It’s an unfortunate fact that cybercrime has become part of the reality of living in the digital age. A sustained cyberattack can have far-reaching consequences for society, individuals and businesses. An attack might involve ransomware, data breaches, digital failures or sabotage, resulting in hospitals or airports becoming paralysed. Even if your own digital housekeeping is in good shape, a cyber incident at a partner business can severely affect your own infrastructure, causing significant financial, operational and reputational damage.
To protect yourself against this happening, there is such a thing as cyber insurance. Does insurance provide a useful buffer against these risks, or does it create a false sense of security instead? In this article, we explain what cyber insurance is, what’s involved and which incidents are – or are not – covered.
What is cyber insurance and what does it cover?
A cyber insurance policy provides cover for the damage caused by cyber incidents. For example, it can provide protection for companies and organisations against the costs incurred for:
- Restoring IT systems,
- Legal and technical assistance,
- Crisis communication,
- Administrative penalties (e.g. in terms of breaching GDPR and NIS2).
Cyber insurance covers direct and indirect damage. ‘It consists of three parts: the helpline, damage caused to you and damage caused to third parties,’ says Tom Van Britsom, cyber specialist at the insurance broker and risk consultant Vanbreda Risk & Benefits. ‘The helpline is similar to the one you call when your car breaks down. We then provide the experts you need who will take the initial action required after an incident. That might be in the field of IT, law or public relations. For example, we put you in touch with people who can negotiate any ransom that may be demanded.’

The cover provided for ‘damage caused to you’ is often an extension of the helpline and involves, among other things, bringing in specialists who, after addressing the initial concerns, work to get the company back on track. ‘Sometimes that can take just a few days,’ continues Van Britsom, ‘although in other cases it can last up to six months, which is when the costs incurred are often the highest. For instance, you might have to reprogramme and reimplement a whole range of systems, meaning that your business cannot be operational during that time. If a ransom has been paid in the event of a ransomware attack, the insurer will reimburse the cost of any cryptocurrency offered by the professional negotiator.’
‘With insurance, financial compensation is the most obvious benefit. But that assistance is also extremely useful from a legal perspective,’ says Peter Vergote, Legal Advisor at DNS Belgium. ‘Suppose that, in addition to the damage you have suffered as a result of a cyber incident, you also receive various claims from companies that have suffered damage as a result. In that case, your insurer's expertise will help you deal with this. At the time of an incident, you want to focus primarily on urgent matters, such as getting your business back on track.’
As you would expect, insurers require you to take appropriate measures yourself to prevent cyber incidents from occurring. Details can vary, but cover is usually based on these five requirements:
- Multi-Factor Authentication (MFA)
- Backups stored in two physically separate locations
- Endpoint Detection & Response (EDR) and Managed Detection & Response (MDR)
- Vulnerability management
- Security awareness training & testing (with other training courses and phishing tests)
If, for example, your company does not yet use MFA, it will likely be more difficult to find an insurer. But Van Britsom emphasises that you can still be insured. ‘If you haven’t yet got all your ducks in a row,’ he says, ‘you will still be eligible for cover, but your premium will be higher, or you will only be insured up to a certain amount.’ Once all of your security processes are in place, however, your premium is also likely to fall.
‘The cost or effort involved in these precautions is not a deal breaker for cyber insurance,’ adds Vergote. ‘They help arm you against hackers and ensure that you are prepared for the recovery that must take place after a cyber incident.’ The nuance here is that such insurance does not prevent hacking. ‘It's like medicine. It won't prevent a virus from entering, but it will help you recover more quickly.’
Yet despite all the measures you may take, there are a number of elements that are not covered by cyber insurance. However, these exclusions can be nuanced and include:
- War and terrorism
- Fraud by own staff
- Deception by staff
- Systems that are insufficiently secured
- Reputational damage or falling stock prices.
