How about we play a little cyber insurance trivia to find out?  Trust me; it’s more interesting than you might think.

In an interview between Carole Theriault and Martin Overton, Theriault plays “Covered by Cyber Insurance: True or False” with Overton, who once worked for a large cyber insurance company. Overton describes himself as a security techie with over 30 years’ experience.

I encourage you to listen to the podcast yourself, as the folks at Hacking Humans (the CyberWire) do a fantastic job of providing interesting content in an entertaining format. If that’s not your thing, I’ll give you the highlights:

Scenario 1
A user gets a phishing email and clicks on a malicious link.  The malware causes a major disruption and downtime in the environment.

Covered by Cyber Insurance: True or False?
True – Overton says that cyber insurance would generally pay out and cover the investigation, forensics, possibly legal costs and perhaps public relations if there’s brand damage.

Scenario 2
Again, a user gets a phishing email and clicks on the malicious link. This time the bad actors are after intellectual property, and the malware lets them quietly exfiltrate it.

Covered by Cyber Insurance: True or False?
Partially True – Cyber insurance would probably pay out for the investigation and forensics, but according to Overton, “The fact is, intellectual capital is generally not covered by cyber insurance.”

Scenario 3
A user is tricked via a social engineering attack into logging on to a malicious website and providing their credentials.  The bad actors use these credentials to access a company bank account and transfer money.

Covered by Cyber Insurance: True or False?
True according to Overton.

Scenario 4
The business email compromise. A user in Finance gets an email from someone they think is the CEO, asking them to wire money out of the company. The finance person completes the request, only to find that the CEO’s email had been spoofed or that the bad actor sent the email from a similar-looking domain.

Covered by Cyber Insurance: True or False?
False.  Overton says, “Cyber insurance, from my understanding, would not cover that. A crime policy potentially would … ’cause crime policies cover fraud, irrespective whether it’s an internal person or an external person that’s done it.”

This was a fun little game, but the point is that cyber insurance is quite nuanced, and you need to understand your risks to ensure that you will be covered when the worst happens. Assess your risks, document them, and work on putting controls in place to close the gaps. Monitor and make continual improvements. Don’t worry if you don’t have all the skills to tackle this on your own; CTI’s group of security consultants can augment your team. Remember, a payout from an insurance policy (if you’re covered) might ease the pain after a security breach, but working to prevent the breach in the first place will likely have a much better ROI.