Cyber liability insurance, you need it, and here’s why…

Ken Munro 11 Feb 2014

If your company bank account was raided and funds stolen, would your theft insurance policy cover the loss? Probably not. Seriously!

I spend a lot of time investigating compromised bank accounts. Often keyloggers or back doors on accounts payable machines are used to steal passwords; money is then taken and quickly transferred to countries where the funds can’t be recovered.

Then comes the difficult conversation – the bank won’t cover the loss, unlike most thefts from personal bank accounts. The insurer won’t cover the loss (see below) so the company is in a very difficult position.

First party cyber insurance cover is critical

Cyber liability insurance suddenly looks quite attractive! Traditional theft policies often require evidence of a physical break-in to a business. Why? I guess it’s to ensure that the theft wasn’t an inside job, which might be covered by a separate crime policy. No physical evidence of a break-in, no cover…

It’s a common misconception that cyber policies are only about hackers stealing your customer data (third-party loss), so that the policy pays for the cost of their credit monitoring, writing grovelling letters, etc. That’s where all the media attention is: covering businesses in the event of loss of client data, primarily owing to US-centric media hype around class actions and punitive damages.

Invoice fraud

Another example: invoice fraud – a plausible letter arrives at accounts payable. It states that bank details have changed for a large supplier of yours. No-one verifies it, and the next payment goes to the fraudster.

Again, no physical break-in. No insurance cover in many cases.

I’ve investigated numerous cases of the above frauds, resulting in many £millions stolen.

Calculating risk and premiums

We spend a lot of time sharing our experience of risk assessment in the field of cyber liability underwriting. How do you calculate the exposure of an organisation to a compromise? How do you figure out how likely an attack is?

Then, how on earth do you calculate the cost of an attack and related data loss?

It’s straightforward in the field of marine, household and car insurance. People have been crashing cars for over 100 years, and insured ships have been sinking for a lot longer than that. There’s a huge volume of claims history that can be used to work out the likelihood of a claim and the approximate loss, so you can price the policy.

The quality of risk assessment in the cyber insurance field has been surprisingly weak in places. I’ve seen some send out proposal forms that ask if the client has a firewall and anti-virus in place, and that’s about it. No doubt there are some cyber skeletons in insurance cupboards, some risks that people now wish they hadn’t underwritten at the time. I wonder who underwrote eBay and Target?

But at the same time we’ve seen beacons of excellence in underwriting; some very well informed underwriters and brokers who truly understand cyber risk. Maybe they were the bleeding edge and had to pay some of the early claims around hacking incidents, or maybe they looked outwards to some of the security standards that have been around for a while, such as ISO27001.

Check that you have a cyber insurance policy

In my view, cyber liability policies are remarkably good value for the cover they provide. Do you fancy having to explain tomorrow morning why the company bank account is empty, the payroll can’t be met, and there’s no insurance to cover it?