Terrorism is something of a broad concept in this context. So, does that mean that a cyberattack by a hostile country or terrorist group is never covered? ‘War and terrorism are excluded as standard from insurance policies,’ says Van Britsom. ‘But a cyber insurance policy does include cover for cyber terrorism. We have seen companies infected by NotPetya (malware that encrypts data and is believed to have been deployed from Russia) for which businesses have been able to make a claim under their policy. Even though the hackers are operating on behalf of a state in this instance, this does not fall under the category of “war” for insurance purposes.’

Breaking into the system versus getting inside your head
If an employee commits fraud or uses the company systems to cause damage, this is not covered. With deception, the nuance lies in the way the deceit is perpetrated. If an employee inadvertently clicks on a phishing link, enabling a hacker to gain access to the company systems, this is covered by cyber insurance. The same thing applies if that same employee is persuaded to click on the phishing link or enters their login details via a fake page, giving the perpetrator access to the company systems and allowing them to misuse this information. ‘If that’s the case, then it’s the perpetrator, not the employee, who tampers with the systems or carries out payments,’ explains Van Britsom. ‘This constitutes malicious use and so is covered by cyber insurance.’
If a hacker manages to persuade that same employee to make a payment, then the employee is the victim of deceit and so it is fraud. Van Britsom again: ‘That, as it were, constitutes “getting inside your head” and so is not covered by cyber insurance, but by fraud insurance. It’s the same when a criminal uses an email, phone call or deepfake video or audio call to impersonate the CEO and request an urgent payment. It’s the employee who makes the payment and this is covered by fraud insurance. Trouble is, there’s a lot of confusion about this.’
In countries such as the US and UK, businesses are more familiar with cyber insurance and it’s relatively common, even in small companies. We have been insuring companies against cyber risks in Belgium and Europe since 2010 and the market has been growing steadily since 2020. Van Britsom: ‘Looking at our client portfolio of Belgian organisations with more than fifty employees, one in two has cyber insurance in place. In organisations with fewer employees, this figure is lower, although we are seeing interest rising across all sizes and sectors. In some instances, policies are also taken out for the entire sector.’

Increase in premium volume for cyber insurance policies over the past 10 years at Vanbreda Risk & Benefits
Who takes out cyber insurance?
- Manufacturing: 18 per cent
- Wholesale and retail: 18 per cent
- Professionals: 16 per cent
- Information and communication companies: 12 per cent
In addition, some sectors or federations also take out policies to cover a group or even all organisations.
NIS2 and liability
The new EU legislation, in the form of the NIS2 Directive, requires companies to protect themselves against cybersecurity threats to the essential services they provide. One striking feature about the legislation is the explicit and personal liability of management and directors for compliance with the directive.
In order to comply with its responsibilities, management must:
- Approve the risk management measures relating to cybersecurity
- Monitor implementation of the directive
- Take responsibility for compliance with the directive
This means it is important to take proactive measures regarding cybersecurity and to remain alert to potential threats. Cyber insurance offers additional protection, but only if basic security measures are in place.
‘Cyber insurance, including the helplines that go with it, fits in with the NIS2 strategy,’ says Van Britsom. ‘There too, you need to prepare and have your plan of action ready. As a result, for many organisations, cyber insurance is part of their business continuity plan and cyber incident response plan.’
Vergote: ‘If you plan all the preparations, you are better prepared for an incident. That means that not taking out cyber insurance, especially for a technical body such as DNS Belgium, would be almost negligent.’
Does insurance that pays a ransom do more harm than good?
Although ransomware is just one of the situations in which cyber insurance comes in handy, it’s the type of incident that tends to get most coverage in the media. Companies have to be quick in choosing between paying large sums of money, usually in cryptocurrency, or losing their business data or seeing it published elsewhere.
At the same time, some cyber experts urge people never to pay ransom demands without questioning it, as this encourages criminals to continue their attacks. So, if they pay, does cyber insurance merely keep the criminals’ cash registers ringing?
‘If there’s no other way out, the professional negotiator will make the cryptocurrency available through the insurance company,’ says Van Britsom. ‘However, if we look at the figures, on average one victim in two pays the ransom in cases of ransomware. Among organisations that have cyber insurance, it’s one in four.’
