Cyber Insurance as Crisis Management Tool

My reason for joining the 2021 Cyber Risk Officer spring program run by ICTTF was to be able to have a sound, creditable basis for engaging in my role as a non-executive director on the subject of all things cyber, from identifying risks through to a cyber risk strategy. I wanted to see and understand what “great” looked like. That’s exactly what we got through the program.

The cyber insurance topic of the program was one where I’d some experience, as during my career with a large global insurance company focused on commercial insurance, cyber insurance became one of our offerings. I was excited by it, as it was developing from a fringe purchase to a “primary” purchase by companies and so represented a growth area for new product development, the opportunity to serve customers with meaningful protection and, of course, the potential to generate new revenue streams. However, I was also sceptical since it was an “unknown” – little loss history, difficult to model and potentially one event worldwide could magnify losses across multiple insureds.

That may sound like I didn’t believe in the product we were selling but only from the perspective of being the seller. If I was a buyer I would absolutely ensure I had good insurance protection in place! The remainder of this article puts forward views to support that.

The “Crisis Period”

I’ve been pretty tech savvy during all of my career, seeking to understand how better we use technology, thinking through its functionality, its design and particularly its user experience patterns. Why is that important? As a leader in the business, I was exposed to different disciplines using technology in vastly different ways, using data sets to manage their part of the business and then sharing it in a corporate interdependent ecosystem. So as an example actuaries would model various data internal to the business alongside external sources. Some of this output would be used by underwriting groups for pricing or modelling purposes. Other parts of their output would assist claims in claims management or reserving practices. Yet other parts of their data would be used by finance colleagues in capital management, treasury activities or budgeting. And of course actuarial analyses enabled various decision levers for executive leadership groups that drove profitability. What you see from this is the interdependency of systems and data across the business.

We of course had cyber risks as part of the local and global Disaster Recovery (DR) plans. As chair of our Crisis Management Team, I considered a major cyber event much more damaging than the loss of use of say an office building to a fire. We could shift work pretty quickly to other offices following a fire. We could move to remote working within hours. But a cyber event in a global business where interdependency is embedded across the globe would be devastating. We would literally have thousands of people converting digitised processes to manual ones. Nobody had been trained for that outcome nor had our business operational model allowed for new processes to be designed for an enforced manual processing of transactions in real time so to speak.

So for me, what was important if we were subjected to a cyber event was what happens in the first 5 hours, the first 24 hours, the first 36 hours, the first 5 days and the first 10 days. I always took the view that if we’re not back in business to a great extent within weeks, the business would lose massive credibility – colleagues, regulators, customers, intermediaries and major suppliers to name a few. So this is the “crisis period”.

Of course we were a large financial company operating in a heavily regulated environment worldwide so our DR plans were pretty comprehensive, were aligned to the business model and were tested regularly. We knew we weren’t invincible but it wasn’t for a lack of preparation. Many companies and organisations quite simply are not so prepared.

Insurance is generally regarded as protecting against financial loss in exchange for a premium. However, for certain categories of commercial risk the management of the crisis period is more critical than any financial indemnity. Think of a major pharma company with a large chemical spillage into a water course that affects 100,000 residents of a nearby town. Think of a food company which finds it has to recall product because of a serious contamination. Think of a company which has received a ransomware demand to release its crippled IT infrastructure, which houses multiple types of personally identifiable information and renders large swathes of workflows redundant without IT. These scenarios demand quick and incisive support with a degree of urgency and immediacy. Insurance policies frequently fulfil this with a range of experienced services that can respond instantly to a crisis scenario. I’ll touch later on what that might include but, to give one example, the PR agency used for product launches is unlikely to be the one to handle crisis-led communications.

What Cover Should a Company Buy?

First thing I’d recommend is to consult an insurance broker. The bigger your organisation, the more the focus should be on a global broker - they offer niche expertise, tend to have a lot of big client experiences upon which to draw and are more able to respond to complex claims environments. They will advise on:

  • The current status of organisational readiness for a cyber event
  • How much cover to purchase and benchmark you within industry sectors
  • Market conditions, pricing, insurer preferences
  • Preparing the information to provide to insurers and organising the dialogue to have with insurers
  • The range of post-incident services
  • Coverage negotiations and customised options
  • Restricted cover and funding options that may be available.

Getting an insurer to engage in underwriting a cyber risk is now fairly rigorous and demanding, and can be quite comprehensive in the data requested. It is not uncommon to have proposal forms that are 10+ pages in length. Below is some of the data required:

  1. Basic corporate financial information broken down by product, sub product, geography, customer segment
  2. Data records
     • Number of records by type of information – PII, payment cards, health data
     • By geography
     • Online sales
     • Scale, purpose, protocols, monitoring of 3rd party data sharing
  3. System outages
     • DR plan detail around actions, duration, mitigation measures, testing frequency
     • Financial impact estimations
     • Seasonal peak time modelling
     • Back up management
     • Life cycle management of IT infrastructure
  4. Outsourcing service providers (OSPs)
     • Due diligence, audits
     • Cloud usage
     • Contractual and financial indemnity provisions of any Service Level Agreements
     • DR plan for OSPs
  5. Data Security
     • Responsibility – privacy officer, company policies, compliance records
     • Data classification policy
     • System access privilege management
     • Encryption & back up practices for sensitive information
     • Compliance with various industry standards
     • Retention and destruction policies
  6. Network Security
     • Extent of protections – firewalls, anti-malware, vulnerability scanning, remote access controls
     • Password management policies
     • Patching protocols
     • Mobile network access – USBs, BYOD
     • Threat intelligence capabilities
     • Penetration testing
     • Social media presence, procedures and policy
  7. Employee engagement
     • Communications
     • Phishing tests
     • Social media monitoring
  8. Claims history
     • Details of incident log procedures, including escalation and review
     • Claims history – accidental, intentional, near miss, disclosure
     • Financial impact
     • Extortion demands


