Businesses are being warned to carefully check their cyber insurance policies and their appropriateness as many do not provide important cover for common attacks, such as the damage to revenue and profits from ransomware attacks.
Analysis by CyberDecider, the cyber insurance comparison engine that covers policies accounting for 80% of the UK market, found that the variability of policies means many businesses will be getting insurance that does not cover them for such key risks.
For instance, CyberDecider’s research shows that about a quarter of cyber insurance policies reviewed would not adequately cover businesses for the loss of revenue from such attacks, yet for many organisations this is likely to be by far the biggest cost.
A recent Lloyd’s of London report, “Closing the gap: Insuring our business against evolving cyber threats”, found that ransomware was one of the three biggest cyber threats to businesses in sectors such as IT, professional services, healthcare, the public sector, education, media, transport, hospitality and utilities.
Examples of problems organisations and their brokers currently face when dealing with cyber insurance policies:
a) Policies often use different definitions and terms for the same thing, or include the same thing under different headings and sections – making policy comparison both time-consuming and laborious.
b) Often policies use different definitions, right down to the most basic elements like “what is a computer”. For instance, some policies include industrial control systems in their definition and some don’t, a pretty vital distinction for many businesses!
c) There is a high and surprising variability of what is covered between different policies. For instance, while most policies are pretty similar in their coverage of privacy issues, there is a lot of disparity around business interruption issues.
The WannaCry ransomware attack in May of this year was reported to have infected more than 230,000 computers in over 150 countries (Wikipedia). It was followed in June by the ransomware NotPetya, which also severely disrupted numerous large organisations internationally (Wikipedia).