Cyber insurance is designed to restore many aspects of a business following an incident. An indemnity payment covers financial loss. DFIR practitioners are sent to rebuild computer networks and more niche services to restore corrupted data. Public relations advice is aimed at rebuilding the firm’s reputation and so on. Yet, corporate cyber insurance does not, to my knowledge, cover services offered to restore the psychological health of the victim firm’s employees.
This matters because cyber incidents can be traumatic. Psychological stressors include ransomware gangs choosing a skull and cross bones aeshtetic/theatrical negotating style through to impending job losses for breached firms. As the joke goes, a CISO’s job description is the person to be fired after a breach. During incidents, employees are forced to work long hours for days if not weeks on end. Some threat actors deliberately target holiday periods in the knowledge that these are disproportionately stressful for defenders given the time of year has no special significance to cyber criminals from other cultures.
The psychological impacts are apparent whenever a ransomware victim talks about the incident. I have spoken to victims whose tone completely changes, with visible physical responses like blood draining from their face in some cases. All of this suggests some level of psychological trauma. So why don’t cyber insurance policies cover the cost of mental health practitioners to support the victim firm’s employees?
After all, many cyber products sold to individuals are already covering these costs. In a sample of 34 personal identity insurance policies, my analysis shows a policy filed in 2014 was the first to cover the cost of mental health counseling. After that, the majority of insurers who filed such policies offered free counseling to identity theft victims. Similarly, AIG’s Family Cyber Edge policy covers mental health support in the aftermath of cyberbullying events.
So here is my challenge to cyber insurance product teams: begin to add services to corporate cyber insurance that support the psychological well-being of employees after an incident. There is clearly an insured loss, namely the trauma of employees. The quantum of loss is measurable (the mental health workers’ bill) and manageable via sublimits. I predict that the small overhead on premiums will be more than out-weighed by the gratitude of employees and the sense that insurers are restoring all aspects of a business post-incident.
P.S. I avoided the elephant in the room, namely the psychological and lifestyle stress suffered by incident responders. This is a much bigger topic that is much more complicated to address.
Daniel Woods
Daniel Woods is currently a Postdoc at the University of Innsbruck, after completing his PHD about the economics of cyber risk transfer at the University of Oxford.