Skip to content

Search the site

How CISOs can make sure a cyber insurance claim pays out

Leading insurer highlights “shocking blind spots” that “happen over and over again on a daily basis” to invalidate claims.

A top insurer has highlighted the basic mistakes that invalidate cyber insurance claims and warned CISOs that relatively minor errors can reduce their chances of getting a payout.

Allan Vogel, cybersecurity consulting leader at the insurance giant AON, said that even small inaccuracies made on application forms enable insurers to reduce the amount they pay or refuse the claim altogether.

Vogel urged CISOs to focus on transparency and being unequivocally clear about the granular details of their cybersecurity posture, revealing some of the common mistakes he had seen whilst working with insurance claimants. 

Speaking at Forward 2024, a cyber-resilience event organised by the data security firm Rubrik, Vogel said: “I work with these applications every day. It’s amazing to me. These questions are black and white, yet CISOs are having a really difficult time answering them.”

Organisations should take care to fill out all forms as accurately as possible to avoid making potentially expensive slip-ups on “long and painful” claims, Vogel advised.

“You need to be very transparent and understand the questions - and it’s difficult,” he said.

Small mistakes include failing to precisely define network architecture and the nature of an organisation's defences.

For instance, Vogel said clients sometimes claim to have no privileged service accounts - which he described as “a very ambiguous term”. 

In a Microsoft environment, these are nonhuman accounts with privileges that are typically used to run applications or services. One of Vogel's clients was running Linux and concluded that because they didn’t use Microsoft, they didn’t have any privileged service accounts. 

However, they did have service accounts that could count as privileged. So when filling in an insurance form, they incorrectly said they had zero privileged accounts and the insurer “didn’t want to pay the claim because of the misrepresentation”.

MFA is another potential sticking point. Even if an organisation has put up strong defences, it takes just one unprotected device to be encrypted during a ransomware attack for an insurer to refuse to pay the claim. 

Mistakes CISOs should avoid

Vogel also described three “shocking blind spots” that “happen over and over again on a daily basis”. The first is failing to draw up a disaster recovery plan and test it effectively. 

The second is not having access to fast, reliable insights into critical aspects of the network, such as the location in which sensitive data and personally identifiable information (PII) is stored. 

“The other piece that's always shocking to me is how disconnected and siloed the CISO is from a lot of departments, like the architecture team,” Vogel added. “They have no connectivity into the architecture team and, from a backup perspective, they have no say in what controls and products are in place to get a proper recovery from a threat.”

The impact of a breach

Vogel also warned that many organisations “don't realise the impact on shareholder value” caused by a cyber attack. 

These losses are caused by factors such as fines, operational disruption, theft of funds, reputational damage, loss of customer trust, litigation costs, and much more. 

In 2023, a AON cyber resilience white paper found that organisations hit by a cyber attack suffer a subsequent 9% decrease in shareholder value during the year after the event.

However, it also reported that addressing an attack effectively can have a beneficial effect, suggesting companies that deal with the incident successfully experience an 18% increase in shareholder value over the same period. 

Vogel said: “This statistic highlights the disparity between unprepared and prepared organisations. That shareholder value after a cyber attack depends on how effectively the organisation manages the aftermath of an incident, restores investor confidence, and demonstrates the resilience and growth potential of the organisation."

Key factors to achieving a successful recovery include an effective incident response plan, rapid detection and containment, robust recovery measures, and successful restoration of lost or encrypted data through backups or decryption.

Recovering quickly and communicating effectively also helps to build investor confidence, maintain stock value, and limit financial damage.