Insuring against cyberattacks is a market as complex as it is unpredictable.
C2 Cyber has been told of one insurer paying out £32 million for cyber losses in a single claim, while aluminium giant Norsk Hydro had to double the amount it is claiming for a devastating ransomware attack from $40 to $80 million as the extent of its losses became clear.
The company was struck in March 2019 with an attack that started in its U.S. facilities then spread, disabling part of its smelting operations. It did not pay the ransom demand, instead isolating all plants and operations and switching to manual procedures.
Yet Norsk Hydro's cyber insurer paid out just a quarter of its breach-related losses in the year after it was hacked, a total of c. $20 million. In other cases insurers have compensated only 10% of a claim because they judged that clients hit by cyber breaches did not take enough precautions to prevent the attack.
This situation has led to litigation against insurance providers accused of refusing to settle “legitimate” claims.
Monitoring and assessing cyber risk
The key is for businesses, their insurance brokers and the underwriters to be able to monitor and assess the risk of cyberattacks:
- Underwriters understandably want to bound the risks they are insuring. This is difficult, however, because the cyber threat is evolving and changing all the time.
- Brokers seeking ways to negotiate down the insurance premiums that underwriters charge their customers need to be able to prove that those customers have robust cyber security in place.
- Most businesses have little understanding of their cyber estate, the risks they are running and particularly the impact of third-party supply chain risk. This is a growing threat many companies find hard to evaluate.
In fact, 70% of cyber security data breaches now involve a third-party supplier of some sort. All it takes is for an employee at a vendor to click on the wrong email or forget the antivirus update and ransomware attackers have a fast track to shutting down every unprotected business that vendor supplies.
Focusing on the greatest threat
The business imperatives of companies seeking cyber insurance, brokers and underwriters are all aligned.
Monitoring and assessment of cyber risk needs to be constant because of the fast-moving threat. In an insurance market led by heavily matrixed large companies that are not adept at rapidly building new propositions, it is paramount to understand where the risks lie.
And it is essential that cyber security costs and effort are matched to the degree of risk. Businesses need to focus their limited resources on the suppliers that present the most danger. This is the advantage of C2 Cyber’s proprietary COBRA platform, which allows our clients to identify the supply chain risks that pose the greatest threat.
After it was attacked, Norsk Hydro said its cyber insurance policy, led by AIG, was “solid.” That confidence needs to be built on the intelligence that comes from pinpoint monitoring and assessment of cyber risk.
C2 Cyber are experts in cyber security and vendor risk management.