One of the most important cyber risk management activities is to obtain cyber security insurance. In risk management terms, having the right cyber security insurance effectively transfers the risk of a successful cyber attack to the insurance company.
Just like any other insurance, be very careful of what you purchase, ensuring to review the small print. The latest statistics on cyber insurance are rather revealing.
More than 40% of claims are rejected by the insurer due to the claimant not having accurately stated their true level of security posture. This is often not done deliberately, it’s typically due to a lack of understanding of the insurance prerequisites that are stated in the policy.
Note – we help you validate your policy requirements and implement any services or solutions to fill the gaps.
Many policies require companies to maintain specific cyber security measures (e.g., multi-factor authentication, encryption, endpoint protection). Claims may be denied if:
For Example: A company suffers a ransomware attack, but they had not enabled MFA for remote access. The insurer denies the claim because MFA was a policy requirement.
If a company misrepresents its cyber security practices or fails to disclose past incidents, insurers may reject claims.
For Example: A company claims they have an incident response plan but in reality, they don’t. When a cyber attack occurs, the insurer denies the claim due to false statements in the policy application.
Some policies have exclusions for certain types of attacks, including:
For Example: A company falls victim to a business email compromise (BEC) scam, transferring funds to a fraudulent account. If the policy doesn’t cover social engineering, the claim is denied.
Claims must be filed within the required timeframe, with proper documentation. Common mistakes:
For Example: A company takes months to report a data breach, preventing the insurer from investigating properly. The claim is rejected for late notification.
Organisations must take reasonable steps to prevent further losses after an attack. Claims may be denied if:
For Example: A company ignores recommendations from cyber security professionals and allows an attack to spread, increasing the damage. The insurer refuses to cover costs due to negligence.
Some policies do not cover third-party damages (e.g., if a client sues due to a breach). Claims can be denied if:
For Example: A cloud provider suffers a breach affecting multiple businesses. A company tries to claim under their cyber security policy, but it’s denied because the breach occurred in a third-party system.
We can help you by reviewing what you currently have in place, assessing the gaps and how best they can be filled.
We take a realistic and pragmatic approach to ensuring that our clients can demonstrate compliance and benefit from risk reduction.
We offer a free 30 minute consultation to discuss your security and compliance status.
If you wish to engage our services, this is done on a time and materials basis, documented within a Statement of Work.
Our consultancy rates are very competitive and affordable. Contact us for more information.
