Cyber insurance is a relatively new field. As such, it’s open to all sorts of confusion and misunderstanding.
That’s what the Virginia-based National Bank of Blacksburg is learning.
The bank and its insurer, Everest National Insurance Co., are in the midst of a legal battle over the insurer’s refusal to pay out on a cyber policy. Two separate cyber security hacks on the bank led to a loss of over $2.4 million. However, Everest National ruled that the theft fell under provisions for card-related fraud, since it involved malware installed on a system inside the bank that allowed the removal of protections on ATM withdrawals, including withdrawal limits. The card-related fraud coverage limit is $50,000, while the hacking provisions limit is a much more appropriate $8 million.
How Does Cyber Insurance Work?
Insurers typically base the probability of an incident affecting a potential insuree on masses of historical data and detailed analysis of possible protections. But in the digital world, there isn’t much history to analyze and the data that is available is flawed.
Even measuring mitigations is difficult. Cyber threats are constantly changing, so the exact benefit of a cutting-edge cyber security system or stringent set of policies is almost impossible to measure accurately.
Add to that the time-dependent nature of testing in the security space. The detection rate of an anti-malware product varies from hour to hour, making an accurate measure of effectiveness outrageously expensive.
As the insurance market matures, if insurance firms can successfully sell cyber-specific policies with enough exclusions to avoid payouts for standard cyber threats, they certainly will. This results in a lot of pressure on buyers to ensure their policies are actually worthwhile. Insurance companies are infamously cautious and of course make every effort to minimize payouts, relying on complex nesting of coverage and exclusions to make sure they only have to pay out when the exact requirements of a policy are met.
The pressure is on for insurees to understand the dense legal language of an insurance policy. Only the largest firms can afford to keep someone on staff with both the legal skills to be able to decipher policy text and the technical expertise to relate it to the company’s specific IT infrastructure and requirements. However, with GDPR’s heavy penalties for digital security and privacy failings, which also need to be insured against, the investment may be well worth it.
Invest Now, Stay Secure Later
Cyber attacks cost organizations millions of dollars every year. Your organization’s best defense is a staff prepared to defend your system. IEEE offers two cutting-edge online course programs to help make sure everyone in your organization understands the basics of cyber security. These two courses, Cyber Security Tools for Today’s Environment and Hacking Your Company: Ethical Solutions to Defeat Cyber Attacks, are designed to provide your entire technical staff and company leadership with the foundational skills and knowledge needed for today’s ever-changing cyber security landscape.