Does Cyber Insurance Pay Out?
Over the last decade, one of the most common gripes I’ve heard about cyber insurance is that policies “don’t pay out.” Cyber coverage is often perceived as being illusory and riddled with “gotcha” clauses. This isn’t the reality, and it comes from sources that—I daresay—are never in doubt, but often wrong.
Cyber insurance is an incredibly valuable tool to protect your company’s balance sheet and data—and if you’ve purchased the right policy, it does pay out.
Numbers Don’t Lie: A Look at Cyber Claims Data
First, let’s look at some objective claims data. The NetDiligence 2024 Cyber Claims Study contains information on 10,464 cyber claims over the last four years (nearly 5,000 of which were submitted in 2023 alone). Within that data set, $4 billion in claims have been paid, and over 400 claims exceeded $1 million in loss. Ransomware claims for middle-market businesses continue to average about $500,000 per event, while for large enterprises the numbers are in the staggering eight-figure loss ranges. Crisis costs (including the costs to engage a privacy attorney to help navigate an incident and establish privilege, a digital forensics incident response firm [DFIR], and specialists to handle public relations, notification, and credit monitoring) average about 52% of expenses.
QBE, a global insurer, recently published its 2024 Cyber Insurance Report, where risk managers and cyber insurance buyers describe their service from insurers as positive. The vast majority confirmed that their insurers supported them in their time of need, with quick claims handling, efficiency, and focus on superb servicing. Only 6% of survey respondents felt insurers were not meeting their needs, with the rest of the population either being satisfied (48%) or having no claims experience (46%). Another important takeaway: Overall, survey respondents appreciated and were satisfied with the incident response planning and support during crises.
And finally, according to JD Power, 97% of businesses with cyber insurance that experienced a cyber attack said their insurance adequately covered their losses. Most companies with cyber coverage gave their cyber insurance programs an overall satisfaction rate of 7.19 out of 10.
When you take a step back and look at the statistics, the background noise collapses under the weight of its own nonsense.
Coverage Matters
One way to ensure that your cyber events will be covered is to remember that coverage matters. Think about some common terms in a cyber policy and whether you understand the breadth of coverage against your company’s unique risks:
- Does the definition of Confidential Data include all the data points your organization collects and stores? Do you carry data beyond the “traditional” legal definition of personally identifiable information (PII) like GPS data, device interactive data, cookies, and biometric data?
- Does your policy’s definition of Insured Computer System include all the components within your enterprise, like operational technology, building management systems, and cloud environments?
If the answer to these questions is “no”—or worse, “I don’t know”—you need to consider whether your current cyber insurance policy is built for you or if it’s an “off the shelf” and commoditized product. Having a customized product is the best way to ensure you’ll be covered for any claims you file.
“Coverage matters” is part of our guiding ethos within the Woodruff Sawyer cyber team. If you want to hear our thought process in action, we go through various iterations of coverage issues with our friends at Lowenstein Sandler on their “Don’t Take No for an Answer” podcast.
Work with Vendors Effectively
One of the most common friction points in claims that I’ve seen in my decade in the business is the misalignment of the cyber insurance policy with the policyholder’s chosen incident response vendors. Most cyber insurance policies include a panel of pre-approved incident response vendors like attorneys and DFIR firms. Insureds usually can’t go off-panel, and if they do and expect to recover expenses from the policy, it results in a terrible claims experience.
However, this same friction point can be turned on its head to be a keystone of strength and agility within the company’s cyber risk management strategy. Your broker should be engaging you and the underwriter in a proactive discussion around your preferred vendors or facilitating introductions to the insured’s panel of vendors so you can clear conflicts, sign or draft engagement letters, and familiarize these vendors with your organization and tech stack. That way, during a cyber attack, where time is always your most precious resource, you and the insurer can focus on getting you back online instead of haggling over vendor rates and contracts.
Furthermore, cyber insurance policies often include various complimentary or highly discounted risk mitigation services. Unfortunately, the majority of cyber insurance buyers are not using these risk management services. Insureds should take the opportunity to meet with potential vendors to become familiar with their skills; these can be leveraged to round out your cyber incident response plan.
Being proactive about your incident response strategy, including insurance resources and requirements, ensures a smoother response after a cyber attack.
Don’t Chase the Shiny New Toy
Finally, keep in mind that the quality of coverage you get is correlated to the premium paid. In the universe of cyber insurance, you do get what you pay for—and a lower rate with an unestablished company isn’t always worth it.
Working with established and mature insurance companies that offer broader coverage, price stability, and experienced and unconflicted claims handlers will make all the difference where the rubber meets the road. In an increasingly “soft” cyber insurance market, it is important to be pragmatic and thoughtful about coverage, including weighing the risks of moving from one carrier to another for one-time premium savings gimmicks or promises of broader coverage at a steep discount.
Review and analyze every option in detail. Ultimately, you may be better off staying with your trusted insurer, paying a bit more premium, or taking a higher deductible instead of running to the shiny new player in the room.
Partner with an Experienced Cyber Broker
Cyber insurance is a complicated and ever-changing insurance product with disparate coverage terms and conditions. With roughly 150 insurance companies writing cyber insurance today, there are at least 150 disparate cyber insurance policy forms. Therefore, it’s imperative to partner with a broker who understands the coverage at a granular level, and, equally importantly, who knows how to guide the buyer through the cyber risk discovery process.
If you want fit-for-purpose cyber insurance coverage that addresses your company’s risks, you need to understand your data, operational, and interruption risks—as well as their financial magnitude. This will allow you to align the right policy with your exposure.
A generalist broker who tries to “wing it” is like a monkey staring at a wristwatch. The watch may be fascinating, but the monkey doesn’t understand what this complex tool is trying to communicate—let alone how to fix it.
The competence of the broker representing you in the marketplace is the most influential factor in the quality and efficacy of the coverage you are paying for.
In the end, this will be the most important factor in how your cyber claims are covered, handled by the insurer, and ultimately paid and settled.