Morales Leoro Andrea Valeria ResearchPaper


UNIVERSIDAD DE ESPECIALIDADES ESPIRITU SANTO

FACULTAD DE ESTUDIOS INTERNACIONALES

BENEFIT ANALYSIS OF CYBER INSURANCE AS A SOLUTION FOR CYBER CRIME ON BUSINESSES SINCE COVID-19

RESEARCH PAPER PRESENTED IN FULFILLMENT OF THE REQUIREMENTS TO OBTAIN THE BACHELOR DEGREE IN INTERNATIONAL NEGOTIATIONS

STUDENT:
VALERIA ANDREA MORALES LEORO

TUTOR:
ING. BILLY ANDRADE GARCIA, MBA

SAMBORONDON APRIL 2023


Abstract

Cybercrime, or computer crime, refers to criminal activities that are carried out using the internet or other technological means. It has increased since the Covid-19 pandemic, as the workforce shifted from an office environment to working from home. The main objective of this research is to analyze the benefits of cyber insurance as a consequence of the financial impact cyber risk has had on Latin American businesses since Covid-19. Extensive research was carried out on these topics, and a quantitative study was applied to measure the vulnerability of personnel towards cyber security among 151 employees in Samborondón and Guayaquil. A qualitative analysis was also done by interviewing cyber experts in the industry. Some results showed that although there are clear cyber security vulnerabilities in Ecuador, such as poor cyber security awareness, cyber insurance acts as a prevention strategy to minimize the possibility of suffering cybercrime or, in case it happens, to transfer the cost of the risk to another entity, the insurer.

Keywords: Cybercrime, Cyber Insurance, Covid-19, Hacking, Data Breach, Cyber Risk

Introduction

Since COVID-19 happened, the world took a 180-degree turn in almost every possible aspect. New challenges were imposed on businesses as they had to change their in-office model to a work-from-home solution, which was essential to continue their activities and secure profits for their investors. As the model changed, new technologies needed to be implemented so that everything had online access, allowing employees to continue their responsibilities while protecting their health. Corporations had to accelerate their digital transformation, which made cyber security a major concern (Marco J. Vassallo).

As everything changed so abruptly, businesses weren’t necessarily ready to change to a home office modality, which in turn made them more exposed to cyber-attacks than ever before (Zerlang, 2022). A business could potentially lose millions of dollars if it were a victim of these kinds of attacks. Its confidential information may be compromised, as well as its clients’, making it vulnerable to a tremendous economic hit and possible lawsuits from third parties whose information may be compromised.

Contingencies such as cyber threats, third-party intrusion, information leakage, data theft, cyber extortion and fraud, accompanied by disruptive technologies, require a new and improved way to help prevent them. Improving in-house security is not enough, as a risk is still possible. It is negligent to assume that only increasing security is a solution, which makes cyber insurance the ultimate protection to hand over the risk and secure the businesses’ financials and their shareholders.


The main objective of this research is to analyze the benefits of cyber insurance as a consequence of cyber risk since the COVID-19 pandemic hit the Latin American economy. The specific objectives to achieve the main objective are:

• To examine the impact of COVID-19 on the frequency and severity of cyber-attacks on businesses in Latin America.

• To analyze the benefits of cyber insurance coverage.

• To describe the security measures companies are expected to comply with in order to buy cyber insurance.

• To explore how cyber insurance helps a company when dealing with a cyber-attack.

• To analyze the cyber insurance market – who can provide this type of product?

• To demonstrate the financial impact of cybercrime.

• To explore the role of government regulations and policies, specifically in Ecuador, promoting the adoption of cyber insurance by businesses.

Literature Review

Information Technology

Information technology (IT) is the use of networks, computer hardware, and software to store, process, and transmit information (Nelson, 2022). Technology has completely changed how businesses function and has grown to be an essential part of contemporary company procedures. Businesses can now store enormous volumes of data thanks to technology, which can then be examined to learn important things about how the company operates and how its customers behave (Neddersen, 2021).


