Should You Consider Cyberinsurance for Your Organization?

Do you have the right level of protection against cyberattacks? Does your current insurance even cover them? What about cyberinsurance?

If you’re not sure, you’re not alone. At our recent Fraud Prevention Institute, Katharine Hall, senior vice president and cyberpractice leader with Aon, and Chetan Sehgal, partner, forensic disputes and investigation with BDO Canada LLP, discussed how to manage the cyber-risks that plans and organizations are facing.

Cyberattacks Are on the Rise

In 2018, the total cost of cybercrime was around $600 billion—and this is estimated to rise to a whopping $2 to $6 trillion in 2022, said Sehgal. “There’s a whole market out there for our information,” he noted.

Types of cyberattacks can include malware and ransomware, as well as SQL injection and phishing attacks, Sehgal explained. Social engineering—for example, impersonating an executive to get a fraudulent invoice paid—is also very common.


The reality is, even after security awareness training, employees are still susceptible to cyberthreats. “What is the weakest link within the antifraud system? The human interaction,” he added. And the damage can be considerable, including financial loss, business or service disruption and loss of intellectual property.

The Challenges of Cyberinsurance

As with any risk, you can deal with cyber-risk in one of four ways: avoid it, mitigate it, accept it or transfer it, said Hall. But if you’re looking to transfer a portion of that risk through insurance, don’t automatically assume you’re covered, she cautioned.

While cyberinsurance has been around for a while, until recently, it hasn’t had much uptake. Organizations may have been able to piece together some coverage from existing policies (e.g., business email compromise, or kidnap and ransom). However, many carriers don’t want to cover cyber because they don’t fully understand the risks, said Hall. “Those extensions were never properly written; they were never properly considered and were never properly priced.”

Today, types of insurance available to mitigate cyber-risks include cyber liability insurance and commercial crime insurance, she explained. Organizations may consider coverage for network business interruption, system failure, dependent business interruption/system failure, cyber extortion and digital asset restoration, as well as privacy and security risks.

However, cyberinsurance isn’t that easy to get these days, said Hall, noting that the underwriting has become much more rigorous. Before agreeing to provide insurance, the carrier will likely ask detailed questions on the organization’s existing cyber-risk management practices, such as multi-factor authentication, endpoint protection and response, and phishing exercises or cyber awareness training for employees. “The proliferation of ransomware has really hit the insurance industry hard,” Hall added.

Best Practices in Cyber-Risk Management

To ensure organizations are appropriately managing their cyber-risk, Hall and Sehgal’s top three recommendations are as follows:

  1. Create a culture of cybersecurity—it can’t be just IT’s responsibility;
  2. Hire a qualified Chief Information Security Officer (CISO); and
  3. Regularly review your cyberposture, including assessment, quantification, insurance and incident response readiness.

It’s critical for organizations to continually reevaluate their cyber-risk as they grow and evolve over time, Hall added. “The best thing you can do is be prepared.”

Learn More About Benefits Fraud

The Fraud Prevention Institute for Employee Benefit Plans Virtual Conference is available on-demand through August 19, 2021. Access the entire conference to learn more about emerging trends in fraud prevention, the latest in cybersecurity and deterrence of data breaches, and guidance for internal controls and risk prevention.

[Related Reading: The Psychology of Benefits Fraud: Why We Lie to Ourselves]

Alyssa Hodder
Director, Education and Outreach – Canada

