5 Cybersecurity Insurance Limitations | Vumetric

5 Limitations of Cybersecurity Insurance


    Cybersecurity insurance is a growing sector, as more and more companies are paying premiums that they hope will cover their losses in the event of an incident. Despite this, only a third of organizations have any form of cyber insurance. In fact, market growth has been slowing of late, and for a number of very good reasons. The fact is that there are some significant shortcomings to cybersecurity insurance.

    Here are 5 limitations of cybersecurity insurance:

    1. Cybersecurity insurance has many limitations

    Cybersecurity insurance is very hard to underwrite, which means that most insurers tend to have some very broad limitations. One limitation that often comes up is that they do not cover “acts of war.” This clause has been used as justification to deny coverage for attacks even if they have not been demonstrated as being caused by a foreign government. In fact, most major incidents that occurred in 2019 were not covered due to this clause.

    Additionally, insurance only covers the direct cost related to a cyberattack, which means that no insurance can help you recover from the intangible losses in customer trust and reputational damage caused by such incidents. Another major limitation is that cybersecurity insurance generally does not cover physical damage or bodily harm caused by a malfunction of your industrial equipment, should it be hit by a disruptive cyberattack, a threat that has been growing tremendously of late in the manufacturing industry.

    Because these policies are relatively new, it is hard to know what is covered and what is not. Coverage has only been extended to smaller businesses in the last few years, and there is not a huge body of legal precedent to know what insurers may do following a cybersecurity incident.

    2. It creates a false sense of security

    Furthermore, cybersecurity insurance often creates a false sense of security, leading insured companies to believe that their entire financial losses will be covered following an incident. This leads many of them to neglect their security and to reduce their budgets for IT security, leaving them even more at risk of a cyberattack.

    The truth is, the majority of insurers will deny a company’s claim if their cybersecurity measures have been deemed insufficient, just as an insurer may refuse to pay out a theft claim if the thief got through your back door that was propped open with a brick. This means that your cybersecurity risks should never be taken lightly, even if you have insurance, as it could be the main reason why your claim is denied.

    3. It forces you to disclose details on your cybersecurity

    Before you can be insured, most providers will require detailed information on your cybersecurity management such as your security practices, your policies, the measures you’ve taken to secure your company, etc. This means that your insurer could require you to comply with their security practices before you can be insured, forcing you to create new cybersecurity policies, to raise your budget in IT security, to carry out IT security audits / penetration tests of all your systems and infrastructures on a regular basis and much more. As a result, you might be forced to spend more resources on security controls than necessary, on top of your insurance premium, before you can even benefit from it.

    While their strict requirements will often help you mitigate your risks, they will leave you spending more on your cybersecurity than you could have spent in the first place to prevent any incidents. Even worse, these investments are often wasted as companies will only validate these security controls to comply with the requirements, leaving them aside and neglecting them once they have successfully been insured. This negligence will often be used as justification for the insurer to avoid paying out any claims.

    4. It does not cover attacks carried out internally

    Moreover, this insurance does not cover the losses associated with an attack or a data breach carried out internally by a malicious actor, an intern or a temporary employee whose access within the systems had not been carefully secured and validated. This also means that negligence from an employee, such as losing a company laptop with valuable customer data, or getting infected through a phishing attack (the act of sending a coercive email to infect a system or to gain a user’s authentication data) will not be covered by the premium. To make matters worse, nearly 90% of cyberattacks in 2017 were caused by human error, which means that the majority of incidents generally fall under negligence from an employee and are not covered by this type of insurance.

    5. Cybersecurity insurance cannot stop intangible losses

    Another shortcoming of cybersecurity insurance is that while it covers the costs needed to recover from an attack (such as incident response, technical restoration, etc.), it does not cover any long-term intangible losses that inevitably result from a cybersecurity incident. Whether the loss comes from stolen trade secrets that were potentially sold to your competitors, a loss of trust from your customers, or a drop in your company’s shares, your insurance will only cover a small portion of the overall cost of the incident, which might not even be sufficient for your company to fully recover from it. This is why you should never rely on it to cover all your losses.

    In conclusion

    None of this means that it is necessarily a bad idea to take out a cybersecurity insurance policy if you can find one that is affordable and meets your needs. However, you need to be fully aware that there are limitations to cybersecurity insurance, that it can only help with some losses and that it shouldn’t be a reason to neglect your IT security.

    Much better is making sure that you have a good security plan in place to nullify the need for insurance coverage in the first place. Protecting yourselves, your employees, and your customers requires taking all the necessary actions, even if you are insured. Reach out to an experienced specialist to learn more about how you can mitigate your cybersecurity risks to prevent any incidents.
