Insurability: The Long Term Impacts of a Cyber Attack

Severin Pietri
Insights | 8/16/2021

If your business has been a victim of a cyber attack, you are well aware that the immediate priorities are to resume operations as quickly as possible and protect your information, which requires engaging emergency cyber security consultants or paying a ransom. Your next step will be to invest in cyber security or increase your current safeguards.

Once you have resolved your cyber attack and implemented new processes and policies, you may think your business is now safe, but what about the long-term impacts of the cyber attack? How will this affect the future of your business’ operations?

Applying for Cyber Security Insurance

Crowe MacKay’s technology consulting team have been assisting clients in reviewing their cyber security insurance policies, and have observed how the landscape of cyber insurance is changing, specifically surrounding the types of questions insurers are asking businesses.

Previously, insurers would ask a limited set of questions in the underwriting form, such as:

  • Do you have backups?
  • Do you have antivirus?
  • Do you have a disaster recovery process?

Following the increase in successful cyber attacks and the somewhat slow response from businesses in strengthening their defences, insurers are becoming more detailed and pointed in the questions they ask. Some examples of these include:

  • Do you test your recovery process yearly?
  • Do you have multi-factor authentication?
  • Is your backup procedure using technology that will protect from a ransomware attack?
  • What is the brand and type of firewalls and routers used?
  • Do you have a cyber security incident recovery plan, and has it been tested?

Answering “No” or providing an answer that does not meet the criteria of the insurer may result in much higher premiums or a refusal by the insurer to underwrite you, leaving your business fully exposed and with no safety net.

These changes are in response to the increase in cyber security attacks and in claims made by businesses, which result in higher losses for insurers. You can expect to see this trend continue and even a potential tightening of the process in the future.

Selecting Cyber Security Insurance for Your Business

As you look to protect your business, insurers are looking to mitigate their risks. What does this mean when it comes to your cyber security insurance? 

Crowe MacKay’s technology consultants have seen insurers adding limiting clauses to their policies which will drastically reduce the amount payable to you by the insurer in the event of a cyber attack.

Examples of clauses you may find in a policy are as follows:

  • Authentication information stolen through social engineering
    In the event that the cyber attack on your company, and the resulting losses, originated from the acquisition of log-in credentials via social engineering or phishing, the limit can melt from an original $2 million coverage down to $20,000.
  • Generic limitation on phishing attacks
    Insurance policies may stipulate a lower limit for phishing attacks, generally to 1% of your total cover.

Can an Insurer Refuse Insurance After a Cyber Attack?

It has been reported to us that numerous insurers refused to underwrite businesses if they had a cyber security event in the last year. More importantly, some of the cyber security incidents at the root of the refusal were benign in nature and resulted in no claim filed with the insurer.

A provider may refuse to renew your insurance while you are in the process of renewing your policy, potentially putting you in the position where you may end up with no insurance policy for a period of time. A cyber security event during such a period could result in a dramatic situation for your business.

For clients that have been able to secure a new policy following an event, we often see an increase in their premiums by more than 50%.

How to Protect Yourself from a Cyber Attack

With the continuous increase in sophisticated cyber attacks and the hardening of the insurance market, Crowe MacKay’s technology consultants strongly recommend companies take proactive steps to strengthen their defences against hackers.

A successful cyber attack will not only damage your business in the short term but leave you more exposed in the long term if insurers refuse to underwrite your business. Executing a cyber security risk assessment is the first step in strengthening your position.

 This article has been prepared for the general information of our clients. Please note that this publication should not be considered a substitute for personalized advice related to your situation.


Crowe MacKay’s Technology Consultants have decades of experience advising clients on how to protect and enhance their business through the implementation of new technology-centered strategies. We work with you to ensure your digital transformation not only meets your business’ needs but exceeds your expectations.

Severin Pietri is part of our firm's Technology Consulting practice, where he helps clients automate their business processes, manage their cyber security risk, implement a digital strategy, and develop and deploy AI-enabled decision support engines. Severin has held roles of Chief Architect in a multinational consultancy firm, System Architect for a Canadian exchange, and the Global Head of Tax Transformation for a global bank headquartered in the UK.
Severin Pietri
Director, Technology Consulting

Let's Discuss!

Connect with a trusted Crowe MacKay advisor to discuss your specific situation by calling us toll-free at 1 (844) 522 7693, emailing [email protected] or by completing the form.