Cyber Insurance in Risk Management

Questions and Answers

What is the primary purpose of cyber insurance?

• To cover losses resulting from cyber attacks (correct)
• To improve IT system security
• To comply with regulatory requirements
• To transfer low risks to a third party

What type of loss is covered under cyber insurance?

• Physical damage to IT systems
• Financial loss from direct cyber fraud
• Reputation damage due to cyber attacks
• All of the above (correct)

Why is cyber insurance becoming increasingly important?

• Due to the increasing complexity of IT systems
• Due to the rising number of cyber attacks and breaches (correct)
• Due to the decreasing cost of cyber insurance
• Due to the increasing cost of IT systems

What is the main stage in the cyber insurance process?

Implementing security controls to reduce the impact of cyber attacks (D)

What is the role of a cyber insurer in the risk management process?

To assume the risk and provide financial protection (D)

What is covered under 'First Party Losses' in cyber insurance?

Data protection fines and penalties (C)

What is a major challenge in cyber insurance?

Data unavailability on potential losses (C)

Why are some companies refusing cyber insurance?

Because they think their policies already cover cyber risks (D)

What is the median number of days an attacker is discovered on someone's network?

146 days (D)

Why is cyber insurance growing slowly?

Because there are many unanswered questions in the field (C)

What proportion of a company's annual revenue is the cost of setting up cyber insurance for big companies?

1% (A)

Why are attacks originated from foreign agents excluded in policies in cyber insurance?

Because they are often state-sponsored (B)

Match the following cyber insurance aspects with their descriptions:

Risk Transfer = Transfer risk to a 3rd party such as an insurer First Party Losses = Covers data protection fines and penalties, data protection investigation & defence expenses Cyber fraud = Financial loss from direct use of computers to commit theft/fraud of money, property or security Breach of privacy = Cost of IT forensics and notifying affected subjects, fines from regulators

Match the following cyber attacks with their consequences:

Intellectual theft = Loss of value of assets Cyber fraud = Financial loss from direct use of computers to commit theft/fraud of money, property or security Data and software loss = Cost in rebuilding data Breach of privacy = Less transactions from customers due to being viewed as untrusted

Match the following stages with their descriptions in the cyber insurance process:

Request to buy RID2 = A company sends a request to buy cyber insurance Security controls implementation = Cyber insurer would like to know the implementation to reduce the impact of a cyber attack Proposal agreement = Company and cyber insurer reach an agreement on the proposal Loss assessment = Assessing the losses resulted from cyber attacks

Match the following cyber insurance aspects with their descriptions:

Cyber insurance agreement = A company and cyber insurer reach an agreement on the proposal Data breach notifications = Notifying affected subjects in case of a breach Public relation costs = Costs of repairing the company's reputation after a breach Identity theft expenses = Expenses incurred due to identity theft

Match the following cyber insurance aspects with their descriptions:

Data protection fines and penalties = Fines imposed by regulators for data breaches Data protection investigation & defence expenses = Costs of investigating and defending against data breaches Cyber insurance legislation = Legislation that necessitates the existence of cyber insurance Cyber attacks/breaches = Rising number of cyber attacks and breaches

Match the following cyber insurance aspects with their descriptions:

IT systems and networks = Damage to, or loss of information from these systems Cyber insurance = Insurance that covers losses relating to damage to, or loss of information from IT systems and networks Risk management = Fits into the risk transfer category Company = Sends a request to buy cyber insurance

Match the following challenges with their descriptions in the context of cyber insurance:

Data Unavailability = Not enough data on potential losses Difficulty in Quantification = Not knowing how to measure losses associated with cyber attacks Interdependent Attacks = One attack on a system can lead to vulnerability to other systems Powerful Cyber Weapons = Attackers have access to powerful tools to break into systems

Match the following reasons with their explanations for why some companies are refusing cyber insurance:

Orgs believe policies already cover cyber risks = Budget is limited Budget is limited = Companies think they are already covered for cyber risks Cyber insurance is still new = There are many unanswered questions Policies exclude foreign attacks = Attacks originated from foreign agents are excluded

Match the following statistics with their descriptions in the context of cyber insurance:

146 days = Median number of days an attacker is discovered on someone's network 1% of annual revenue = Cost of setting up cyber insurance for big companies Unspecified = Cost of setting up cyber insurance for small companies

Match the following terms with their descriptions in the context of cyber insurance:

Beast called cyber attacks = Cyber attacks can come from any part of the world Cascade Losses = One attack on a system can lead to vulnerability to other systems Security Controls = Measures to prevent or mitigate cyber attacks Threat Sectors = Probability of specified threat or loss

Match the following terms with their descriptions in the context of cyber insurance:

First Party Losses = Not specified in the passage Cascading Losses = One attack on a system can lead to vulnerability to other systems Security Controls = Measures to prevent or mitigate cyber attacks Threat Sectors = Probability of specified threat or loss

Match the following challenges with their impacts on cyber insurance:

Data Unavailability = Impacting premium setting Difficulty in Quantification = Impacting premium setting Interdependent Attacks = Leading to vulnerability to other systems Powerful Cyber Weapons = Making it easier to break into systems

Cyber insurance is agreed upon these ______ stages:

A company

Cyber insurance covers the losses relating to ______ to, or loss of information from, IT systems and networks.

damage

Low risks can be ______ to a 3rd party such as an insurer – Cyber insurance.

Transferred

The main reason for existence of cyber insurance is ______ and the number of rising cyber attacks/breaches.

legislation

Cyber insurance covers ______ and software loss – data have been deleted or corrupted, cost in rebuilding this data.

Data

Cyber insurance covers Data Privacy and Security ______ Party Losses.

First

Not enough data on potential losses that can occur, value of implementing security ______, probability of threat sectors attacking, probability of security controls not addressing threat or specified loss.

controls

The median no. of days of an attacker being discovered on someone’s network is ______ days.

146

Cyber insurance is growing slowly because some companies are refusing cyber insurance and this is the ______ why.

reason

One attack on a system can lead to ______ to other systems since cyber attacks are interdependent.

vulnerability

Attackers have access to powerful ______ weapons which is not easier to break into a system than before.

cyber

For big companies it doesn’t cost much to set up Cyber Insurance as its ______% of companies annual revenues.

1