Cyber Insurance – Still a Valid Tool for Risk Management?

Over recent years, insurance providers have dipped their toes into providing cyber insurance to organisations. Digital transformation has made computer systems critical to business operations in many cases, and just as heavy machinery is insured against loss from fire or flood, the contents of a data centre can now be insured against cyber-attack.

The cyber insurance industry is expected to grow to $20bn by 2025[1]. Insurance is intended to be just one pillar of risk reduction, to be sensibly combined with investment in security technology, user education, and third-party risk reviews, amongst others. No one, including the insurers, proposes that insurance is a replacement for good security practice (indeed, many stipulate a certain level of due diligence before cover is provided), but it can be a sensible way to transfer the residual risk from cyber-attacks.

A major development which could derail the nascent industry is currently going through the courts. Mondelez, a huge food and snack multinational which owns brands such as Cadbury and enjoys revenues of over $26bn, experienced massive business disruption from the 'NotPetya' attack (malware that presented itself as ransomware but in practice behaved as a destructive wiper, leaving no practical way to recover affected machines). Mondelez lost nearly 26,000 devices, resulting in a 5% revenue drop for the quarter.

Initially, Zurich Insurance approved a $10M payment to Mondelez, as the policy covered 'physical loss or damage to electronic data, programs or software, including loss or damage caused by the malicious introduction of a machine code or instruction'. However, this was later rescinded, as the policy also included an exclusion for 'hostile or warlike action in time of peace or war' by a 'government or sovereign power'.

NotPetya has been widely attributed to the Russian government as an attack on the infrastructure of Ukraine, with the damage to Mondelez and other multinationals as collateral spillover. This raises a few discussion points about the effectiveness of cyber insurance:

  1. With the rise of nation-state threats, whether outright hostility or commercially focused espionage, does a 'war' exclusion take the most complex and most disruptive cyber-attacks outside the scope of cyber insurance coverage altogether?
  2. Attribution of attacks becomes even more important, and it is already an extremely difficult process. Determining which country an attack came from is tricky enough; determining whether it was state-sponsored or the work of a rogue individual is harder still. A further layer of complexity comes from 'false flag' attacks, where one nation carries out an attack while leaving subtle hints that implicate another state. Under a policy like Zurich's, the insurer's view on attribution, not the victim's, can decide whether a claim is paid.
  3. Cyber insurance may not be the 'last resort' that some organisations were treating it as. Transferring risk to another party in exchange for a predictable premium is tempting, but the risk of an attack not being covered needs to be carefully understood: read the exclusions as closely as the coverage.

In summary, security is, and always was, the responsibility of the organisation that will be impacted most in the event of a breach. As an individual, this means not giving your personal data to organisations with a dubious history of treating it with the respect it deserves. For organisations, it means you need to fully understand your risks, quantify them appropriately, and provide your IT security team with a budget commensurate with that risk.

Armadillo can provide a security risk review and help you to build out your security strategy for the coming 12-18 months. Get in touch if you would like to walk through how we can help you with strategic planning for 2019 and beyond. You can contact me directly at

[1] Kesan, Jay P.; Majuca, Ruperto P.; Yurcik, William J. "The Economic Case for Cyberinsurance". Workshop on the Economics of Information Security (WEIS), 2004.
Written by: Rob O’Connor, Chief Technology Officer at Armadillo.