Since companies increasingly rely on technology to operate, they are now more exposed to different types of cyber dangers. Some of the cybersecurity concerns linked to information technology are:

• Hacking: “is the act of identifying and then exploiting weaknesses in a computer

system or network, usually to gain unauthorized access to personal or

organizational data.” (Kaspersky, 2022)

• Social engineering: “is a manipulation technique that exploits human error to gain

private information, access, or valuables. In cybercrime, these “human hacking”

scams tend to lure unsuspecting users into exposing data, spreading malware

infections, or giving access to restricted systems.” (Kaspersky, 2022)

• Phishing: “is the most common form of social engineering, the practice of

deceiving, pressuring or manipulating people into sending information or assets

to the wrong people. Social engineering attacks rely on human error and

pressure tactics for success” (IBM)

• Malware: is “short for malicious software, refers to any intrusive software

developed by cybercriminals (often called hackers) to steal data and damage or

destroy computers and computer systems. Examples of common malware include

viruses, worms, Trojan viruses, and ransomware.” (Cisco, 2023)

If a firm is exposed to these types of attack, the result can be data leaks, financial losses, and reputational damage to the corporation. Furthermore, due to the rising use of mobile devices and the cloud, enterprises now find it difficult to assure the security of their data and networks (HUB International Limited, 2022).

Cyber Crime

Cybercrime refers to criminal activities that are carried out using the internet or other technological means, such as digital computers. Cybercrime can take many forms, including hacking, phishing, and identity theft (Dennis, 2023). Hackers often target businesses and organizations because they hold valuable information and assets. Cybercrime can have a significant impact on businesses, causing financial losses.

Cybercrime is a global issue and a threat that has grown in recent years, as technology has advanced exponentially and cybercriminals have gained more experience (PWC, 2022). Consequently, organizations must take proactive steps to protect themselves against cybercrime, such as applying robust cybersecurity measures and staying well-versed in the latest cyber threats. Some common cybersecurity measures include holding regular cyber security training for the workforce (such as explaining phishing emails); implementing antivirus software, firewalls, multi-factor authentication, a disaster recovery plan, and intrusion detection systems; conducting regular security assessments; and encrypting information (Federal Communications Commission).

Insurance & Loss Event

Insurance is an intangible financial product that transfers risk from one entity or person to another entity for a price. It is designed to protect individuals and organizations against financial losses that may arise from unexpected events. A loss event is any occurrence that results in financial losses or damages for the insured and is therefore claimed from the insurer in order to obtain the corresponding indemnity (Maheshwari, 2023).

Insurance policies are tailored to the client's needs and are designed to cover specific types of losses, with a specific sum insured for which the insurer would be responsible. Property damage, physical injury, and medical costs are some of the many types of insurance available. Insurance plans are issued by insurance firms, which evaluate the risks involved with various sorts of losses and determine rates accordingly (Maheshwari, 2023).

Cyber Insurance

A relatively new kind of insurance called "cyber insurance" covers damages brought on by cyberattacks and data breaches. The history of cyber insurance began in the late 1990s and early 2000s, as businesses first began to realize the possible financial damages brought on by cyber events. At first, insurance firms provided compensation for damages brought on by data breaches, but the policies' reach and level of protection were limited. Insurance companies then began to provide more thorough cyber insurance policies that covered losses caused by cybercrime as well as business disruption, network failures, and ransoms paid to hackers (Colony West, 2019).

When high-profile data breaches and cyberattacks gained media attention in the

middle of the 2000s, the need for cyber insurance increased. Almost 163,000 people's

personal data were stolen in 2005 as a consequence of a hack at the data aggregator business

ChoicePoint (FTC, 2015). One of the first breaches to garner extensive media coverage, this

one significantly raised the demand amount paid to hacker, and loss of income due to

business interruption.

Organizations of all sizes and in all sectors globally are now realizing the need to protect themselves from the financial damages brought on by cyber disasters, which has resulted in a rapidly expanding market for cyber insurance. The global cyber insurance market is valued at USD 8.73 billion in 2022 and is forecast to reach a value of USD 51.04 billion by 2030 at a Compound Annual Growth Rate (CAGR) of 24.70% over the forecast period, as seen in Figure 1 (Vantage Market Research, 2023).

