The control room inside the Paks nuclear power plant in Hungary. Photo: Bloomberg/Contributor
Overview of cyber insurance coverage
Cyber insurance myths and facts
The most commonly cited reason for not buying cyber insurance is the idea that the policy will not pay out. Indeed, there have been high-profile legal cases in which the provider of cyber insurance has chosen to fight a claim in court. However, this is the exception rather than the rule, and insurers would soon cease to exist if they didn’t pay out on claims. Independent reviews of cyber claims data show that most claims are paid and provide insight into what kinds of claims have been made going back to 2011.27
The mean total cost of a security breach between 2014 and 2016 was $394,000, with the median being $56,000.28 Forty-seven per cent of claims came from companies with less than $50 million in revenue.29 The cost of notifications was 176 per cent higher in 2016 than in the previous year.30
The second most common misperception about cyber insurance is that it is a waste of security spending. Yet cyber insurance premiums should come out of contingency budgets, not from prevention budgets. It is reasonable for management to ask how much money and manpower can be called on during a cybersecurity crisis, rather than comparing the cost of cyber insurance with that of a full-time prevention team. In short, money spent on firewalls does not contribute to the payment of regulatory fines, and budgeting should reflect a difference between prevention and response spending. Given the above numbers, an organization should be prepared to cover an average of $400,000 in the case of a data breach. If an organization is prepared to do this, then cyber insurance is perhaps unnecessary, though prudent contingency planning might also take into account the possible size of maximum payouts, which are significantly higher.
Types of coverage
The first thing to understand about insurance coverage is whether it is intended to address first-party or third-party exposures. First-party cyber insurance attempts to cover losses to the insured organization specifically, including those arising from extortion via DDoS or ransomware, business interruption from network downtime, notification fees (for example, due to regulatory requirements), theft of money or digital assets, and of course reputational damage.
Third-party cyber insurance is designed to cover costs to the insured party’s customers; the costs of investigating their concerns; liability for the insured organization’s own negligence or the negligence of those providing services to it; and loss of data or system access that prevents others from doing business, for example if the insured party fails to deliver fuel on time.
Note that a computer emergency response team (CERT) typically concerns itself with one of these types of risk over another, and cyber insurance may therefore be useful for the risks the CERT is not prioritizing. Outlined below are a number of different insurance types, many of which will offer both first-party and third-party variations. An organization should consider whether it has capital reserves to cover both the first-party and third-party risks listed.
It is possible to obtain standalone cyber coverage for both first-party and third-party risks. The costs will depend on the particular insured business, and on the desired coverage limit. Most common cyber insurance policies will be suitable for covering disruptions to business operations, but not for material damage arising from an industrial control system (ICS) or SCADA incident. Most standalone cyber policies are designed to cover data breaches, DDoS (a specific cyber risk) or credit card fraud. They are not designed to cover the costs of physical damage to engineering environments.
Luckily, engineering lines of insurance, and even some civil nuclear pools, have started to offer cyber insurance tailored towards cyber risk in nuclear environments. Some key questions to ask of any provider offering such insurance are as follows:
- Does the insurance cover incident response and forensic investigation costs for ICS/SCADA environments?
- Does the insurer offer discounted rates or increased limits if the insured facility submits to an audit or security assessment?
- Can the digital forensics and incident response services be delivered at short notice?
- Do these service providers maintain the safety certifications and security clearances required for the civil nuclear regulatory jurisdiction in question?31
Categories of coverage include the following:
Errors and omissions. This category of third-party coverage focuses on the insured party’s liabilities in the event that it suffers a breach. It primarily focuses on payouts to other parties – such as regulatory bodies, personnel, customers or business partners – affected by a cyber event at the insured organization.
Commercial property all risks. This may cover physical damage to a facility from hacking, such as that demonstrated by Stuxnet. Many insurers are increasingly excluding cybersecurity coverage from this line of insurance. However, purchasers can still discuss having cybersecurity risks included, via a process known as ‘write-back’ that involves payment of an additional risk premium. Even if an organization’s existing insurer offers a write-back clause, shopping around for explicit cybersecurity insurance may be advisable, in order to compare prices between one option and the other.
Personal lines insurance. This is less likely to be of interest for organizations, as it usually focuses on homeowners. However, this type of insurance increasingly comes with coverage for cyber risks such as ransomware. Small business insurance can also include similar protections.
