Cyber insurance.
Getting the most out of it
- Cyber insurance is a convenient solution for organizations that take their digital transformation seriously.
- Business impact analysis (BIA) can be useful when it comes to picking an optimal insurance plan.
- Insuring cyber risks is especially relevant for medium‑sized and large companies that accumulate massive volumes of sensitive data. Technology startups looking for ways to protect their intellectual property and money can also benefit from cyber insurance.
A healthcare provider fell victim to hackers who stole medical and personal records of 850,000 patients. Many of them filed lawsuits against the organization.
A cryptocurrency platform lost $28 million from its hot wallet as hackers had gained access to the company’s wallet server.
A telemarketing company with a 61‑year history was unable to recover after a ransomware attack and had to cease its operations.
These examples show that dealing with the consequences of cyber incidents is a challenge that not every organization can handle. Here are some of the tasks that can be particularly difficult:
- finding the culprit and bringing them to justice
- compensating the actual damage and lost profit
- retaining customers and their loyalty
At the same time, cyber threats are so numerous that securing an organization against all of them is almost impossible. Breaking into a company does not even require advanced cybercriminal skills: hacking tools can simply be rented on the darknet. This is something that may attract, for instance, an unethical competitor. In another situation, a careless employee can trigger multimillion‑dollar losses by opening an infected email.
The ever‑expanding cyber threat landscape and the increased liability associated with incidents have spurred the emergence of cyber insurance services.
The global cost of cybercrime is constantly rising and is expected to skyrocket to almost $24 trillion by 2027.
If such losses are covered by an insurance policy, the victim company can better manage the continuity of its business processes after an attack and allocate resources to get back to normal. For example, the damages payable can include cyber incident investigation costs, third‑party litigation expenses, penalties, and lawsuit settlements.
Insurance policies can cover a multitude of cases, including:
- loss of data or software files
- theft of intellectual property
- spam mailings sent out on behalf of the policy holder
- unauthorized use of corporate resources (e.g., cryptocurrency mining)
- theft of funds or stocks of the policy holder
- damage or loss of insured property
- production downtime
- reputational damage
A perfect insurance case is an incident with a specified amount of losses. For example, a contractor has signed a service agreement that includes sanctions for certain events, where the penalty amounts to a percentage of the contract value. In this case, the risk of having to pay the penalty is measurable and hence can be insured. Therefore, by purchasing such a plan the contractor will be insuring itself against specific sanctions rather than against some abstract digital risks.
It is important to make sure that your insurance coverage reflects the actual consequences of cybersecurity incidents. This will enable you to undo the damage without overpaying for insurance. Performing a business impact analysis will allow you to choose the insurance plan that covers all the relevant risks and their possible implications.
With the BIA results in hand, you can prioritize the events that have the most severe implications for your business processes. These outcomes will help you answer two key questions:
- What actions are necessary to improve security and mitigate risks?
- Does it make sense to insure against particular situations given the severity of their consequences and related damage?
In addition, you will be able to:
- measure potential damage and use it as a basis to calculate the effective price cap for a cyber insurance plan
- make sure the insurance payout will definitely cover your damages or those of your partner or customer
- prepare a list of specific consequences, scenarios, and incidents which can be insured
- compare the costs of consequences and those of security measures to make an informed decision on whether to insure a particular risk or simply reduce its likelihood
Let us use the cyber risks of a hypothetical cloud service provider as an example.
The company offers two key services with different SLAs.

Based on the BIA results and the respective SLAs, the provider specifies two essential indicators of data availability for each service: recovery point objective (RPO) and recovery time objective (RTO).

| | Archive | Access |
|---|---|---|
| RPO | <1 day | 365 days |
| RTO | 10 days | <1 day |
The BIA outcomes also include a business processes assessment and a disaster recovery plan (DRP). These inputs enable the company to establish that:
Hence, the provider can easily calculate the costs it will have to incur in the event of a disruption:
| Value | Meaning |
|---|---|
| 100/50 | the percentage reflecting the entire loss of 50 GB |
| 20 | the average number of files per day |
| 1 | RPO |
| 0.4 | the size of all files in GB sent by the customer per day |
| 2 | the compensation for data loss in % per GB |
| 2 | the expected time to recovery in days |
| 1 | RTO |
| 4 | the compensation for downtime in % for each day |
By calculating the compensation charges for each contract and adding these figures for all customers, the provider will establish the total amount of potential damages payable.
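To show how the figures in the table combine into a damages estimate, here is an added example in Python; it is not code from the article. The article lists the inputs but not the arithmetic, so the formula is an assumption: the data at risk is everything received within the RPO window (GB per day × RPO days), compensated at the per‑GB rate and capped at a total loss (the `100/50` entry is read as "losing 50 GB counts as 100 %", which yields the 2 % per GB rate); downtime is compensated at the per‑day rate for each day the expected recovery exceeds the RTO. Customer names and contract values are constructed.

```python
from dataclasses import dataclass

FULL_LOSS_GB = 50                 # losing 50 GB counts as a total (100 %) loss: the article's "100/50"
PCT_PER_GB = 100 / FULL_LOSS_GB   # = 2 % of contract value per GB lost


@dataclass
class Contract:
    """Inputs the BIA and the SLA supply for one customer contract.

    Customer names and contract values in PORTFOLIO below are constructed for the example.
    """
    customer: str
    contract_value: float            # annual value of the contract, USD
    gb_per_day: float                # data the customer sends per day, GB
    rpo_days: float                  # recovery point objective from the SLA
    rto_days: float                  # recovery time objective from the SLA
    expected_recovery_days: float    # DRP estimate of the actual time to recovery
    pct_per_gb: float = PCT_PER_GB   # compensation for data loss, % of contract value per GB
    pct_per_day: float = 4.0         # compensation for downtime, % of contract value per day


def data_loss_pct(c: Contract, cap_pct: float = 100.0) -> float:
    """Data at risk is everything received since the last backup, i.e. within the RPO
    window. Assumption: compensation grows linearly per GB and is capped at a total loss."""
    lost_gb = c.gb_per_day * c.rpo_days
    return min(cap_pct, lost_gb * c.pct_per_gb)


def downtime_pct(c: Contract) -> float:
    """Assumption: the downtime penalty accrues only for days beyond the contractual RTO."""
    excess_days = max(0.0, c.expected_recovery_days - c.rto_days)
    return excess_days * c.pct_per_day


def contract_exposure(c: Contract) -> float:
    """Potential compensation payable on one contract after a disruption, USD."""
    return c.contract_value * (data_loss_pct(c) + downtime_pct(c)) / 100


def total_exposure(contracts) -> float:
    """Sum over all customers: the figure the provider wants its policy to cover."""
    return sum(contract_exposure(c) for c in contracts)


# Constructed sample portfolio. The first contract uses the article's figures:
# 0.4 GB/day, RPO 1 day, RTO 1 day, 2 days expected recovery, 2 %/GB, 4 %/day.
PORTFOLIO = [
    Contract("customer-a", 100_000, gb_per_day=0.4, rpo_days=1, rto_days=1, expected_recovery_days=2),
    Contract("customer-b", 250_000, gb_per_day=3.0, rpo_days=1, rto_days=10, expected_recovery_days=2),
    Contract("customer-c", 40_000, gb_per_day=60.0, rpo_days=1, rto_days=1, expected_recovery_days=5),
]

if __name__ == "__main__":
    for c in PORTFOLIO:
        print(f"{c.customer}: data loss {data_loss_pct(c):.1f} %, downtime {downtime_pct(c):.1f} %, "
              f"exposure ${contract_exposure(c):,.0f}")
    print(f"total potential damages payable: ${total_exposure(PORTFOLIO):,.0f}")
```

With the article's parameters the first contract is exposed to 0.8 % for data loss plus 4 % for the one day of downtime beyond the RTO, i.e. 4.8 % of its value; the third contract shows the cap at work, since 60 GB at 2 % per GB would otherwise exceed a total loss.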
The BIA also determined the severity of potential incidents for each of the two services:
| | Plan 1 | Plan 2 | Plan 3 |
|---|---|---|---|
| Insurance premium | $7,000 | $14,000 | $7,000 |
| Coverage | | | |
| Data tampering (incl. by ransomware) | Up to $500,000 | Up to $750,000 | — |
| Data leak | Up to $500,000 | Up to $750,000 | — |
| Denial of service (incl. due to DDoS attacks) | — | Up to $750,000 | Up to $1,250,000 |
In Archive, the files must be backed up at least once a day. At the same time, the SLA allows the service to be unavailable for up to 10 days. Therefore, a denial of service does not pose a major threat to it. Thus, the provider can disregard Plan 3 as it does not cover the risk of data tampering, but only protects against DDoS attacks.
| | | Plan 1 | Plan 2 | Plan 3 |
|---|---|---|---|---|
| | Insurance premium | $7,000 | $14,000 | $7,000 |
| | Coverage | | | |
| Critical for Archive: RPO is 1 day | Data tampering (incl. by ransomware) | Up to $500,000 | Up to $750,000 | — |
| | Data leak | Up to $500,000 | Up to $750,000 | — |
| Non-critical for Archive: RTO is 10 days | Denial of service (incl. due to DDoS attacks) | — | Up to $750,000 | Up to $1,250,000 |
Access can be shut down for up to one day. Therefore, the risk of a DDoS attack must be covered in the insurance plan. Backups can be performed once a year as the risk of data tampering for Access is not high. This is why Plan 3 seems like the best option for this service.
| | | Plan 1 | Plan 2 | Plan 3 |
|---|---|---|---|---|
| | Insurance premium | $7,000 | $14,000 | $7,000 |
| | Coverage | | | |
| Non-critical for Access: RPO is 365 days | Data tampering (incl. by ransomware) | Up to $500,000 | Up to $750,000 | — |
| | Data leak | Up to $500,000 | Up to $750,000 | — |
| Critical for Access: RTO is less than 1 day | Denial of service (incl. due to DDoS attacks) | — | Up to $750,000 | Up to $1,250,000 |
Finally, thanks to the BIA, the company can make a balanced decision: either to purchase Plan 1 for Archive and Plan 3 for Access or opt for a combined Plan 2.
| | Plan 1 (Archive) | Plan 2 (Archive + Access) | Plan 3 (Access) |
|---|---|---|---|
| Insurance premium | $7,000 | $14,000 | $7,000 |
| Coverage | | | |
| Data tampering (incl. by ransomware) | Up to $500,000 | Up to $750,000 | — |
| Data leak | Up to $500,000 | Up to $750,000 | — |
| Denial of service (incl. due to DDoS attacks) | — | Up to $750,000 | Up to $1,250,000 |
Let us also assume that, according to the BIA, an attack on Archive will have no impact on Access as the two services are located in different network segments. To reduce the cyber risks, we recommend considering the following measures:
| | Archive | Access |
|---|---|---|
| Data tampering | Full data replication: $65,000 per year | — |
| Data leak | — | — |
| Denial of service | — | DDoS protection service: $4,000 per year |
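The plan comparison above (one plan per service versus the combined Plan 2) and the insure‑or‑mitigate question raised by the measures table, written out as an added Python example that is not the article's own code. Premiums, coverage limits, the two services' RPO/RTO values and the yearly cost of the two measures are taken from the article's tables; the criticality thresholds (30 days for RPO, 3 days for RTO), treating the "<1 day" RTO of Access as 1 day, and the incident probabilities and impacts passed in the usage section are assumptions. The mitigate/insure/accept rule is deliberately simple: a measure wins when it costs less than both the expected annual loss and the premium.

```python
# Plan premiums and coverage limits as in the article's tables (USD).
PLANS = {
    "Plan 1": {"premium": 7_000,
               "cover": {"data_tampering": 500_000, "data_leak": 500_000}},
    "Plan 2": {"premium": 14_000,
               "cover": {"data_tampering": 750_000, "data_leak": 750_000,
                         "denial_of_service": 750_000}},
    "Plan 3": {"premium": 7_000,
               "cover": {"denial_of_service": 1_250_000}},
}

# SLA indicators from the BIA. Assumption: the "<1 day" RTO of Access is taken as 1 day.
SERVICES = {
    "Archive": {"rpo_days": 1, "rto_days": 10},
    "Access": {"rpo_days": 365, "rto_days": 1},
}

# Yearly cost of the measures the article proposes, per (service, risk).
MEASURES = {
    ("Archive", "data_tampering"): 65_000,    # full data replication
    ("Access", "denial_of_service"): 4_000,   # DDoS protection service
}


def critical_risks(rpo_days, rto_days, max_rpo=30, max_rto=3):
    """A tight RPO makes data tampering critical; a tight RTO makes denial of
    service critical. The 30-day and 3-day thresholds are assumptions."""
    risks = set()
    if rpo_days <= max_rpo:
        risks.add("data_tampering")
    if rto_days <= max_rto:
        risks.add("denial_of_service")
    return risks


def plans_covering(required):
    """Plans whose coverage includes every required risk, cheapest first."""
    fit = [name for name, p in PLANS.items() if required <= set(p["cover"])]
    return sorted(fit, key=lambda n: PLANS[n]["premium"])


def cheapest_separate(services=SERVICES):
    """One plan per service: returns ({service: plan}, summed premium)."""
    choice = {}
    for svc, sla in services.items():
        fit = plans_covering(critical_risks(**sla))
        if not fit:
            raise ValueError(f"no plan covers the critical risks of {svc}")
        choice[svc] = fit[0]
    return choice, sum(PLANS[p]["premium"] for p in choice.values())


def cheapest_combined(services=SERVICES):
    """A single plan covering the critical risks of all services: (plan, premium) or None."""
    required = set()
    for sla in services.values():
        required |= critical_risks(**sla)
    fit = plans_covering(required)
    return (fit[0], PLANS[fit[0]]["premium"]) if fit else None


def insure_or_mitigate(service, risk, annual_probability, impact_usd, premium):
    """Weigh the expected annual loss against the price of reducing the likelihood.
    Returns 'mitigate', 'insure' or 'accept'. Simplification: a measure is treated as
    removing the risk, so it is preferred when it is cheaper than both the expected
    loss and the premium. Probability and impact are constructed inputs."""
    expected_loss = annual_probability * impact_usd
    measure_cost = MEASURES.get((service, risk))
    if measure_cost is not None and measure_cost < min(expected_loss, premium):
        return "mitigate"
    if premium < expected_loss:
        return "insure"
    return "accept"


if __name__ == "__main__":
    separate, separate_cost = cheapest_separate()
    print("one plan per service:", separate, "total premium", separate_cost)
    print("single combined plan:", cheapest_combined())
    # Constructed probabilities and impacts for the usage demonstration only.
    print("Access / DoS:", insure_or_mitigate("Access", "denial_of_service", 0.5, 200_000, 7_000))
    print("Archive / tampering:", insure_or_mitigate("Archive", "data_tampering", 0.1, 400_000, 7_000))
```

Run as written, the separate choice is Plan 1 for Archive and Plan 3 for Access at $14,000, the same premium as the combined Plan 2, which is exactly the tie the article leaves to the company's judgement. With the constructed inputs, the $4,000 DDoS protection service beats both the expected loss and the Plan 3 premium for Access, whereas the $65,000 replication for Archive does not, so that risk is insured.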
What do these measures mean for each of the services?
Thus, maintaining data safety and integrity is essential for Archive, while ensuring availability is of utmost importance for Access.
In our example, the company offers two services that significantly differ from each other in terms of associated cybersecurity risks. In the real world, organizations have many more processes, systems, and IT assets, which makes it impossible to assess the impact of incidents intuitively. Performing a BIA will help to determine whether your cyber insurance plan is enough to protect your business against key incidents. You will also be able to distinguish between the risks that make more economic sense to insure and the ones that can be mitigated through other measures.
Whether you decide to insure your digital risks or not, it is important to strengthen the overall cyber resilience and work on improving cyber maturity. This will help to minimize the risks and reduce the current or future cost of insurance.