Figure 1
Cyber Insurance Market Size 2022 to 2030 (USD billion)

The coverage offered by cyber insurance policies can vary widely, but typically includes coverage for first-party and third-party losses resulting from cybercrime. The main coverages cover the expenses associated with responding to a cyber-attack, such as investigating the incident, restoring data, forensic experts, legal assistance, the extortion amount paid to the hacker, and loss of income due to business interruption. Some policies also

include coverage for the costs of notifying affected expenses related to legal responsibilities,

such as litigation expenses and regulatory fines and penalties, may also be covered by cyber

insurance. The policy coverage and costs vary depending on the organization's size and kind,

industry it operates in, and cybersecurity posture. The insurance might be expensive, but it

can offer crucial compensation that could otherwise force a business into bankruptcy.

(Morris, 2021).

Basic Prerequisites for Acquiring a Cyber-Insurance:

To purchase cyber insurance, businesses and organizations must meet certain prerequisites. These prerequisites can differ depending on the company acting as the insurer and the specific policy being purchased, taking into account the line of business, the size of the company, etc. In order to establish whether they comply with the prerequisites, organizations must also assess their current cybersecurity measures, including firewalls, antivirus software, and intrusion detection systems (Köller, 2023).

Organizations must also make sure that their workers are trained in cybersecurity best practices and uphold robust cybersecurity policies. This includes regularly backing up data, implementing security patches and updates, enforcing MFA on all accesses, and maintaining strong passwords. By demonstrating a commitment to cybersecurity, organizations can reduce their risk exposure and potentially lower their cyber insurance premiums (May, 2022).

Analysis of the Cyber Insurance Market

The market for cyber insurance in Latin America is anticipated to expand at a CAGR of 21.6% from 2021 to 2028, according to research by Allied Market Research. The frequency and severity of cyberattacks, the expanding adoption of digital technology by organizations, and the mounting regulatory pressure on firms to secure sensitive data are all contributing to this development (Aarti, 2020).

The size of the worldwide cyber insurance market was $9.8 billion in 2022, and it is

anticipated to increase to $31.7 billion by 2028, with a CAGR of 22.39% from 2023 to 2028.

Latin America's cyber insurance industry is still minor in comparison to other continents like

North America and Europe in terms of market size. Yet, it is projected to increase from $491

million in 2020 to $2.4 billion by 2028. (IMARC, 2023).

The key players in the cyber insurance market in Latin America include both local and international insurers. Local insurers such as Bradesco Seguros and SulAmérica in Brazil, and SURA in Colombia, are leading the way in the region. However, international insurers such as AIG and Chubb, which are also present in Ecuador, are expanding their operations in Latin America, as they see the potential for growth in the market (InsightAce Analytic, 2023). Another key player is the reinsurance broker, which is capable of “importing” insurance products to local insurance companies so that their clients still have access to the insurance even though the local companies don’t support it themselves, but instead transfer the risk internationally to markets such as Lloyd's or the American or European markets. Reinsurance brokers such as Momentum and THB Renovation are able to sell that product (Momentum, 2021).

The lack of knowledge and comprehension of cyber hazards among firms in the area

is one of the major issues the Latin American cyber insurance industry is currently

experiencing. Many businesses in Latin America still consider cybersecurity to be an expense

rather than an investment, and they might not have the tools or knowledge necessary to

handle cyber threats. This offers an opportunity for insurers to provide their clients with

services such as risk management and cybersecurity in addition to insurance coverage

(Jiménez, 2022).

The lack of uniform cybersecurity regulations in the area is another problem. This might make it challenging for insurers to evaluate cyber threats and consistently underwrite policies. But regulatory frameworks are beginning to take shape, with nations like Brazil, Mexico, and now Ecuador enacting data protection laws that mandate that businesses implement cybersecurity measures and disclose data breaches; if they don't, they risk being subject to fines and sanctions imposed by the supervisory body (Banco Pichincha).

These are all projected to contribute to the Latin American market for cyber insurance

expanding significantly over the next years.

Cybercrime After COVID-19 Globally

The COVID-19 pandemic has had a significant impact on businesses and organizations around the world. The impact made a lasting change in the Earth's population, forcing many to shift to remote work and digital operations. As seen in Figure 2, the pandemic has also led to an increase in cybercrime, as criminals seek to exploit the vulnerabilities created by the pandemic to steal sensitive data and funds.

