5 Limitations of Cybersecurity Insurance

Cybersecurity insurance is a growing sector, as more and more companies pay premiums they hope will cover their losses in the event of an incident. Despite this, only about a third of organizations carry any form of cyber insurance, and market growth has been slowing of late for a number of good reasons: cybersecurity insurance has some significant shortcomings.

Here are 5 limitations of cybersecurity insurance:

1. Policies carry broad exclusions

Cybersecurity insurance is very hard to underwrite, so most insurers write very broad exclusions into their policies. One that comes up often is the "acts of war" clause. It has been invoked to deny coverage for attacks even when attribution to a foreign government has not been demonstrated, and insurers have relied on it in disputes over several major incidents in recent years.

Additionally, insurance generally covers only the direct costs of a cyberattack, so no policy can help you recover from the intangible losses in customer trust and reputation that such incidents cause. Another major limitation is that cybersecurity insurance generally does not cover physical damage or bodily harm caused by industrial equipment malfunctioning after a disruptive cyberattack, a threat that has been growing rapidly in the manufacturing industry.

Because these policies are relatively new, it is hard to know what is covered and what is not. Coverage has only been extended to smaller businesses in the last few years, and there is not yet a large body of legal precedent indicating how insurers will behave following a cybersecurity incident.

2. It creates a false sense of security

Cybersecurity insurance often creates a false sense of security, leading insured companies to believe that all of their financial losses will be covered following an incident. Many of them then neglect their security and cut their IT security budgets, leaving them even more exposed to a cyberattack.

The truth is that most insurers will deny a claim if the company's cybersecurity measures are deemed insufficient, just as an insurer may refuse to pay out a theft claim if the thief walked in through a back door propped open with a brick. Your cybersecurity risks should therefore never be taken lightly, even if you are insured, because weak controls can be the very reason a claim is denied.

3. It requires you to disclose details of your security posture

Before you can be insured, most providers require detailed information on your cybersecurity management: your security practices, your policies, the measures you have taken to secure your company, and so on. Your insurer may also require you to meet its own security standards before issuing a policy, forcing you to write new cybersecurity policies, raise your IT security budget, carry out regular IT security audits and penetration tests of all your systems and infrastructure, and more. As a result, you may be pushed to spend more on security controls than you otherwise would have, on top of your premium, before you can benefit from the policy at all.

While these strict requirements will often help you mitigate your risks, they can leave you spending more on cybersecurity than a well-planned program would have cost in the first place. Worse, these investments are often wasted: companies validate the controls only to satisfy the requirements, then set them aside and neglect them once they are insured. That negligence will often be used by the insurer as justification for refusing to pay a claim.

4. It often excludes insider attacks and employee negligence

Many policies exclude or limit the losses associated with an attack or data breach carried out internally by a malicious actor, an intern or a temporary employee whose access to the systems had not been carefully secured and validated. This also means that employee negligence, such as losing a company laptop holding valuable customer data or getting infected through a phishing attack (a deceptive email designed to infect a system or to harvest a user's credentials), may not be covered by the policy. To make matters worse, by some estimates nearly 90% of cyberattacks in 2017 involved human error, so the majority of incidents generally fall under employee negligence and are not covered by this type of insurance.

5. Cybersecurity insurance cannot compensate intangible losses

Another shortcoming of cybersecurity insurance is that while it covers the costs needed to recover from an attack (incident response, technical restoration, etc.), it does not cover the long-term intangible losses that inevitably follow a cybersecurity incident. Whether it is trade secrets that may have been sold to your competitors, a loss of trust from your customers, or a drop in your company's share price, your insurance will cover only a small portion of the overall cost of the incident, which may not be enough for your company to fully recover. That is why you should never rely on it to cover all your losses.

In conclusion

None of this means that taking out a cybersecurity insurance policy is necessarily a bad idea, provided you can find one that is affordable and meets your needs. However, you need to be fully aware that cybersecurity insurance has limitations, that it can only help with some losses, and that it should never be a reason to neglect your IT security.

A far better approach is to have a solid security plan in place that reduces the need for insurance coverage in the first place. Protecting yourself, your employees and your customers requires taking all the necessary actions, even if you are insured. Reach out to an experienced specialist to learn more about how you can mitigate your cybersecurity risks and prevent incidents.

A penetration test is a simulated hacking attempt that identifies the opportunities a real attacker would have to break through your defences and carry out malicious actions. It generally leverages the tools attackers use and established professional methodologies to replicate the steps a modern attacker would take to intrude into your IT systems.

A pentest attempts to exploit your vulnerabilities to determine their potential impact in a real attack scenario. It delivers a list of vulnerabilities with their respective severity levels, along with technical recommendations to help your team apply corrective measures and focus on the most critical issues first.

These services allow your organization to answer the following questions, among several others:

  • Can a hacker gain access to any sensitive information?
  • Can a hacker hijack my technologies for any malicious acts?
  • Could a malware infection spread through the network?
  • Can an attacker escalate access to an administrative user?


There are many contexts in which a penetration test should be performed.

Here are some common use cases for a pentest:

  • As part of the development cycle of an application. (To test the security of a new feature/app)
  • To comply with security requirements. (3rd-parties, PCI, ISO27001, etc.)
  • To secure sensitive data from exfiltration.
  • To prevent infections by malware. (Ransomware, spyware, etc.)
  • To prevent disruptive cyberattacks. (Such as denial of service)
  • As part of a cybersecurity risk management strategy.

All businesses are advised to conduct a penetration test at least once a year, as well as after any significant upgrades or modifications to the company network. Given the rapid rate at which new exploits are discovered, we generally recommend that quarterly tests are performed.

Various steps are taken over the course of the project to limit the potential impact of our tests on the stability of your technological environment and the continuity of your business operations.

For this reason, a communication plan is put in place at the beginning of the project to prevent and mitigate any potential impact. A representative of your organization is identified as the main point of contact to ensure rapid communication if a situation directly affects your daily operations, or if critical vulnerabilities are identified for which corrective measures need to be implemented quickly.

While we report a simple four-level risk rating (Critical, High, Moderate, Low), our risk assessment is based on the Common Vulnerability Scoring System (CVSS) standard. Two main criteria are considered when assessing the risk level of each vulnerability:

  • Potential impact: the potential impact of an attack exploiting the vulnerability, combining its effect on the availability of the system with its effect on the confidentiality and integrity of the data.
  • Exploitability: how easily the vulnerability can be exploited; a vulnerability that is easier to exploit widens the pool of potential attackers and thus raises the likelihood of an attack. Several factors are weighed when evaluating exploitability (e.g. access vector, authentication and access complexity in CVSS v2 terms, which CVSS v3 renames attack vector, privileges required and attack complexity).
