When employees cause cyber breaches, most insurers won't pay out
Insurers are limiting payouts under cyber-security policies, reports Cyberheist News. If employers neglect to patch known vulnerabilities in their systems, or employees take the bait in phishing schemes, some insurers won't cover the resulting claims for damages.
According to Cyberheist, cyber-security policies are a new, fast-growing insurance market, with current estimates of $5 billion in premiums by 2020.
Insurers base their payouts on aggregated risk and therefore place limits on coverage.
With insurers limiting coverage of cyber crimes, employers need to update or overhaul their computer systems and train staff in how to avoid taking the bait in phishing scams and email security breaches, such as the massive WannaCry ransomware attack last month.
Employers also need to monitor employees' use of computer systems. Some security breaches are "inside jobs." According to a Dtex Systems report, 95% of organizations have workers who try to override security and web restrictions.
Additionally, some organizations without cyber insurance have resorted to using their kidnap and ransom insurance policies, also known as K&R coverage, to pay for damages. Though leaning on K&R policies to help with recovery is a clever strategy, it is unlikely insurers will permit it long term.
The global cyber insurance market is expected to grow 131% by 2020, compared to the 2016 market, according to a recent report from the Insurance Information Institute. There are about 60 companies writing cyber insurance policies today, mainly in the U.S.
HR is often a target for security breaches because of the large databases of personal information on employees that it maintains. Without a means of recovering damages caused by internal negligence, a breach of HR databases is a significant cost to the organization and a personal loss to its employees.