Figure 2

Cost of Cybercrime Worldwide (in trillion US dollars), 2018 to 2027

Note: Retrieved from Fleck, 2022

Additionally, to provide a better understanding of the increase in cyber risk since

COVID-19, here are some real statistics:

1. According to a report by Statista, the global cost of cybercrime was estimated at some 8.4 trillion U.S. dollars in 2022 (Petrosyan, 2022), and the cost of cybercrime in Latin America is estimated to be 90 billion U.S. dollars annually (Pasquadibisceglie, 2022).

2. A survey found that 73% of companies globally had experienced a cyber-attack (Marsh

& Microsoft, 2022).

3. The average cost of a data breach in Latin America was 2.80 million U.S. dollars in 2022 and 2.56 million U.S. dollars in 2021 (IBM Corporation, 2022).

4. The FBI reported that it received 791,790 complaints of suspected internet crime in 2020, a 69% increase from 2019 (Federal Bureau of Investigation, 2021).

5. According to a report by IBM, 83% of organizations studied have had more than one

data breach and the average total cost of a data breach is 4.35 million U.S. dollars as

seen in Figure 3. This number represents a 2.6% increase over last year's average cost

of a data intrusion, which was USD 4.24 million. The average price has increased by

12.7% from USD 3.86 million in the report for 2020 (IBM Corporation, 2022).

Figure 3

Average Total Cost of a Data Breach

Financial Impact on Companies that have Suffered Cyberattacks

The financial impact of a cyberattack on a business can vary based on factors such as

the company's size, the nature of the attack, and the industry in which the business operates.

A cyberattack can result in direct financial losses, such as costs associated with remediation,

regulatory fines, and legal fees. There may also be indirect costs, such as costs associated

with business interruption, brand reputation damage, and consumer loyalty and credibility

loss. Here are six examples of companies in Latin America that have suffered financial losses

due to cyberattacks:
1. Banco de Chile: In 2018, Banco de Chile suffered a cyberattack that resulted in $10 million in losses. The attack involved a virus that infiltrated the bank's computer systems and caused chaos in the bank's operations; the bank had to temporarily shut down over 9,000 ATMs and close its branches for several days (Kirk & Ross, 2018).

2. Seguros Equinoccial: In August 2020, this insurance company in Ecuador suffered a ransomware attack that resulted in an estimated $4 million in losses. The attack involved hackers encrypting the company's data and preventing it from using its systems, later demanding a ransom payment to restore access (El Universo, 2020).

3. In May 2019, Banco Pichincha, one of the largest banks in Ecuador, suffered a cyberattack that resulted in an estimated $12 million in losses. The attack involved hackers using malware to intercept the bank's transactions and transfer funds to accounts in Hong Kong and Dubai (Voz de America, 2021).

4. Costa Rica's Government: In May, Costa Rica declared a national emergency in response to a ransomware attack in April by the Russia-aligned hacking group Conti, which had identified vulnerabilities in the nation's public cybersecurity infrastructure. The effects of the assault caused halts across the public sector, including paralyzed commerce, citizens unable to access public services online, and private companies unable to submit their earnings or charge the state for their professional services. The government refused to pay the $10 million ransom demanded by Conti's hackers, but the infrastructure collapse in the days that followed was far more costly. “The Costa Rican Chamber of Foreign Commerce estimated losses of more than $125 million in the first two days of the attack alone” (Rosch, 2022).

5. CNT EP: In 2021, the Ecuadorian telecoms firm CNT EP suffered a cyberattack in which hackers broke into the business's computer systems and disrupted its operations, particularly its invoicing and customer support systems. The same hackers demanded a ransom payment of 11 million dollars after breaking into other businesses in South America; it is not known how much CNT paid (Din, 2021).

