State-Backed Threats and Other Risks Not Covered by Cyber Insurance

Whether or not you think it’s an essential cybersecurity requirement, cyber insurance can certainly soften the blow of cyber events like data breaches and ransomware attacks. 

Indeed, with the threat landscape getting more hostile, London insurance company Beazley reported an uptick in customer demand in 2022. Elsewhere in the world, there’s been an increase in first-time buyers of cyber insurance coverage too. 

Yet even though demand for cybersecurity insurance is surging, the overall number of companies that actually end up with coverage is not. According to a survey by SJL Insurance Services, less than 14% of organisations in the UK say they purchased cyber insurance after experiencing a security incident. The total number of companies that invested in cyber insurance had also fallen from 31% in 2019 to 23% in 2021. 

So why, with attacks on businesses increasing, are cybersecurity coverage rates declining, especially among small businesses? 

One reason for the insurance supply/demand detachment is that it’s simply getting harder for companies to buy cyber insurance. A growing number of high-profile attacks and ransomware claims throughout 2021 meant that insurance providers like Munich Re and Lloyds have had to increase their premiums and introduce more restrictive terms. 

Talking to Intelligent Insurer, Gerry Glombicki, senior director at Fitch Ratings, describes a definite tightening in the cyber insurance market “First people were asked: ‘would you like the product?’ Cyber was just thrown in as an add-on. From the add-on it went to a questionnaire as part of the process and now you’re starting to see that you need certain things that are requirements to underwrite the account.”

As increasing requirements and more costly coverage makes value in the insurance market harder to find, it has never been more important for companies to understand what cyber risks are covered under cyber insurance policies—and, just as importantly, what risks might be excluded. 

What Does Cyber Insurance Cover?

Cyber insurance, also known as cyber liability coverage or cyber liability insurance, protects policyholders from the after-effects of breaches and hacks. 

There isn’t a standard cyber insurance offering. Rather, the extent of cyber insurance coverage typically depends on your industry, type of business, type of data you deal with, overall network security, and particular business needs. 

That being said, most policies cover at least the costs directly associated with a hack. These include:

• Security breach investigation.
• Data, systems, and website recovery.
• Ransomware remediation.
• Cyber extortion demands (full or partial).
• Financial losses due to business interruption.
• Public relations expertise.
• Notification services (customers, business partners, and regulatory agencies).

These fall under first-party coverage. But there’s also third-party coverage, which includes things like:

• Claims of negligence.
• Fines for compliance regulations. 
• Legal fees.
• Payment credit card liability and costs.
• Settlements.
• Privacy lawsuits. 

What Cyber Insurance Does Not Cover

Most cybersecurity insurance policies don’t cover:

• Potential future loss of profits due to long-term effects of a security incident/advanced persistent threats (these hackers tend to lurk in an organisation’s systems for a long time). 
• Loss of value as a result of intellectual property theft.
• Costs for improving an organisation’s systems/security following a cyber incident, including upgrades.

Insurance policies can also exclude social engineering and business email compromise (BEC) fraud, and most don’t provide cover for reputational damage. If these things are important to you (for example, if BEC is a serious threat to your organisation/industry), you’ll need to make sure the policy you’re thinking of going with covers them. 

Additionally, with ransom demands on an upward trend, insurers might occasionally ask the victim to pay half of the ransom. 

Some insurers are also moving away from covering the losses of nation-state-backed attacks, including those that happen outside of a war that involves the use of physical force. Earlier in 2022, the world’s largest insurance market Lloyd’s of London, issued a bulletin requesting all insurer groups to exclude state-backed hacks from cyber coverage starting in 2023. The Germany-based reinsurer Munich Re also plans to introduce war exclusions. This comes at a time when the war in Ukraine has significantly raised the likelihood of cyber attacks. 

This isn’t a new development. Following the NotPetya attack in 2017, which impacted tens of thousands of organisations in over 60 countries, a number of insurers denied claims made by those affected. They did so on the basis that the cyber attack was a “warlike act” because it more than likely had the Russian military’s backing. 

In one example, the pharmaceutical company Merck lost about $1.4 billion due to the attack (i.e., hiring IT experts, production outages, etc.) It had a $1.75 billion “all-risk” cyber policy with the insurance company Ace American. However, Ace American refused to cover Merck’s losses, saying the attack was used as a weapon by Russia against Ukraine and therefore subject to “Acts of War” exclusion. 

Merck took Ace American to court, arguing that the language in the exclusion clause was not clear enough and did not mention cyber attacks. In 2021, the New Jersey Superior Court sided with Merck. 

Some experts have warned that with state-backed attacks becoming more common, insurers’ refusal to cover them could lead to fewer companies taking out cyber insurance policies. 

Nation-state attacks doubled between 2017 and 2020, with almost 9 in 10 security professionals saying they believe a nation-state attack has targeted their organisation. Worryingly, less than a third of security pros are confident in recognising such an attack. 

Why Threat Detection, Investigation, and Response Is Crucial 

Whether or not a company decides to take out (or renew) cyber insurance, having effective defence capabilities in place is essential.

With attacks showing no signs of slowing down, insurers are enforcing stricter audit requirements. Organisations must now demonstrate strong security postures and effective incident response plans. A growing number of insurers also request that organisations invest in tools that can protect against lateral movement, like multi-factor authentication or endpoint detection and response (EDR). 

Even for companies not interested in cyber insurance, tools like EDR are critical, as the endpoint is still the number one vector for attack. But it’s not the only one. In a recent study, EDRs from some of the best-known brands failed to detect half of all attacks. 

EDR tools only monitor endpoints, leaving many blind spots. They also return too many false positives. For complete visibility, companies should instead invest in automated threat detection and response tools like SenseOn. 

How SenseOn makes our customers “better quality risks”

Cyber insurance is currently in a “hard market” and there is a flight of capital to the better quality risks. This results in premiums being, on average, 130% higher in 2021 than in 2020. Due to the increase in ransomware the biggest coverage towers (the amount of capital that can be applied to a single event) is shrinking from $800m to $500m meaning there is a capped amount that the very largest organisations could bring to a cyber incident.

With this increasingly limited capacity it is being deployed against the higher quality risks. A better quality risk is measured from an insurer’s perspective as the ability to demonstrate effectiveness of their security outcomes against their critical risk scenarios. Our customers demonstrate this to their insurers on renewal to get the best premium by three core use cases:

Substantially reducing attacker dwell time by autonomously investigating and preventing the escalation of all security observations within the environment using brand new, more effective data that has not been available for detection tooling previously. New customers can make the case that they are substantially more protected than last year to prevent insurers extending the “retention period” (the amount of time before a policy will trigger) of the current arrangement by arguing that dwell time and therefore likelihood of business interruption will also be reduced.

SenseOn’s universal sensor and API integrations with Azure, AWS and GCP increases security, infrastructure, network and IT Ops observability providing the relevant visibility when it comes to supporting assessments for Technology Error and Omissions (E&O) insurance renewals.

Finally, providing the surety to insurers that the security operations team are only focused on what matters because of the demonstrable reduction of noise by our AI Triangulation.

“SenseOn represents a generational leap forward in how we protect organisations”

Peter Armstrong, Senior Subject Matter Expert – Cybersecurity, Munich RE

Start your free trial here.