While a broker can be very useful, my experience over the years is that organisations with “crisis period” potential need to pay careful attention and view this as an investment in cyber protection. Some common sense suggestions:

  • If your organisation has a good story to tell, then share that with the underwriter. If you are wary about sharing DR plans (many companies are) you can ask for a confidentiality agreement or organise a secure vault online for underwriters in view-only mode for a limited time period.  

  • If there are weaknesses in your cyber security, acknowledge that you’re aware of them alongside the rationale for why it’s a weakness (e.g. it may be a very small part of the business) or highlight any plans to strengthen various areas.

  • Ask your broker to benchmark that weakness against industry peers as it may turn out you’re above average compared to competitors.

  • If your organisation has had an incident that became a claim, one tangible outcome is your organisation is now more aware of the impacts, lessons will have been learnt and perhaps the organisation is now at a higher level of readiness. Be open to sharing high level improvements.

  • Explain why cyber insurance is a key purchase to strengthen your organisation from a cyber event and particularly in the “crisis period”.  

  • Share metrics that demonstrate the “organisational culture” is heavily influenced by cyber security. For example any outcomes from phishing or pen tests over various time periods or metrics from regular training programs designed to raise cyber risk awareness.

Some of these are probably counterintuitive in that they don’t seem to portray readiness. Underwriters are looking for a good thought process and as much mitigation as can be afforded.

Managing the “Crisis Period”

Certainly, this is a lot of information for any organisation. Yet it is essential to pull this together in a format that allows the underwriter to understand your risk and put forward a good proposition on pricing, coverage customisation and minimal restrictions. Any output from a cyber risk measurement system that demonstrates the organisation’s ability to identify, monitor, protect against and track cyber events will produce meaningful financial savings on the cost of cyber insurance.

It’s Friday afternoon and your organisation has just been told that you’re the subject of a ransomware attack and your IT infrastructure has had to go offline or shut down. The recent HSE event in Ireland has highlighted how immediate the impact became for staff, patients, service delivery not to mention COVID plans. In effect there was organisational paralysis and a fair degree of scrambling.

When such a serious cyber event occurs, the DR plan is triggered and the Crisis Management Team convene – day jobs are shelved and many people across the business become involved: some looking for guidance, some highlighting priorities for their part of the business and others looking to drive what needs to be communicated to a variety of stakeholders. Of course the IT department are under massive pressure to report on status, advise on solutions and identify counter measures amid a host of other requests. Often executive leadership place far too much reliance on them, on the assumption that IT alone can solve what is effectively now an operational business challenge. Quite simply, cyber risk security and crisis management are completely different skillsets from running and managing a “business as usual” IT infrastructure.

Minute two is when the cyber insurance should be triggered. The triage that then takes place is designed to identify and assemble the external crisis management services required. Below are some common services offered by cyber insurance policies:

  1. Incident Response & IT Forensics. Identify an incident manager, provide experienced negotiators to liaise with the cyber event perpetrator, identify scale of the incident, follow the IT trail globally (hacker servers can be located in any country worldwide).

  2. Forensic accounting: Assess financial impact and ability to continue trading.

  3. Legal & regulatory: identify obligations if personally identifiable information has been lost – timescale, bodies to be notified, customer notification requirements.

  4. Crisis communications and PR: various stakeholders need to be considered as part of the communications strategy, and that determines what to communicate and the messaging components (e.g. multiple languages, local regulations if a multi-geography event); manage & interpret what regulators feed back to the crisis.

  5. Identity fraud and credit monitoring. If payment card or other sensitive financial details are involved there may be a need to engage a service that can quickly start to engage with customers around protections that have now been put in place. There may be a need for a call centre to respond to queries from customers.

  6. Ransomware negotiators. Several companies specialise in negotiations of a sensitive nature to a company. Cyber criminals are now firmly a part of that cohort.

Normally these service providers are global firms who are under Service Level Agreements to respond 24/7/365 and provide hugely beneficial advice. Sometimes we encountered a client who was concerned about access to its business systems and data that were unknown to them and so had a preference to have some of their own advisers respond in place of our panel. If your organisation feels strongly about this, then engage with the insurer during the negotiation stage. Where it makes sense an insurer will be accommodating (e.g. using the client’s global audit firm over the insurer’s forensic accounting partner). However, be aware that where there is a critical component of the claims process, the insurer may insist on their panel appointment. That’s probably best to agree at inception of the policy rather than when an incident occurs.

And finally…

Cyber insurance may be worth it for many firms and while compensation for financial loss may be important, for me it is the “crisis period” which is the most daunting. Having led a crisis management team through various events, the initial shock quickly dissipates when you’ve got a good plan in place which is augmented by professional expertise guiding you from “crisis period” back to business as usual.

David Gallagher has over 25 years’ experience in the commercial insurance industry across Europe. He led the Irish business of XL Insurance/Axa XL since 2008 and retired in 2020. He is now a consultant and advisor to several insurance entities.