Mis-sold and Misinformed: The Problem with Cyber Insurance?

The devil is in the detail when it comes to sourcing the right cyber insurance policy

The cyber insurance market is booming, having almost tripled in size over the past five years, according to Munich RE. That’s unsurprising when 70% of UK mid-size and 74% of large businesses suffered a breach over the past year. For some, a serious security incident can be an existential challenge. One Kettering logistics firm, KNP Logistics, was forced to close with the loss of hundreds of jobs after a ransomware attack. And yet, amid increased corporate demand for cyber insurance, potential risk lurks.

A combination of mis-sold policies, coverage small print, and generalist brokers threaten to do more harm than good. It’s time for CISOs to better understand and mitigate cyber insurance risks.

What’s wrong with cyber insurance?

Cyber insurance has never played a more critical role in corporate risk management. The threat landscape is volatile, dynamic, and on the cusp of an AI revolution which will spark a new phase in the never-ending arms race with network defenders. One vendor (Trend Micro) blocked 161 billion threats in 2023 alone. Of these, ransomware remains the most significant threat facing UK businesses, according to the National Cyber Security Centre (NCSC).

In this context, cyber insurance is now a well-established means to mitigate and transfer financial risks stemming from a severe security breach. But although the industry is rapidly maturing, challenges remain. Assured co-founder and head of broking, Ed Ventham, explains that policy language and mis-selling continue to be an issue, although they are not as pronounced a problem as two years ago.

“Generalist brokers are often unaware of the small print because they’re dealing with so many other lines of insurance” Ed Ventham 

“We have had cases where businesses who have bought cyber insurance for £5m would ask us to review their policy and there’d be a clause saying ‘if a certain event happens, like ransomware, it will only pay out 20%.’ We’d flag this, and it would be brand-new information to them. It’s a huge fault with the industry,” he explains.

“It should be on the broker to explain, ‘this is what you’re covered for’. But generalist brokers are often unaware of the small print because they’re dealing with so many other lines of insurance,” continues Ventham. “Businesses need someone to take the time to go in and get that information for the client so they can make an informed decision about a policy.

“Sometimes, the language of policies compounds these challenges, Ventham adds. Coverage might appear the same but policy language can often be nuanced and the intent of policy coverage falls onto the way it is worded. It is important to understand what restrictions a policy might have in place through the way the insuring clauses are worded.,” Ventham continues.

Ilia Kolochenko, a partner and cybersecurity practice lead at Platt Law LLP, lays more of the blame at the door of the insurance carriers than the brokers.

“The key problem is that cyber insurance policies tend to be complicated and riddled with exceptions and exemptions hidden in annexes and legalese,” he tells Assured Intelligence.

“Insurance companies often fail to explain all the intricacies and nuances to their clients, let alone third-party brokers. Marketing materials are frequently in bright contrast with reality. As a result, brokers unwittingly sell cyber insurance on exaggerated promises,” he says of generalist brokers.

The worst day of your career

A mis-sold or otherwise problematic insurance policy could have a disastrous financial and reputational impact on the insured organisation. The average cost of a data breach, according to IBM’s Cost of a Data Breach report, is $4.5m (£3.5m). Major ransomware attacks have cost breached organisations much more, not to mention the long-term impact on customer loyalty and brand.

Tom Draper, head of insurance, UK, at Coalition, explains that the role of the cyber insurance specialist is to help policymakers “during what could be the worst day of their business careers”.

“As the owner or operator, that firm is likely their livelihood and the source of their pension. For a junior finance team member, for example, authorising a fraudulent bank transfer based on what appeared to be an email from the finance director could spell the end of their career,” he tells Assured Intelligence.

“A policy that does not respond in a cyber incident will exacerbate the negative impacts of an already bad day. Not to mention, an uninsured client has no specialist to call in the event of a cyber incident and no financial backstop, exposing their lines of credit and assets.”

What to look for

So what should CISOs, CTOs and their colleagues look for in a policy? According to Assured’s Ventham, there are four pillars of cover: third-party, first-party, incident response and cyber extortion (i.e. ransomware).

“If a business wants comprehensive cyber coverage, each of those four should be present within a policy. And the organisation must understand what potential restrictions are in place around these pillars. The insured should look at any exclusions in the policy which might come into conflict or are unclear, such as infrastructure failure or biometric data. Most exclusions are standardised but it is important to review them to ensure their intent is clear. If you don’t take the time to look at exclusions, they slip through the net. If you have a claim, this can really kick you in the teeth.”

Next, businesses should assess the policy conditions one by one, with the CISO or equivalent checking technical language and the CFO reading the document from a financial risk perspective, he continues. This is where collaboration with a specialist cyber insurance broker comes in handy.

“A policy that does not respond in a cyber incident will exacerbate the negative impacts of an already bad day” Tom Draper

“Again, general brokers, managing multiple lines of insurance, will find it very difficult to go into detail for every single policy – it’s almost impossible,” explains Ventham. “But due to the speed at which cyber claims happen, this attention to detail is critical. You need to take the time to properly understand your policy at the early stages because those claims happen overnight. In contrast, most other lines of insurance play out over a much longer timeframe, sometimes years (for professional liability, for example).”

Finally, organisations should look at the insurer’s claims-paying ability and their financial stability, as well as the services on offer, he explains. For example, how useful will that free tabletop exercise be in enhancing incident response preparedness?

Ultimately, a good cyber insurance policy should work as a carrot and stick combined. By stipulating minimum security controls, insurers can arguably force improvements in baseline security posture far more effectively than industry education and government outreach. In this way, insurers work alongside policyholders to enhance cyber resilience and reduce the cost of premiums. Specialist cyber insurers also “provide enterprise-level assessment and security support to SME and midmarket companies,” explains Coalition’s Draper.

“Businesses should look for insurance providers that offer more than a policy – such as the opportunity to run through claims scenarios, so the business can understand how the insurance policy will support it should a nightmare situation unfold,” Draper continues.

“Dedicated cyber insurance policies should also come with additional education opportunities and onboarding to help insureds understand the claims and incident response processes, so they are prepared if the day comes when they need it,” he concludes.