Hacked? Got insurance? No Payout!!

SCMagazine story on January 3rd. makes you think about the efficacy of cyber insurance.

The problem is the government fines and some of the details in the contract language:

“The attorneys general of Utah and Oregon reached a $200,000 settlement with Avalon Health, which also requires the provider to develop and implement practices that aim to bolster its information security for both patient and employee data.

In April 2020, the skilled nursing, therapy, senior living, and assisted living provider reported an email-related incident affecting 14,500 Avalon employees and patients. A threat actor gained access to an email account 10 months earlier in July 2020, after an employee fell victim to a phishing attack.”

And another instance:

“Scripps Health to pay $3.5 million after 2021 ransomware attack

In the wake of the months-long outage and subsequent data theft impacting 147,267 patients of Scripps Health, multiple breach lawsuits were filed against the California health system. The $3.5 million settlement will resolve those legal filings, while requiring Scripps to add certain security elements. “

I think the problem may be in trying to gauge cyber attacks. If you search for ‘cyber insurance pitfalls’ I see Harvard Business Review article of “Cyber Insurance has a big problem”

2020 changed a lot of things including more cyber attacks so the nascent cyber insurance market also could not have predicted this.

‘Ultimately, though, all these drivers boil down to one simple fact: There just isn’t enough money in cyber insurance. And it’s hard to tell right now if there ever will be.’

The problem that most companies face is in determining how much cyber insurance they need. But, it’s difficult for insurers to understand demand when the buyers themselves are still trying to figure out both their exposure and their buying appetites.

There seem to be many unknowns and this makes insurer and and client wary.

 

Then there are the actual problems, where 250 companies buy $200 million in protection and only 5 failures can shoot the whole budget for insurers. This makes making any money very difficult.

This may be why the insurer will try and find any reason not to pay out partially or at all. It behooves the customer of a cyber insurance policy to read the fine print and make sure that there are few if any loopholes for the insurer.

And finally:

“Thirty years of history have shown us that cyber risk is difficult to understand, problematic to hedge, only likely to grow, and characterized by a continually changing threat environment. Tomorrow’s cyberattacks may not look much like today’s — as evidenced by 2020’s spate of ransomware compared to the breaches of 2015 to 2017.”

Even though the Harvard business review article is from February 2021 it seems applicable today more than ever.

There is not enough money in cyber insurance and we are still in the early years, not like property insurance or car insurance which is well developed with up to 100 years with some of the data.

The data for ransomware depends on the defense of the company trying to be insured. There is no free lunch. If you spend money to defend yourself you might have a better chance of collecting on a ransomware that made it through the defense. It seems a bit counter-intuitive?

Contact us to discuss

Summary (from Harvard Business Review article).   

There are worrisome trends in cybersecurity: Attacks are more sophisticated, ransoms are rising, and uncertainty is growing. But while companies might look to cyber insurance to protect themselves from these growing risks, there’s another problem: There might just not be enough money in the still emerging sector to cover their needs. So what can companies do? They should still invest in coverage, in part to help the market grow, but they also need to look for other ways to cover their potential exposure, including self-insurance mechanisms that range from simply carrying additional capital to address future cyber attacks through the creation of specific risk-financing activities that function like insurers.

 

Here is also an interesting video snippet from the techcheck show on cnbc.    At about 2 minutes the CISA(Cisa.gov) director Jen Easterly discusses the cybersecurity topic in a general way. I.e. products are built insecure and thus makes our lives harder.

 

In case you were wondering what the openai GPT said… here it is:

What are the pitfalls of cyberinsurance?
 

 
"Cyber insurance can provide valuable protection for businesses and individuals against the financial consequences 
of cyber attacks, data breaches, and other digital threats. However, there are a few potential pitfalls to be aware of when it comes to cyber insurance:
Limited coverage: Cyber insurance policies can vary widely in terms of the types of threats they cover 
and the amount of protection they provide. It's important to carefully review the terms of a policy to make sure it covers the specific risks you are concerned about.
       Exclusions and limitations: Many cyber insurance policies have exclusions and limitations that can limit the scope of coverage. 
For example, a policy may exclude coverage for certain types of attacks, or it may limit the amount of damages that are covered.
Cost: Cyber insurance can be expensive, particularly for businesses with a high risk of cyber attacks. 
It's important to carefully consider the cost of a policy relative to the potential financial impact of a cyber incident.
Complex claims process: Filing a claim for a cyber incident can be complex and time-consuming, particularly if the incident involves a large amount of data or multiple parties. 
It's important to understand the claims process and be prepared to provide the necessary documentation to support your claim.
Compliance issues: Some cyber insurance policies may require businesses to meet certain security standards or comply with specific data protection regulations in order to be eligible for coverage. 
Failing to meet these requirements could jeopardize your ability to file a claim.