6. The Municipality of Quito in Ecuador had undetermined amounts of corrupted data

released on April 16, 2022, by the ransomware group ALPHV (BlackCat). This is a

significant occurrence because it was confirmed by the Mayor's Office of

Municipality of Quito and the State Attorney General's Office that the initial attack

resulted in the "suspension" of several crucial governmental services, which

inconvenienced users by making it difficult for them to complete procedures. As of

April 25, 2022, the hackers provided a free download link for all the data allegedly

exfiltrated by ALPHV on a .onion domain. Sensitive financial, legal, and political

papers pertaining to the operations and administration of the Municipality of Quito,

Ecuador, are likely among the compromised data. If used by a nation-state, criminal

organization, or other opportunistic threat actor, this material might be harmful to

Ecuador's national security (Insikt Group, 2022).

In Latin America, ransomware attacks increased by 25 percent in 2022 compared to the previous year, which is only a small sample of the cybercrimes that have lately occurred (Onofa, 2022). Also, there is a global tendency to target certain industries more than others, as depicted in Figure 4, with the healthcare, financial, pharmaceutical, technology, and energy sectors being the most targeted (IBM Corporation, 2022).


Figure 4

Average Cost of a Data Breach by Industry

Also, as previously stated, and as the case of the Costa Rican government shows, timing is crucial in order to stop these types of cyberattacks correctly. Business interruption and the time of containment are among the higher costs of experiencing cyberattacks, and as Figure 5 below illustrates, the average time to detect and contain a data breach is nearly 300 days.

Figure 5

Average Time to Identify and Contain a Data Breach


These instances highlight the diverse tactics and effects of cyberattacks on Latin

American businesses, as well as the monetary damages they might bring about.

Benefits of Cyber Insurance

The increasing number of cyber-attacks and their devastating effects have made cyber

insurance a crucial component of any comprehensive risk management strategy for

organizations.

Here are some of the benefits of cyber insurance:

1. Financial Protection: Cyber insurance provides financial protection to individuals and

businesses in the event of a cyber-attack. It can cover losses due to business

interruption, data recovery costs, legal fees, forensic expert services, notification

expenses, credit monitoring expenses (in case it applies), sanctions imposed, and

other expenses associated with a cyber incident. (AIG, 2019; Beazley)

2. Reputation Management: Cyber insurance can provide access to resources and expertise that can help individuals and businesses manage their reputation in the event of a cyber-attack. This coverage, the reputation protection expense, can include public relations advisors and crisis management support. Aside from a public relations agency, the response advisor may also be a law firm appointed by the insurer to mitigate the losses (AIG, 2013).

3. Regulatory Compliance: Many industries are subject to strict data protection regulations, such as HIPAA for healthcare, GDPR for businesses operating in the European Union and, in the case of Ecuador, the Ley Organica de Protección de Datos Personales. If the law is broken, sanctions of between 0.7% and 1% of the sales revenue of the previous fiscal year may be imposed (Alonso, 2023). Cyber insurance can help businesses comply with these regulations and also acts as a financial tool by providing coverage for legal fees and fines resulting from a breach (AIG, 2019).

4. Cybersecurity Services: Some cyber insurance policies come with additional services

that can help prevent cyber-attacks. These can include vulnerability assessments, call

center services designated to deal with customers, and cybersecurity best practices

guidance (National Cyber Security Centre, 2020).

5. Peace of Mind: Cyber-attacks are becoming more sophisticated and frequent, and no

organization or individual is immune to them. Cyber insurance provides peace of

mind by providing coverage for financial losses and liabilities that could otherwise

be devastating.

6. Competitive advantage: Having cyber insurance can also provide a competitive

advantage for businesses. In today's digital age, customers and partners are

increasingly concerned about cybersecurity risks, and having cyber insurance can

demonstrate a commitment to managing cyber risks effectively.

To summarize, it’s important to understand the importance of cyber insurance and all the benefits that come with it. It is certainly not an expense, but an investment, which is getting more expensive as time passes. According to Aon’s Cyber Solutions, which has received guidance from the main cyber insurers, premium increases of between 20% and 50% are to happen in 2022, and the trends are expected to continue to 2023 (AON, 2023).

Methodology

Using a mixed methods approach the study used both quantitative and qualitative

techniques. These included analysis and discussion of online articles and statistics about the

subject, surveying employees to determine their susceptibility to cybercrime, and speaking


with two cyber insurance experts to learn more about how well that insurance works to reduce

the risks of cybercrime.

