Managing Cyber Risk Without Cyber Insurance Coverage: Strategies and Options

With the rising threat of cyberattacks, cyber insurance coverage is considered a necessity. However, some companies can’t afford or qualify for cyber insurance. Here are your options.

Stephen Lawton

April 6, 2023


Cyber insurance is now considered a must-have for corporations due to the rise in cyber threats against organizations large and small, but some organizations can neither afford nor qualify for cyber insurance.

In such cases, companies can consider other options, such as using existing insurance policies, self-insurance funds, and policies and procedures for handling cyberattacks.

“There are other forms of insurance that may respond to some aspects of the types of losses or claims that companies are likely to see if they are the victim of an attack,” said J. Andrew Moss, a partner at Reed Smith LLP’s Insurance Recovery Group.

Assess Existing Insurance Policies

Organizations should not overlook the insurance policies they already have. For example, if your organization has standard property and casualty (P&C) insurance, along with kidnap and ransom coverage – an unusual but generally available additional policy – and other corporate insurance policies, it might cover the fallout of a basic cyberattack, Moss noted.

“There are many industries where errors and omissions or professional liability would come into play,” he added.

Discussions with insurance brokers can provide insurance stress-testing services to advise on coverage limitations, said Peter Hawley, vice president of insurance at London-based risk management company Axio.

“Most disputes over insurance policies come down to the understanding of what is meant by the terminology,” Hawley noted. “This is an important step in assessing what insurance options suit the organization’s risk appetite.”

Risk managers, cybersecurity teams, and the C-suite should work together to address cyber risk and ensure operational resiliency through mitigation, failover strategies, and business continuity planning, Hawley said.

What To Do When Cyber Insurance Is Unavailable

In today’s chaotic cyber insurance industry, it is not uncommon for organizations to lose cyber insurance due to a breach, fail to qualify for a renewal, or not be able to afford or qualify for a new policy.

Reasons for failing to qualify could include falling behind on the necessary changes and upgrades to cybersecurity controls and filing multiple cyber insurance claims during a year.

If you can’t get cyber insurance, Mario Rodriguez, president of the Boston-based risk management firm Forseti Protection Group, suggested doing three things: implement strong cybersecurity policies and procedures; conduct a semi-annual risk assessment; and develop and test an incident response and business continuity plan.

At a minimum, these steps should give the company basic defenses in case of a cyberattack.

Additionally, consulting with a third-party vendor to assist in this process can help identify risks, collect data, and protect critical assets.

Cyber Insurance Should Not Replace Security Controls

Moss agreed that implementing security controls is essential, but he cautioned against buying an inexpensive, inefficient control just to check the box on an insurance form.

Citing the case of Travelers Property Casualty Company of America v. International Control Services Inc. in 2022, Moss noted that underwriters now ask more questions about the quality and effectiveness of security controls in a real-life situation. Just having two-factor authentication, for example, is insufficient if the control is outdated or unable to provide expected results.

“We're seeing a lot of follow-up questions from insurance underwriters,” Moss explained. “Many companies will say, ‘Look, we're always upgrading,’ ‘We're always trying to better ourselves,’ and things like that. I tell them to be careful about promising that because you don’t know whether you’re going to follow through with that, and there may be very legitimate reasons why you’re not going to.”

For instance, the risk landscape may change or your company may undergo corporate changes – e.g., your company gets acquired or acquires another company – affecting your security posture.

Hawley stressed that cyber insurance is not a replacement for the fundamental security controls all businesses should have. Cyber insurers are unlikely to provide a policy to an organization that does not have these controls in place.

“It’s better to see insurance not as a product that is being sold to you but as a service where you are paying someone to take away risk you don’t want,” Hawley said.
