo · @JasonOzin a very thorough, helpful and step-by-step guide to Cyber. Your summary provides an expert view on #cyberinsurance with a powerful underlying message on the wider value of this increasingly customer-led cover requirement. The focus you place on prevention and setting the scene as to what insurers might expect as a minimum level of protection is valuable information. An excellent read. 👏👏 #pibinsurance #cyberliability
I work with people who deserve honesty from my consulting approach to improving their security stance. This way, they can feel secure and have definite clarity about what is needed to protect their value creation.
7mo · I may just cite you in my insurance piece I’m writing 😉 Very good piece!