Who will pay for your cyber liabilities?

[Posted on behalf of Pushkal Mishra, AVP IT & CISO, HDFC ERGO Health Insurance Ltd]

The 2019 edition of the Symantec threat report reveals that:

- One in 10 URLs is malicious

- More than 70 million records were stolen from poorly configured S3 buckets

- Web attacks rose by 56%, with an average of 4,800 websites compromised each month

- Enterprise ransomware is up by 13%, mobile ransomware up by 33%

- 48% of malicious email attachments were found to be Office files

- An astounding 100% increase in malicious PowerShell scripts

According to Ponemon Institute research (Oct 2018), the average cost of a data breach amounts to $350 per record for incidents that involve 1 to 50 million records!

Can you ever be fully insulated from cyber attacks? Even though you have:


The truth is that no one is immune! The pace at which technology reinvents itself makes it a bit harder for security to catch up at the same pace. Besides, failure to upgrade technology, together with residual risks, acts as a ticking time bomb.

While technical vulnerabilities are still the biggest contributor to cyber attacks, of late attacks are shifting towards the exploitation of human vulnerabilities. And why not? Penetrating technology demands skill, time and money, whereas exploiting people is a relatively cheap endeavour: our curiosity, helpfulness, biases and greed make us an easier target than the technology. Consequently, phishing emails alone cause multi-million-dollar losses with far less effort.

So what is the way out?

I believe transferring some of those risks with an adequate cyber insurance policy is the answer to the question. Remember, cyber insurance is not a frequency-based product that you want to use for smaller issues. It is a crisis product that should be designed for, and used when, the usual measures don't work out.

So how does it work?

The first step in the cyber insurance scheme of things is to conduct a risk assessment to identify what is valuable and to arrive objectively at the limit of liability and the scope of cover.

Typically, a good policy should have at least the following terms, but you can further tweak it to suit your risk exposure:


Once you've brainstormed the scope, work on arriving at the limit of liability (the dollar value you want the insurer to cover you for). In some cases you want full coverage, such as for forensic investigations, while in others you can limit it to a certain percentage of the overall liability, for example fund transfer fraud at 80% of total liability.

Now that you've worked on the essential pieces of the insurance cover, you need to find the best insurer: one that is financially viable and can pay as promised on paper. Keep in mind that the cyber insurance market is a niche, and only a few players offer comprehensive cover at a reasonable cost. So it is important to understand the insurer's capability. Here are a few things you might want to check before signing with them:

So businesses that store customer data (and share it with sub-processors), or any organization that cannot withstand the liabilities of cyber attacks and data breaches, should definitely evaluate cyber insurance as an instrument to offset the cost of hefty fines, expenses and claims.
