Guest blog: Cyber insurance, is it for you?

Posted by Virus Bulletin on Aug 14, 2014

Sorin Mustaca looks at how companies trading online can insure the risks they run.

Throughout its 25-year history, Virus Bulletin has regularly published technical analyses of the latest threats and defensive methods, and will continue to do so (with the material now available free of charge). We will also continue to post thought-provoking opinions from security experts, to encourage debate and discussion.

Today, we publish a guest blog by Sorin Mustaca. Sorin is well known to many in the industry and has regularly written for VB. In this post, he looks at the topic of cyber insurance.


If you own a car, you probably have car insurance, and if you own a house, you will have several kinds of insurance against almost any kind of damage that can affect your property - insurance against theft of items in your property, insurance against damage by flood, fire or accidental damage, and so on. Meanwhile, in various professions it is mandatory to have specialized insurance cover to protect customers against damage through negligence or failure to provide the appropriate level of service.

But what about a company's digital assets? Or the private customer data that is stored by a company? Should they also be insured? And if so, how?

What about security breaches? Should companies that store customer data take out insurance to protect them and their customers against loss of that data?

In this article I will discuss some of the pros and cons of what a cyber-insurance policy might cover. (Note that I am neither an insurance expert nor a lawyer, and I am not in any way involved in the insurance business.)

What is cyber insurance?

With the recent tremendous increase in data breaches, companies are starting to look for insurance products that will cover them in the event of such a breach - to cover the costs of recovery, business interruption, and any losses incurred in case of a lawsuit. Companies seeking such insurance policies are also driven by an increase in official regulations.

In order to mitigate losses (in this case, to transfer the risk) from cyber incidents and breaches of cyber regulations, the concept of 'cybersecurity insurance' (CI) was created more than 10 years ago.

As with any kind of insurance, the company that creates the insurance product must cover certain risks with a specified amount of money. In car insurance, for example, the risks are quite clear and the maximum amount covered is the value of the car. There are also insurance policies that cover the people in the car, but here too a fixed amount of money is usually specified.

In the case of health insurance, an assessment may need to be completed before the insurance policy is drawn up in order to assess the status of the client's health. Using statistical data, a policy may be sold or denied, and the price of the policy is determined accordingly. Additionally, customers may be offered various benefits if they follow a certain programme which is intended to reduce the customer's risk and hence the insurer's future costs. This way, both the client and the insurer benefit.

But how does this apply to cyber risks?


A cyber risk can have consequences outside of the immediate area of an event. Let's consider a breach where the company loses some business opportunities, invests time and resources in investigating and fixing the problems, and has to refund customers that might have been affected. If news of the breach goes public, then there are further factors that will cost the company money, such as loss of reputation.

Let's start with the most obvious:

  • If customer data gets stolen or destroyed, not only is the company affected, but also its customers. The risk can be measured by analysing statistical data from similar previous events, and the risk can be covered.
  • Loss of reputation is something that can have a long-term impact, and in some cases it can even cause the affected company to go out of business. This is very hard to measure because the process of losing opportunities is a very slow one.

Insurers have yet to develop an evidence-based method to assess a company's cyber-risk profile. This can result in high premiums, low coverage, and broad exclusions of risks.

However, what I like most about many types of insurance is the fact that they motivate clients to act with caution and to take steps to mitigate risk in the area in which they are providing cover. As with health insurance, cyber insurance could become less expensive if the company taking out the policy can prove it follows certain security practices that might reduce the chance of it having to make a claim - for example:

  • Hardening systems, including software patching and updating
  • Installation and running of security systems on all devices (client and servers, including gateways)
  • Having security policies in place (certain password strength, password expiration, blocked USB ports, etc.)
  • Constant use of a vulnerability scanner
  • Network and/or host intrusion prevention systems
  • Backup and contingency plans in place
  • Existence of a product and/or computer incident response team, depending on the company being insured
  • Continuous monitoring of exposed services against suspicious usage (possibly with an application firewall)

But how do the insurance companies assign a price tag to the risks, considering that the business value of the companies they insure can vary widely?

They likely have a coefficient of risk which is independent of the financial value of the risk insured. For example, the website of an online shop has a higher likelihood of being compromised than that of a car dealer. Additionally, there will be a factor which is dependent on the company's cybersecurity profile. A company that follows many of the security practices listed above is likely to be deemed a much lower risk than a company that does not follow the same security practices.

Together, these two variables can help determine the impact of a certain risk on a company. For readers who want to know more, this process is known as threat modelling, and it uses a threat risk assessment model.
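To make the two variables concrete, here is an added toy model in Python; it is not from the article and not any insurer's actual method. It assigns a base annual compromise likelihood per business type (independent of the company's financial value), scales it by the controls a company can evidence (named after the practices listed above), multiplies by the loss a breach would cause, and derives a premium from the payout capped at the cover limit. Every number, control name and function here is a constructed assumption.

```python
from dataclasses import dataclass
from math import prod

# Constructed base likelihood (per year) that a business of a given kind is
# compromised, independent of the insured's financial value. Illustrative only.
BASE_LIKELIHOOD = {
    "online_shop": 0.30,
    "car_dealer": 0.08,
}

# Hypothetical controls, following the practices listed in the article. Each
# entry is (reduction in likelihood, reduction in loss given an incident), as
# fractions. The numbers are assumptions, not actuarial data.
CONTROLS = {
    "patching":               (0.25, 0.00),
    "endpoint_security":      (0.15, 0.00),
    "security_policies":      (0.10, 0.00),
    "vulnerability_scanning": (0.15, 0.00),
    "intrusion_prevention":   (0.15, 0.10),
    "backups":                (0.00, 0.40),
    "incident_response":      (0.00, 0.30),
    "monitoring":             (0.10, 0.20),
}


@dataclass(frozen=True)
class Profile:
    business: str            # key into BASE_LIKELIHOOD
    loss_if_breached: float  # assumed single-loss expectancy in currency units
    controls: frozenset      # subset of CONTROLS keys the company can evidence

    def __post_init__(self):
        if self.business not in BASE_LIKELIHOOD:
            raise ValueError(f"unknown business profile: {self.business}")
        unknown = set(self.controls) - set(CONTROLS)
        if unknown:
            raise ValueError(f"unknown controls: {sorted(unknown)}")


def likelihood(p: Profile) -> float:
    """Annual compromise likelihood: base rate scaled down by each control."""
    return BASE_LIKELIHOOD[p.business] * prod(1 - CONTROLS[c][0] for c in p.controls)


def residual_loss_factor(p: Profile) -> float:
    """Fraction of the single-loss expectancy still expected after controls."""
    return prod(1 - CONTROLS[c][1] for c in p.controls)


def expected_annual_loss(p: Profile) -> float:
    """Likelihood times impact: the classic annualised loss expectancy."""
    return likelihood(p) * p.loss_if_breached * residual_loss_factor(p)


def premium(p: Profile, cover_limit: float, loading: float = 1.5) -> float:
    """Insurer's expected payout, capped at the cover limit, times a loading
    factor for expenses, profit and model uncertainty."""
    capped_payout = min(p.loss_if_breached * residual_loss_factor(p), cover_limit)
    return likelihood(p) * capped_payout * loading


if __name__ == "__main__":
    # Constructed sample companies, all with the same assumed breach cost.
    shop_bare = Profile("online_shop", 1_000_000, frozenset())
    shop_hardened = Profile("online_shop", 1_000_000,
                            frozenset({"patching", "backups", "monitoring"}))
    dealer = Profile("car_dealer", 1_000_000, frozenset())
    for name, p in [("shop, no controls", shop_bare),
                    ("shop, hardened", shop_hardened),
                    ("car dealer, no controls", dealer)]:
        print(f"{name:24s} likelihood={likelihood(p):.3f} "
              f"EAL={expected_annual_loss(p):,.0f} "
              f"premium={premium(p, 250_000):,.0f}")
```

The separation matters for the discussion above: the business-type coefficient and the controls factor set the likelihood, while backups and an incident response capability mostly reduce the loss once an incident has happened. Running the sample shows the hardened shop's expected annual loss dropping to well under a third of the bare shop's, which is the kind of evidence an insurer could use to price a lower premium.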

The real art of the insurance business is putting a price tag on the risk assessment. I don't expect there to be much science behind this. My expectation is that it is a mixture of analysing old events, experience gathered in other fields, and gut feeling.

I would be interested in learning others' views on this topic. If you know more about cyber insurance, or have an opinion on the matter, please contact me.

Do you have a clear opinion on a topic in information security? Is the industry doing it all wrong, or do we simply need to learn about a new topic? We're always looking for security researchers to share their thoughts with a broad security audience. Please get in touch if you're interested in sharing your opinion with VB's audience!



