Is Your Cyber Insurance Keeping Up?

05/23/2025 Written by: AP Property & Casualty

Cyber threats aren't just a concern for IT teams anymore. They’re a serious business risk with financial and reputational consequences. From operational disruption to legal costs, the impact of a cyber event can be widespread and long-lasting. That’s why cyber liability insurance is no longer optional. But with threats becoming more advanced and policies varying widely, many businesses don’t know if their current coverage is enough. If you haven’t reviewed your cyber insurance recently, now is the time.

The Changing Nature of Cyber Threats

Cybercriminals are constantly adapting, using more sophisticated tools and methods. Businesses of all sizes are being targeted, not just large enterprises. Here are some of the most pressing threats heading into 2025:

  • Ransomware, Now with Double Extortion: Ransomware continues to be one of the most prevalent and damaging forms of cyberattacks. Attackers not only lock your data but also threaten to leak it unless a ransom is paid. These operations are hitting critical infrastructure and industries like healthcare and financial services especially hard.
  • Nation-State Attacks: State-sponsored hackers are increasingly targeting sectors like defense, energy, and logistics, aiming to steal sensitive information, disrupt operations, and gain a strategic advantage. These are often well-funded and difficult to detect.
  • IoT Vulnerabilities: The proliferation of IoT devices presents a growing security challenge. As more devices become interconnected, the attack surface expands, providing new entry points for attackers.
  • AI-Powered Attacks: Artificial Intelligence (AI) is revolutionizing many industries, including cybersecurity. Criminals are now using AI to automate phishing, evade detection, and analyze stolen data more efficiently.
  • Quantum Threats on the Horizon: While quantum computing isn’t an immediate risk, it could one day break today’s standard encryption methods. Businesses should start exploring quantum-resistant solutions.

Common Vulnerabilities That Put Businesses at Risk

Businesses of all sizes are targets for cybercriminals. Small businesses, in particular, may lack the security infrastructure of larger enterprises, making them even more vulnerable to attacks, which often rely on common, preventable weaknesses to breach systems. These include:

  • Weak Passwords and No Multi-Factor Authentication: Even a strong password can be compromised if not backed by a second layer of verification.
  • Outdated Systems: Software that isn’t updated regularly is vulnerable to known exploits.
  • Lack of Employee Training: Most breaches start with a simple phishing email. Without training, employees remain the weakest link.
  • Unsecured Smart Devices: Many businesses add IoT devices without fully considering security implications. Unsecured devices can be exploited to gain access to critical systems and data.
  • No Incident Response Plan: If a breach happens, do your employees know what to do? Without a clear plan, damage can escalate quickly.

Signs Your Cyber Coverage Might Be Inadequate

Having a cyber insurance policy is one thing. Knowing that it will actually protect you during a crisis is another. Here are some red flags:

  • Outdated Policy Language: If your policy doesn’t mention newer threats like AI-driven attacks or quantum computing risks, it might be time to update.
  • Low Limits: Cyber incidents can rack up costs fast—from legal fees to business interruption. Make sure your policy limits reflect today’s realities.
  • Data Exclusions: Does your policy cover sensitive client data, intellectual property, and financial records? Some policies limit what's protected.
  • No Third-Party Coverage: If you rely on vendors or cloud providers, ensure their failures are covered too.
  • No Regulatory Protection: Many cyber incidents result in fines or penalties. Look for coverage that includes regulatory defense and settlements.
  • Claims-Made-and-Reported Restrictions: Some policies require both the event and the claim to be reported within the policy period. Delay could jeopardize your payout.

Understanding Cyber Coverage Types

Cyber insurance is different from other commercial insurance policies. It’s not ISO-standardized, which means policy language and coverage can vary from carrier to carrier. Here's what to look for:

First-Party Coverage

First-party coverage protects your business directly. This includes:

  • Ransomware Attacks: Coverage for ransom payments, data restoration, and business interruption.
  • Social Engineering Fraud: Protection against losses from deceptive practices that trick employees into transferring funds.
  • Business Interruption: Compensation for economic losses during downtime caused by a cyber event.
  • Digital Asset Restoration: Costs to replace, restore, or recreate digital assets altered, destroyed, or stolen due to a security failure.
  • Bricking: Coverage for replacing hardware rendered inoperable by a cyberattack.

