Cyber insurance, sometimes referred to as cyber liability insurance or cyber risk insurance, is a type of insurance that transfers a policyholder’s financial liability to cybersecurity and privacy events such as cyberattacks, data breaches, and acts of cyberterrorism, or regulatory violations.
What does a cyber insurance policy provide?
Much like the cyber threat landscape itself, the cyber insurance market is constantly evolving. While there can be a great deal of variation from one cyber insurance policy to the next, most leading cyber insurance underwriters will provide the same core first party and third party insuring agreements that have become commonplace for over 10 years.
It’s important to note that cyber insurance is not a replacement for a strong cybersecurity strategy and posture, as it is not intended to cover a company’s gross negligence for ignoring their cyber risk. Rather, it is intended to cover risks that exist even after reasonable efforts have been made to minimize those risks. For more information on this distinction, please read our related blog post, Cyber Insurance Is Not a Substitute for Cybersecurity
Cyber Insurance Insuring Agreements
There are two distinct components of a cyber insurance policy:
- First-party cyber insurance, which covers the costs associated with investigating and responding to a cyber event and the financial impact of on an organization’s business operations
- Third-party cyber liability insurance, which provides the organization with financial indemnity as a result of claim for damages as a result of a cyber event.
While the specific terms of each policy will vary from business to business and insurer to insurer, typical first-party insuring agreements include:
- Forensic investigations: Many first-party cyber policies include support services from a reputable cybersecurity vendor that will help the target organization identify and categorize the attack, assess the damage and clean and restore all affected systems, accounts and endpoints. These ancillary services are absolutely critical to helping the organization contain the attack and minimize damage, as well as accurately assess the affected areas of the business and develop a comprehensive recovery plan.
- Breach Legal counsel: In the event of a breach, organizations usually need to invoke the support of counsel to ensure they comply with legal requirements, which can vary by country, region or even state. Most first-party policies will include the support of legal counsel to outline the steps that organizations are required to take by law following a breach or cyberattack.
- Notifications: In the event of a data breach, organizations bear the responsibility for identifying and notifying victims to inform them that their personal information is at risk. This can include theft or exposure of personally identifiable information (PII), such as customer or employee social security numbers, addresses, bank details, credit card numbers, driver’s license numbers, health records and more. The organization will also be responsible for notifying the relevant authorities and government agencies of such a breach and providing any necessary or requested documentation thereafter.
- Victim credit monitoring: In some states, organizations may also be responsible for covering the cost of the credit monitoring or otherwise helping affected customers restore their identities in the event of a breach.
- Cyber extortion: Ransomware attacks — which are some of the most common attack types in the current landscape — require companies to pay a ransom to regain access to their networks, data or other assets. Robust policies will include protection specifically against ransomware attacks and outline support services and funds available to the policy holder.
- Data recovery, business interruption and loss of revenue: Many major cyberattacks result in disruption of business-critical activities and customer services and loss of data that, in turn, leads to loss of revenue. Many cyber policies will help organizations calculate lost revenues and offset such costs during the affected period, as well as manage the cost of restoring data or other assets.
- Reputational harm: Following a breach, many organizations will need to invest in marketing and public relations efforts to help restore the brand and rebuild its public image. A robust cyber insurance policy could help cover the cost of relevant activities that focus on reputation-building and restoration.
Third-Party Liability Coverage
Third-party cyber insurance is designed to transfer an organization’s financial risks it relates to a cyber event that it is responsible to prevent. It is also very important to note that a breach does not need to happen on an organization’s network. As such, organizations may often become liable for their error, omission or act of negligence that led to a security event impacting a third-party that is unrelated to an event on their own network.
Third-party cyber insurance is of particular importance for any organization that manages PII or that is responsible for another party’s network security.
