How Do Cyber Insurers Assess Risk?

In 2024, one faulty update from cybersecurity software developer CrowdStrike caused more than 8.5 million systems to crash worldwide, causing more than $5 billion in losses.

And while those who follow financial news were fixated on this story, the rest of the world barely noticed. So, what if the company you worked for lost some money as a result of that event? It was insured, right? As it turns out, no. According to Harvard Business Review, cyber insurance covered less than one-third of the damage.

The CrowdStrike glitch underscored the growing urgency around cyber risks for corporate decision makers. As organizations are now evaluating the best strategies for mitigating cyber risk, they are asking more informed and strategic questions. One common question is, “How do you define and quantify that risk?”

Where to even start?

Before we quantify cyber risks, we need to understand safeguards to reduce the frequency and magnitude of cyber incidents. There are essentially three groups of factors:

1. Technical defenses

Technical defenses include firewalls to secure networks, multifactor authentication protocols to secure system access, endpoint protection or anti-virus to secure endpoints, and encryption to protect sensitive data. While those are the most obvious safeguards from an end-user perspective, other technical defenses also include robust backup systems, email filtering and scanning, intrusion prevention, and data access controls.

2. Corporate culture

The most obvious defense from a corporate culture perspective is employee training that regularly reminds employees to use strong passwords and not to open files or links from suspicious emails. We all know that, and yet social engineering and phishing remain the primary entry points for cyberattacks. That’s why visible commitment and support from a company’s executive team regarding cybersecurity measures are every bit as important as communicating those measures.

3. Planning

When it comes to detecting, preventing and mitigating the damage from intrusions, there is ultimately no substitute for planning. These plans, typically called incident response plans, must be tested and refined by simulating real-world scenarios. Testing should account for not just your firm’s security posture, but also that of your vendors, clients, and other third parties with access to your systems.

What are the standards?

When assessing your company’s security hygiene level, there are several standards that can assist you. Depending on your firm’s size and systems complexity, you can choose the standard that seems right for you. No matter what you choose as your benchmark, the key is constant improvement.

There are several guidelines you can follow, such as ISO 27001 and the NIST Cyber Security Framework. Those are complex frameworks, typically adopted by manufacturers, large complex organizations, or those holding highly sensitive data. Smaller companies can likely rely on the full insurance application from a cyber insurer, which largely follows those guidelines in a simpler format. If you can successfully complete the application, you’re doing well enough for insurers to offer you coverage; that’s not a bad litmus test.

They all map to a triad of core principles:

  1. Confidentiality, so that only the intended parties can access an organization’s information
  2. Information integrity, so that data is safe, reliably stored, and protected from damage or erasure
  3. Data availability, so the organization and its clients can access the information as necessary

What’s covered? And how much Cyber insurance coverage should I buy?

Typically, cyber insurance covers losses that are due to security and privacy breaches. From the start of the breach, the policy provides coverage for incident response services, including privacy legal counsel, breach coach services, public relations, credit monitoring for affected individuals, and forensic services. Coverage is also included for network extortion negotiation and demands (a.k.a. ransomware), business interruption and reputational harm, regulatory compliance, and often additional coverages including social engineering and computer fraud losses. In other words, if an attack results in exposure of clients’ data, a loss of revenue from impacted systems, or even stolen funds, the policy would likely respond. So, too, would post-event costs such as having to reimburse customers for ongoing credit monitoring.

Deciding how much coverage is required, in the form of insurance limits, can be challenging. It’s hard to know what the cost of a loss will be. In assessing your needs, consider the overall size of your company, how much client data you have, and how sensitive that client data is. What would the financial impact be of not being able to work for weeks or even months because of a cyberattack? All these things should factor into your policy limit choice.

In many cases, cyber insurance limits are not available in the same amounts as property or general liability coverage, and premiums have ebbed and flowed over time. Consider what the coverage costs for the limits available, and whether the available limits are even high enough for your risk appetite.

It is possible that some cyber insurance might overlap with standard errors and omissions or crime coverages, so it is worthwhile to have an experienced insurance professional determine if there might be ways to reduce double-spending.

Looking for coverage?

If you’re a Canadian company in need of cyber insurance, please don’t hesitate to get in touch with our expert team. Otherwise, reach out to your local commercial insurance broker.