The cyber expert from Vanbreda Risk & Benefits now refers to the helpline with its specialists who can help assess the situation. ‘Many organisations panic and rush to pay in the hope of being able to get back to business quickly. But paying is not always the best or fastest solution,’ he explains. ‘At the beginning of this year, we spoke to a client whose data had been encrypted. During our investigation, we discovered that the key had also been encrypted. So in that instance, paying would not have made any difference. We then decided to rebuild everything from scratch, which was the best solution.’
So just because you get your data back immediately, it doesn’t mean you’ll be back up and running the next day. ‘If you pay the ransom and restoring everything takes three months, or you don’t pay and the rebuild takes four months, then that’s a decision you can make,’ states Van Britsom. ‘As a result, negotiating and exploring the various possible avenues together with our specialists ensures that, on average, fewer ransom payments are made.’
What about cyber insurance for private individuals?
As a private individual, you can also take out insurance against damage caused by cybercriminals, although the range of options available in Belgium is limited. Often, it’s part of a family insurance policy or digital protection that provides cover for:
- Online fraud
- Identity theft
- Reputational damage
- Hacking
These policies are not yet as common as they are among businesses, which means that they may sometimes still have gaps or are not fully tailored to the needs of private individuals.
Vergote: ‘The key question for private individuals is how far the cover extends. Are you covered if a cybercriminal manages to deceive you and steal thousands of pounds from your account? And to what extent does that cover lapse if you have been careless yourself, for example by reusing passwords?’

He also makes an important distinction between businesses and private individuals: ‘A business has a certain reputation, which can be shattered in the event of a cyber incident and have consequences for its turnover. The situation is different for private individuals; no one will look down on you if you become a victim. Moreover, the chance of causing damage to others is also small.’
What can you do yourself as an individual?
Although cyber insurance may provide a useful safety net for private individuals, you are still primarily responsible for your own online security. You can keep your systems secure by being aware of the risks, making optimal use of existing resources and by keeping your devices and apps up to date.
- Use two-step verification (2FA, also known as multi-factor authentication or MFA). In addition to your password, you also need to enter a code (sent by email, text message, or an authenticator app). This means that a hacker who is able to guess or intercept your password cannot simply access your account.
- If you receive a phone call “from the bank” or a WhatsApp message from an unknown person claiming to be a friend or family member, this could be an attempt at fraud.
- If you receive an approval request from Itsme when you are not expecting one, decline it.
- Use a different and preferably difficult password for each account. A password manager can help you store your different passwords for each website.
- Change your passwords regularly, especially for accounts that do not have 2FA. It is advisable to do this at least annually or more frequently.
‘It won't happen to me’
If, like many people, you think that it won’t happen to you, then you’re mistaken. One of the people at DNS Belgium had a close encounter with cybercrime in a previous job. ‘I worked in a notary’s practice,’ she relates. ‘During the Covid-19 pandemic, we were suddenly required to work from home. Back then, the infrastructure wasn’t set up for this and so we did not have proper security. One day, a client received an email claiming to come from me, requesting a transfer of 100,000 euros as an advance payment.’
This wasn’t unusual in itself: the practice always requested a ten per cent deposit when a sales agreement was signed. However, the email had not actually been sent by our colleague, and it contained a Dutch bank account number. The client, a solicitor, transferred the amount to the cybercriminals’ account. Alarm bells should have rung when her bank contacted her to ask if she was sure she wanted to transfer such a large amount to a Dutch account number.
‘Luckily, as a notary’s practice, we were insured for this and the client got her money back,’ continues our colleague. ‘It was all sorted out pretty quickly and the practice didn’t suffer any damage to its reputation. It turned out that we were by no means the only ones in our sector to be targeted during that period.’
Since that incident, the network has been properly secured. The practice now calls each client to confirm the account number and asks them to carefully check that the deposit and balance are transferred to the right number. ‘And if I receive an email asking me to transfer a large sum of money, I always call to double-check.’
The cloud makes our work easier and more efficient, but it also brings new challenges. How can you ensure your data and systems stay secure in the cloud? In our next article, we’ll explore key considerations and best practices for effective cloud security.