More companies today are reaping the benefits of cyber insurance, with almost half of the respondents in Marsh and Microsoft’s 2019 Global Cyber Risk Perception Survey reporting that they have cyber insurance, compared to 34% in 2017. Nonetheless, some naysayers claim that cyber insurance can work against companies since cyber extortionists use it as an incentive to target firms.
In the report, “Cyber Insurance is Supporting the Fight Against Ransomware,” Marsh expert Matthew McCabe outlines why this line of thinking around cyber insurance is incorrect. In fact, the coverage can be a useful tool for a company even before a hack or breach occurs.
“Number one, there’s utility in just going through the application for cyber insurance, in that it acts like a yearly assessment. You have a third party who’s kicking the tires on how you’re protecting your networks and how you’re responding to incidents, and that’s a source of maturation for companies,” said McCabe, SVP and assistant general counsel for cyber policy at Marsh. “Once the exploit hits, the victim has to decide what the best course of action is. For a lot of small and mid-sized companies, they might not have the capability in-house to do that. Through insurance, they can access forensic companies, who might be familiar with the malware that they’ve fallen victim to and even with the specific group who’s making the demand, so the experts retained by the insurance company and paid for by the insurance wind up being the best source of advice from which the company can make a decision.”
If for some reason the extortionist doesn’t return the decryption keys or make good on the promise to restore a firm’s network, and the business’s operations come to a halt, part of the resiliency offered by cyber insurance is its financial risk transfer element, which prevents expenses from piling up and draining a company’s pockets.
“If you lack that backstop of insurance, the company is simply out of pocket,” explained McCabe. “And even if the extortionist is good to their word and they will restore the network, it’s not as if you don’t incur any expenses. It might be less costly, but there are still costs involved with going through the incident.”
Another misconception around cyber insurance is that insurers don’t pay out claims. McCabe cautions that this, again, is not the reality. In recent years, with the NotPetya attack and an evolving data and privacy regulatory environment, cyber insurance solutions have developed accordingly.
“Insurance has gone through an evolution – there’s more and more covered and over past years as threats have grown, cyber insurance has actually responded by expanding coverage to adapt to the new types of consequences that companies might suffer,” said McCabe. “There’s nothing more spurious and frustrating than to see articles published with questions like, does cyber insurance pay claims? Of course it does.”
The recent Marsh and Microsoft survey reported higher-than-ever confidence in the ability of cyber insurance to pay off, and that’s because so many customers have had claims and the insurance has responded.
“There’s comfort with the coverage,” said McCabe. “I think there’s a comfort that the insurance will be there to pay off the claim and I think there’s an appreciation that the scope of coverage made available really is valuable.”