Is Cyber Insurance Void If I'm Not Patched?
s risks related to cybercrime and the cost of associated damages increase each year, cyber insurance has become a fast-growing field. Insurance agency PWC estimates that by 2020 cyber insurance premiums will reach $7.5 billion, up from $2.5 billion in 20151. Cyber incidents including data breaches, DDoS attacks, and cyber extortion are not covered by general liability and errors and omissions insurance, and major corporations have paid the price: In 2011, Sony was found liable for a $171 million loss2 related to the PlayStation hacker breach, because their policy covered only damages to physical property.
As Sony found, the cost of recovering from a cybersecurity incident can quickly add up. Losses can stem from failure to collect revenue while systems are inoperable, payments made to cyber criminals, cost to settle lawsuits following a data breach, and expenses associated with reputation management and remediation efforts to prevent another incident.
With the costs of cybercrime expected to reach $2 trillion by 20193, many companies are looking to cyber insurance as a way to protect their business, but it is not always the magic bullet companies expect it to be. Because cyber insurance is a relatively new industry, insurers have difficulty estimating the amount of claims they will need to fill each year. As a result of this, premiums can be high and coverage gaps or loopholes that allow the insurance company to get out of paying a claim are common.
One way insurers protect themselves is by requiring companies to provide a cyber risk profile and undergo an audit of their security systems and practices when they apply for coverage. Failure to adhere to the practices outlined in the application can result in claims being denied and the insurance policy being voided. This was the case for the Cottage Health hospital network, which saw a claim for over $4 million in losses denied after their insurer found that they had not regularly checked for and maintained security patches, which was outlined as part of their security procedures.
Neglecting Patching Renders Cyber Insurance Useless
Staying up to date on patching is one of the most common requirements of any cyber insurance policy: Almost all policies will have exclusions related to a failure to apply necessary security updates within a reasonable period of time. Known vulnerabilities are the biggest security threat to networks, and not patching them makes you an easy target for attackers.
Patching systems, encrypting data, and following other security best practices are precautions insurers expect companies to follow so that if a claim is made, they know it was not due to a preventable attack. However, some small and medium size businesses who purchase cyber insurance may falsely think that insurance is a replacement for other security measures such as utilizing firewalls, conducting security trainings to prevent against phishing and other scams, and checking for and applying patches on a regular basis.
1 https://www.pwc.com/gx/en/insurance/publications/assets/reaping-dividends-cyber-resilience.pdf2 https://www.cio.com/article/3065655/cyber-attacks-espionage/what-is-cyber-insurance-and-why-you-need-it.html3 https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#1223a2153a91
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.