Third-Party Coverage

Third-party coverage deals with liabilities arising from breaches affecting others' data. This includes:

  • Network and Information Security Liability: Coverage for claims related to security failures and data breaches.
  • Privacy Liability: Protection against claims for failing to disclose a security breach or comply with privacy policies.
  • Regulatory Defense and Penalties: Coverage for defense costs and penalties from regulatory proceedings.
  • Funds Transfer Fraud: Protection against fraudulent instructions directing the insured or their financial institution to transfer funds.

Real-World Claim Scenarios

Business Email Compromise

In a typical scenario, a phishing email allows a cybercriminal to gain access to a company’s email system. The attacker monitors the system, learns the communication patterns, and eventually sends a fraudulent email with instructions on how to send settlement payments to a new account. The company representative complies, and the fraud is discovered only when they follow up on their settlements.

Cyber Extortion and OFAC Compliance

Cyber extortion coverage can vary significantly between policies. Some carriers offer to pay on behalf of the insured, while others provide reimbursement. Extortion expenses typically include money, securities, Bitcoin, or other virtual currencies paid at the direction of the extortionist, with prior consent from the insurer.

The Office of Foreign Assets Control (OFAC) plays a significant role in cyber insurance, particularly in ransomware claims. If a threat actor is on the OFAC Specially Designated Nationals (SDN) list, neither the insurer nor the policyholder can legally pay the ransom. Insurers must ensure compliance with OFAC regulations, adding a layer of complexity to the claims process.

Best Practices for Cyber Risk Mitigation

Insurance is only part of a solid cyber risk strategy. Strong internal practices can lower your risk and make your coverage more effective:

  • Backup and Recovery: Schedule frequent backups and test your restoration process to ensure your recovery plan is effective.
  • Advanced Threat Detection: Security Information and Event Management (SIEM) systems and Endpoint Detection and Response (EDR) tools can help detect issues before they spread.
  • Employee Training: Educate employees about cybersecurity best practices and the latest threats. Regular training sessions can help employees recognize and respond to phishing attacks, social engineering tactics, and other cyber threats.
  • Secure IoT Devices: Limit access, keep firmware up to date, and segment networks. Conduct regular security assessments to identify and address vulnerabilities in IoT devices.
  • Monitor Vendors: Make sure your partners meet your security standards and have measures in place to protect your data.
  • Use AI Defensively: AI isn’t just for hackers; incorporate AI and Machine Learning to identify anomalies and improve threat response.
  • Prepare for Quantum Risks: Begin evaluating quantum-resistant encryption methods. Collaborate with cybersecurity experts to develop strategies for protecting data against quantum-powered attacks.
  • Have an Incident Response Plan: Create a comprehensive incident response plan that outlines the steps to take in the event of a cyberattack. This plan should include roles and responsibilities, communication protocols, and procedures for containing and mitigating the attack.

Partner with the Right Insurance Broker & Risk Advisor

Cyber insurance isn’t plug-and-play. It takes a knowledgeable partner to help you:

  • Understand Policy Details: Definitions matter. So do exclusions, sublimits, and conditions. In addition, a broker with experience in your industry will have a better understanding of the specific cyber risks you face and can tailor coverage to meet your needs.
  • Services and Coverage: Your broker should offer comprehensive services, including risk assessments, policy reviews, and incident response planning to help your business proactively identify and mitigate cyber risks. In addition, your broker can benchmark your coverage so that you know how your limits and protections compare to peers in your industry.
  • Coordinate Response Services: Look for a broker with a proven track record of helping businesses recover from cyber incidents. A well-connected broker can provide access to a network of cybersecurity experts, legal professionals, and crisis management firms.
  • Adapt to New Risks: Your broker should be knowledgeable about the latest cybersecurity trends to help you evolve your coverage as threats change. They should also provide recommendations for enhancing your cyber risk management strategy.

Investing in cybersecurity measures, staying informed about emerging threats, and adopting a proactive approach to risk management are key to ensuring that your business is protected. Remember, cybersecurity is not a one-time effort but an ongoing process that requires vigilance, adaptation, and continuous improvement.

Not sure if your cyber coverage is up to date? Let’s review it together. Contact our Cyber & Risk Advisory team for a consultation.
