Cyber insurance is unlikely to cover your losses

The Myth:

We’ve got cyber insurance so we’re covered

When was the last time you checked your cyber insurance policy in detail?

It could be time to engage a specialist broker to get you a policy that not only matches your risk appetite, but is also likely to pay out if things go wrong.

The Reality:

Most policies are unlikely to pay out, and even when they do, they are unlikely to cover all of the losses

Cyber insurance policies often include a host of provisions and exclusions. Taken together, these can make it almost impossible to claim for a typical incident, and recent cases show that insurers are already refusing to pay.

Here are some of the most common policy exclusions:

  • Policies tend to cover only ‘a hacker who specifically targets you alone’. Unfortunately, cyberattacks are rarely focused on a single victim. Either the same attack vector is used against many victims in a scattergun approach (phishing campaigns), or the malware is self-propagating and spreads to whoever is reachable (WannaCry)
  • Policies tend not to cover ‘any failure…by a cloud/infrastructure provider…unless you own the hardware and software’. Unfortunately, this would exclude not only almost all cloud use, but also almost anything other than services hosted exclusively on kit you own
  • Policies tend not to cover incidents involving a ‘third party…not unduly restricted or financially limited by any term in any of your contracts’. This is meant to ensure that the insurer can pursue any third party involved for unlimited damages. Unfortunately, it excludes almost all service providers, because they themselves specify some limitation of liability in their contracts, typically capping damages at the value of the contract. No service provider these days offers unlimited liability
  • Policies tend not to cover incidents involving ‘any individual hacker within the definition of you’. Unfortunately, this would exclude every insider threat
  • Policies tend not to cover ‘the use by you of any software or systems that are unsupported by the developer’. This clause rarely requires that the unsupported software be part of the attack vector, so you could be excluded for having a single instance of something like Windows XP anywhere on your technology estate, even if it played no part in the attack
  • Policies tend not to cover incidents ‘attributable to any failure…by the Internet Service Provider (ISP) that hosts your website, unless such infrastructure is under your operational control’. Unfortunately, this would exclude every incident involving an ISP, since ISP infrastructure is never under the customer's operational control
  • Policies tend not to cover ‘acts of foreign enemies, terrorism, hostilities or warlike operations (whether war is declared or not)’. Unfortunately, a growing share of destructive attacks is attributed by governments to nation states, and insurers have already invoked war exclusions against ordinary commercial victims: the 2017 NotPetya outbreak, attributed to Russia by several governments, led to denied claims and litigation (for example Mondelez's dispute with Zurich)
  • Policies tend not to cover ‘any error or omission arising out of the provision of negligent professional advice or design’. Unfortunately, if you have tested or assessed your security (as GDPR requires) but then failed to implement all of the resulting recommendations, your cover could be void. So if you have had penetration testing or certification audits (for ISO 27001 or PCI DSS, say), you need to address every recommended remediation or you risk voiding your cover
  • Policies tend not to cover ‘anything likely to lead to a claim, loss or other liability under this section, which you knew or ought reasonably to have known about before we agreed to insure you’. This is the pre-existing condition provision. It means that if the business case your team makes for buying cyber insurance cites specific known vulnerabilities as the reason for buying it, those very vulnerabilities could then be excluded from cover

It is not just a question of whether you're covered, but of what the insurer will pay for

If you're knocked down while crossing the street, you don't expect simply to be stretchered to the side of the road to stop you being hit again. You expect an ambulance to take you to hospital, a doctor to check you over when you get there, and the best surgeons available to fix you up. Avoid policies that provide only the basics. Ensure that your policy either includes support from leading specialists in incident response, cyber law, reputation management and public communications, or lets you choose which specialists you engage, and check whether those costs count against the policy limit.