Like first-party policies, there is some variety as to what is covered by a third-party cyber insurance policy. Coverage may include:
- Network security and privacy liability: Protection for an the insured against losses incurred by a client, customer, partner or vendor as a result of errors, omissions and negligence by the insured as a result of a cyber event
- Regulatory liability: Coverage for legal expenses to defend violations of privacy regulations
- PCI Fines: Coverage to pay for fines, and penalties issued by Payment Card Industry Data Security Standard (PCI DSS).
- Regulatory Fines and penalties: If the breached organization is found to have violated privacy laws or other government or industry standards, the business may be subject to fines or other penalties. Media liability: Finally, third-party insurance provides coverage against defamation, libel, slander, IP theft and copyright infringement.
A Few Important Exceptions
It’s important to note that there are a few exceptions to many cyber insurance policies. Many cyber underwriters have scaled back or do not cover financial fraud from social engineering techniques, which exploit and manipulate employees, vendors or other people within the organization to wire funds to unauthorized accounts. While coverage of this nature may be offered as an extension to an existing policy, many companies overlook this risk and fail to protect the business. This underscores both the need to train network users on safe and acceptable online behaviors, as well as carefully review and assess the policy and any gaps with a trusted cybersecurity expert.
Another area not usually covered in cyber insurance policies is the cost of strengthening a system after an attack. While the cyber services and support may identify areas of improvement as part of their forensic analysis, the cost of upgrading, patching or hardening the security architecture will not be covered by an insurance policy.
Finally, many policies secured outside the United States may have geographic restrictions, especially for US based operations. It is important to identify ant uncovered entities especially given that cyber threats are not bound by country borders. It is important for organizations to work with a cybersecurity team to weigh their risk and assess the likelihood of being the victim of a foreign adversary that targets specific nations.
Why Cyber Insurance Is More Important than Ever
Attacks Are on the Rise
According to the 2021 CrowdStrike Global Security Attitude Survey, 66% of organizations suffered at least one ransomware attack in 2021, and as shown in the CrowdStrike 2022 Global Threat Report, ransomware-related data leaks increased 82% from 2020 to 2021. This is fueled in part by the growing availability of hackers “as a service” that makes ransomware and other malware attacks available to those who lack the technical expertise to personally carry out such an attack.
Ransomware attacks are typically among the most costly cyber events to remediate in that they not only disrupt business operations and require significant resources during the recovery process, but also often involve payment of the ransom demanded by the hackers.
Work from Home Increases Risk and the Attack Surface
The shift to a remote work model, accelerated by the COVID-19 pandemic and stay-at-home orders, has dramatically increased the attack surface for organizations. As employees access applications, assets and systems through private networks and personal devices, they expose the organization to a new level of risk. Further, the proliferation of connected devices and Internet of Things (IoT) technology, provide a plethora of entry points for cybercriminals.
Most existing cybersecurity strategies and toolsets simply were not equipped to handle this new way of working, which has resulted in the introduction of new security gaps and shortcomings.
Breach Recovery Costs Can Decimate an Organization
Ransomware remains one of the most profitable tactics for cybercriminals. According to the 2021 CrowdStrike Global Security Attitude Survey, the average ransom payment is $1.79 million USD. The victim company must also cover the cost of cleaning and restoring affected systems, as well as legal, security and public relations services.
It is important to keep in mind that even when a ransom is paid, that is no guarantee that the organization’s systems, data and other assets will be restored.
Who needs cyber insurance?
Given the increase in cyberattacks, as well as the high cost associated with remediation, cyber insurance is a necessity for any digital business. One of the primary targets for hackers and cybercriminals is data, including PII, such as the names, addresses, social security numbers, bank account information, credit card numbers and other information that can be used to carry out fraud, advance secondary attacks or be sold on the dark web.
While many small or mid-sized businesses or organizations may assume that their relative obscurity will protect them from cybercrime, in fact, our analysts have found that many cybercriminals see these organizations as easy targets because they often do not have robust cybersecurity measures in place.
On the other end of the spectrum, large and prominent organizations can be the target of big game hunting, a type of cyberattack that usually leverages ransomware to target large, high-value organizations or high-profile entities. Victims are chosen based on their ability to pay a ransom, as well as the likelihood that they will do so in order to resume business operations or avoid public scrutiny.
