What’s your liability in a hacked world—are you covered?


As apps move from the data center to the cloud, organizations are inevitably forced to address risk four ways: mitigation, avoidance, acceptance, and transfer. This article is about this last way, risk transfer—specifically the need for cyber insurance. As breaches become commonplace—or inevitable—the need for insurance has grown exponentially, as have the skills of insurers at assessing risk and recommending improvements. Every company should consider buying cyber insurance.

Sara Boddy Miniatur
Sara Boddy
Published March 20, 2017


Every company should consider buying cyber insurance. You might be amazed at what you can learn from the process.

Years ago, applying for cyber insurance consisted of filling out a single form, answering a few questions, and attesting that your company was following certain standards. Now, the process is much more onerous and intense, but it’s also much more educational—not just for the insurance underwriter, but for you. You can learn a lot about the risks your business faces by taking the time to complete a cyber insurance application.

Weathering the process can help expose weaknesses and shortcomings in your strategy.

Some risks are obvious to anyone reading today’s headlines—data breaches, cyber-related business interruption (DDoS attacks), and cyber extortion are the top three reasons why companies explore cyber insurance.

But there are also many not-so-obvious risks. For instance, many companies use cyber insurance to offset the risk of unintentional noncompliance with regulations. In fact, avoidance of regulatory fines and penalties is one of the most popular reasons companies purchase cyber insurance. Even if you believe you are in compliance with regulations, the risk that you may have missed dotting an “i” or crossing a “t” might make cyber insurance worth the premium. Not surprisingly, three industries that will probably purchase the most cyber insurance in the future are also among the most regulated: professional services, financial services, and healthcare.

Why are insurance applications so helpful? Because insurers want to verify exactly what you need to know as well: that you have a strong strategy and process in place to catch attacks and limit damages. Weathering the process of explaining your company’s security technologies, processes, and policies can help expose weaknesses and shortcomings in your strategy. It’s a gauntlet, but one from which your company will emerge stronger.

Know your security score

Insurance companies are increasingly using security scoring systems, such as BitSight, SecurityScorecard, and even FICO, which has recently expanded its own scoring system to cover security. Such services constantly monitor externally visible events—including spam relays, compromised computers inside your firm’s network, and open ports within your company’s IP address space—that give a hint at whether your company’s network has been breached.


The average cost of a breach from 2013 to 2015. Average data loss was over two million records.

Like a credit score, such services provide an outside view of an internal state—in this case, your security posture. They can even help detect breaches and give management an indication of how your company measures up against its peers.

Find out whether or not you are covered

Unfortunately, many companies do not fully understand what their insurance covers. Just as homeowners can be shocked to learn that their homeowners’ insurance does not cover flooding, companies can find that an incident falls outside the coverage of their cyber insurance.

For that reason, think about conducting tabletop exercises that allow you to look at different coverage scenarios. If your network is breached due to the security shortfalls of a third-party app, is your company covered by the insurance policy under consideration? How about if one of your employees picks up a flash drive in your company parking lot, inserts it into her laptop, and takes down your network, causing your e-commerce site to go dark? Is the lost revenue covered?

Many insurers attempt to minimize their potential costs by reducing coverage amounts or including exceptions in their coverage. It’s important to consider those limits when evaluating policies and reviewing scenarios.

Smaller companies and suppliers need coverage too

The average breach from 2013 to 2015 consisted of a loss of over two million records and cost $665,000, according to the NetDiligence Cyber Claims Study 2016. The study found that the majority of claims are made by companies with less than $2 billion in revenue.

As the numbers show, companies of all sizes suffer from cyber events and need cyber insurance, including smaller organizations. Large companies should consider requiring that their suppliers also have a certain level of coverage.

Finally, companies of all sizes need to make sure that their deductibles are not too high and that they understand which factors are considered when calculating damages. If your insurance does not cover an incident because it falls under your deductible, the coverage is worthless.

Sara Boddy currently leads F5 Labs, F5 Networks’ threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years. Prior to Demand Media, she held various information security consulting roles over 11 years at Network Computing Architects and Conjungi Networks.