Workers’ compensation, safety and environmental lines of insurance. These are offered by a variety of insurers. Cyber issues are not always considered in these types of policy, but of course cyber exposures remain present and exacerbate the core named risks in ways that cannot always be anticipated. For example, it would not be uncommon for someone to think that environmental risk has no cyber component. However, on closer examination this assumption is mistaken. Much environmental modelling is done using sensors and networks, and data veracity is critical to monitoring and managing an organization’s environmental footprint. Workers also routinely use computers to monitor their exposure time to radiation; denial of access to such data at a critical time can open an employer up to liability.
Cyberterrorism insurance. Cyberterrorism has become a concern in recent years, and both the UK and Australia have developed reinsurance products that cover material damage caused by cyber means. In particular, Pool Re, a UK firm, has created a flexible and adaptive approach that prevents attribution problems and investigations from getting in the way of prompt payouts. This, in turn, gives confidence to those responding to the problem, without burdening them with wider investigations into who was behind a cyberattack until a later time.
Specialist civil nuclear insurance. Specialist providers in this sector have shown an interest in providing cyber insurance to cover a variety of impacts. The civil nuclear pools are likely to be the most suitable places to look for coverage if an organization requires external cyber insurance. Even going through the questionnaire process for such coverage can provide valuable insight into the preparations an organization has made and/or issues it needs to attend to.
Cyber insurance for civil nuclear facilities
Key questions for civil nuclear facilities concern whether to buy cover, how much to buy, and how much is available in the market.
On average across the general (non-civil nuclear) cyber insurance market, a $120,000 premium buys coverage up to a limit of $10 million. Coverage for $50 million or more can be bought for $1 million in yearly premiums, but small and medium-sized companies can get $1 million in coverage for just a few thousand dollars.32 The cost scale may, of course, change over time as risks are recalibrated from actuarial evidence. However, the estimates shown here capture the state of the market as of March 2019. Premiums and coverage specifically for civil nuclear risk may also diverge significantly from these estimates, but the above scale provides a baseline for research and back-of-the-envelope discussions.
One form of cover that is hard to find in standard policies is for environmental damage. It can only be found in 4 per cent of policies,33 yet is a category that should interest civil nuclear facilities and organizations (in particular, within the civil nuclear transport sector). The ability to access liquidity and receive rapid assistance during a transport-related crisis might significantly reduce an incident’s costs.
Policy wordings
Property damage insurance written on an ‘all risks’ basis often used to include cyber coverage, but over time insurers have started removing it. This is because they have seen rising claims, and do not know how to manage the risk unless it is covered by a more specific cyber insurance product. However, for a small additional fee, cyber exclusions can be voided and cyber coverage returned to the same policy (as mentioned, this process is known as ‘write-back’). A commercial property insurance policy that contains a CL380, LMA3030, NMA2912 or NMA2914 clause34 specifically excludes any loss shown to be caused by accidental or malicious technological or computer-related means.
Table 2: Exclusion clauses, with focus and possibility of write-back

| Exclusion clause | Focus | Write-back possible? |
|---|---|---|
| CL380 | Computers/war | Yes |
| LMA3030 | Computers/weapons | Yes |
| NMA2912 | Data/virus | Yes |
| NMA2914 | Data/virus | Yes |
Before considering cyber insurance, an organization should review its traditional policies to see if any of the above clauses are present. If these exclusion clauses are not present, some cybersecurity risks may be covered already, and it is worth checking whether the insurer covers the specific cyber risk that the purchaser is concerned about. On the other hand, if any of the exclusions are present, it may still be possible to request a write-back or consider buying standalone cover.
Now that it is clear that traditional insurance sometimes covers common cybersecurity-relevant incidents such as computer theft or loss, breach, ransomware and GDPR notifications, it is also necessary to consider in greater detail cyber-specific insurance as well as specialized products for the civil nuclear sector. The latter are specifically designed to cover the impacts of hacking and technological accidents for civil nuclear facilities, whether in generation, research, transport or storage operations.
Cyber insurance has many varieties in terms of its coverage, including GDPR and incident response assistance after a breach, DDoS mitigation, ransomware clean-up and assistance, financial fraud, CEO phishing, physical damage from hacking or technological accidents, and even cyberterrorism. Insurance tailored to civil nuclear facilities has only recently started coming on to the market. Such products offer tailored security audit and incident response features.