Recent analysis from CrowdStrike reveals that big game hunting continues to be a major security concern for large organizations, regardless of location or sector. The CrowdStrike eCrime Index (ECX), which is a proprietary tool that provides a composite score for tracking changes within the threat universe, shows that while there was a brief decline in activity in the summer of 2021, big game hunting activity appeared to return to near peak levels by September of the same year. The latest edition of CrowdStrike’s annual Global Threat Report confirms this analysis, revealing that “the growth and impact of big game hunting in 2021 was a palpable force felt across all sectors and in nearly every region of the world.”
Cyber Insurance Choices
In this landscape, organizations have three basic options when it comes to cyber insurance:
|Insurance Risk Transfer||Self-Insurance||No Insurance|
|Efficient and reliable risk mitigation leveraging the commercial markets to achieve an acceptable risk posture||Reliance on cash reserves to fund a multi-million dollar breach response and third-party liability||No formal plan to fund a potential breach response or third-party liabilities|
Cyber Insurance As a Supplement
It is important to note that cyber insurance is a net-new insurance product meant to cover gaps within traditional insurance policies, such as general liability insurance (GCL) and errors and omissions insurance (E&O). In both cases, existing policies were not designed to protect against the likes of the modern threat landscape. Most do not have specific language that address cyberattacks or cyberterrorism, which generally means that claims stemming from such activity will not be covered or that support will be limited.
What factors affect the cost of cyber insurance?
The cost of a cyber insurance policy is most heavily influenced by the level of coverage the organization wants or needs. As with traditional insurance policies, there is a wide range of coverage options to fit each organization’s budget based on their risk tolerance.
Several factors determine how cyber insurance premiums are calculated. These include:
- Company revenue
- Number of customers
- Level of sensitive data or PII stored
- History of insurance claims
- History of cyber events
- Adequacy of security-related technical controls, procedures and protocols
- Evolution of the current threat landscape and advancement of threat actor tactics, techniques and procedures (TTPs)
- The regulatory landscape, specific to each organization’s geographic location, industry and data
- Macroeconomic factors, including business expenses (e.g.,employee total compensation), compliance and inflation
The rise in ransomware, in particular, has had a direct bearing on cyber insurance premiums and coverage. The increase in cyber insurance premiums (ranging from 10% to 30% during the latter half of 2020 and an average of 56% in Q2 2021) and recently 79% in Q2 2022 has been directly attributed to an increase in insurer losses caused by ransomware attacks that occur with accelerating sophistication and severity. Another fallout of this rise in ransomware attacks has been reduced coverage limits, specifically in high-risk industries such as healthcare and public entities.
What is the most common underwriting evaluation criteria for cyber insurance?
Insurance criteria have become more strict due to the increase in volume and severity of ransomware and other cyber-related events. Over the last two years, insurance companies experienced increased losses related to cyber claims. As a result, insurers have strengthened their insurance requirements to better protect their loss ratios.
Underwriters are requiring greater transparency into security programs to gain a better view of the true exposure and increasing their emphasis on proactive measures that insureds must take to better protect their business from cyberattacks.
The insured’s cyber tech stack is one of the biggest factors in determining the cost of the premium. While there is no single tool or combination of controls that guarantees security, there are some best practices that will help reduce the company’s risk profile. This includes:
- Multi-factor authentication (MFA): A multi-layered security system that grants users access to a network, system or application only after confirming their identity with more than one credential or authentication factor
- Next-generation antivirus (NGAV): An enhanced antivirus technology solution that uses a combination of artificial intelligence, behavioral detection, machine learning algorithms and exploit mitigation, so known and unknown threats can be anticipated and immediately prevented
- Endpoint detection and response (EDR): An endpoint security solution that continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware
- Patch management: The process of identifying and deploying software updates, or “patches,” to a variety of endpoints, including computers, mobile devices and servers
- Vulnerability management: The ongoing, regular process of identifying, assessing, reporting on, managing and remediating cyber vulnerabilities across endpoints, workloads and systems
- Identity security: A comprehensive solution that protects all types of identities within the enterprise — human or machine, on-premises or hybrid, regular or privileged — to detect and prevent identity-driven breaches, especially when adversaries manage to bypass endpoint security measures
- Zero trust security: A security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted or keeping access to applications and data
- Cloud security posture management (CSPM): Automates the identification and remediation of risks across cloud infrastructures, including infrastructure as a service (IaaS), software as a service (Saas) and platform as a service (PaaS)
- Cloud workload protection (CWP): The process of continuously monitoring for and removing threats from cloud workloads and containers
- Email security: A security solution designed to specifically protect email communication and any data or sensitive information from unauthorized access or compromise
IT Hygiene Best Practices
In addition to strengthening the organization’s cybersecurity tech stack, organizations can also adopt IT hygiene best practices to further reduce their risk profile. This includes:
- Performing regular, secure and encrypted backups of all sensitive data
- Conducting robust incident response (IR) planning and testing
- Offering comprehensive cybersecurity awareness and social engineering awareness training to all employees and vendors or partners that have access to the organization’s network
- Conducting a full supply chain risk management audit
Insurers Want Greater Visibility
As the security landscape continues to evolve, some organizations are facing significant premium increases for their existing coverage, while others may not be able to renew their policies without proving that they have made investments in their tech stack and strengthened IT hygiene.
Overall, insurers are becoming more discerning of who they agree to take on as a client and how to calculate their premium. Having comprehensive and complete visibility into the attack surface will become increasingly important not just to the security of the organization, but its insurability. This is because the lack of visibility into identity-based incidents increases the dwell time — the time an adversary goes undetected inside the network — making it difficult for organizations to detect and remediate the incident before the damage is done. Companies should also take steps to provide higher levels of protection around their most valuable assets and data.
How CrowdStrike Can Help Improve Insurability
The key to improving insurability lies in the organization’s ability to demonstrate comprehensive security coverage. The CrowdStrike Falcon® platform is designed as a highly modular and extensible solution that helps clients reduce risk and improve their security standing. Our platform includes:
- Falcon Identity Protection. Built around a continuous risk-scoring engine that analyzes the authentication traffic, Falcon Identity Protection focuses on the most common attack vector — identities — to enable real-time threat prevention and IT policy enforcement using behavioral and risk analytics on all identities, including human and service accounts, and not just privileged accounts. For more information on how Falcon Identity Protection helps organizations improve their insurability, please read our companion paper Accelerate Your Cyber Insurance Initiatives with Falcon Identity Protection or watch our video, Prevent Ransomware Attacks and Improve Cyber Insurability.
- Falcon Insight™ endpoint detection and response. Falcon Insight continuously monitors all endpoint activity and analyzes the data in real time to automatically identify threat activity, enabling it to both detect and prevent advanced threats as they happen.
- Falcon Prevent™ next-generation antivirus. Falcon Prevent offers the ideal AV replacement solution by combining the most effective prevention technologies with full attack visibility and simplicity.
- Falcon Spotlight™ vulnerability management and detection. Falcon Spotlight provides real-time visibility across the enterprise — giving customers relevant and timely information they need to reduce their exposure to attacks with zero impact on endpoints.
- Falcon Overwatch.CrowdStrike’s managed threat hunting service, built on the CrowdStrike Falcon® platform. OverWatch provides deep and continuous human analysis, 24/7, to relentlessly hunt for anomalous or novel attacker tradecraft that is designed to evade standard security technologies.
CrowdStrike understands the intricate nuances of cyber insurance because we have a team dedicated to working with the cyber insurance community. This team is comprised of experienced insurance professionals that previously underwrote and brokered cyber insurance. This team spends a tremendous amount of their time educating insurance underwriters and cyber insurance brokers on the value of CrowdStrike products and services and how our solutions help our clients to better qualify for cyber insurance.