The existing literature on cyber insurance and cybercrime was thoroughly reviewed

in order to perform the study, with a focus on current research and data. This gave the study

a qualitative research approach and a strong basis and made it easier to pinpoint the most

important research topics and ideas.

A survey, via Google Forms, was given to a sample of 151 employees located in Guayaquil and Samborondon in order to get information on how vulnerable employees are to cybercrime. The survey's closed-ended questions were used as the quantitative approach to the research in this paper. Descriptive statistics were used to examine the survey data in order to identify cybersecurity trends and vulnerabilities within Ecuadorian companies.

The first cyber insurance expert interviewed was Carlos Miranda, Cyber Risk Underwriter at Beazley; the second was Carlos Chancay, the Facultative Reinsurance Manager of Momentum Reinsurance (MREC Intermediaria de Reaseguros S.A.), which is the top reinsurance broker in Ecuador. They provided in-depth information on the advantages and limitations of cyber insurance as a risk management tool. They were interviewed by me in order to gain insights into the effectiveness of cyber insurance in reducing the risks of cybercrime. The experts' replies were broken down into major themes and patterns using thematic analysis of the interview data.

Discussion of Survey Results

The full results of this survey are shown in Annex A.

As demonstrated in the research, there has been an increase in cyber risk since COVID-19. One of the most significant changes brought about by the COVID-19 pandemic is the shift towards remote work. With employees working from home, as responded by 60% (Figure 13) of employees surveyed, businesses have had to rely on digital platforms to maintain their operations. This has increased the attack surface for cyber criminals, making it easier for them to exploit vulnerabilities in the IT systems of businesses. According to “El Panorama de Amenazas en América Latina 2021”, a report by Kaspersky, cyber-attacks in Latin America increased “24% during the first eight months of the year, compared to the same period in 2020.” Furthermore, the growth trend in cyber-attacks is also reflected in all countries, “led by Ecuador (+75%), followed by Peru (+71%), Panama (+60%), Guatemala (+43%) and Venezuela (+29%)” (Diazgranados, 2021).

Likewise, considering the first eight months of 2022, Kaspersky recorded a total of

817 million attempted attacks in Latin America, representing 2,366 blockages per minute

(39.43 per second). Brazil is the most targeted country in Latin America, followed by

Ecuador: both are on the global list of the top 10 phishing attacks and rank 6th and 8th

respectively. (Kaspersky, 2022)

In addition to this, the pandemic has also led to an increase in the use of personal devices for work purposes. This has created further vulnerabilities in the IT systems of businesses, as personal devices are often less secure than corporate devices. According to the survey run in Ecuador, 60% of employees admitted to being able to work remotely (Figure 13) and 55% of them revealed they do not have MFA in place as a cyber security measure (Figure 14). This makes the companies in question even more likely to fall victim to one of the 39 attacks per second and leaves them unable to buy cyber insurance, since they don’t comply with the prerequisites. This indicates an even greater vulnerability: as managers cannot see who is accessing the data when they are at the office, there is no assurance that only the employee has access to that information.


Additionally, Figure 17 shows that most respondents report that their company restricts user access to sensitive data/information based on the employee's job position, but not by much: the difference is only about 9%. This demonstrates that someone who is not supposed to have access to certain information still has it. And the more people who have information they don’t need, the easier it is for it to be compromised.

Another factor contributing to the increase in cyber risk is the rise in phishing attacks.

There was a 667% increase in phishing attacks in March 2020, compared to January and

February of the same year. (Schwartz, 2020). As shown in Figure 6, phishing is the second

most attempted attack following the COVID-19 pandemic. (Petrosyan, 2023).

Figure 6

Where do IT professionals see an increase in cyber-attacks and attack attempts following the

COVID-19 pandemic?

Additionally, most of the Ecuadorian employees surveyed for this research were unaware that the first step when receiving an email is to verify the domain. Nearly 20% of respondents indicated that they clicked on the link without taking the necessary security precautions (Figure 21). It makes sense that 41% of the sample did not believe they were adequately trained in cyber security, and that a sizeable 31% neither agreed nor disagreed with this statement, indicating that more than 70% are not knowledgeable about the significance of cyber security and represent an important threat to the company (Figure 18).

Following this line of thought, it is also notable that most employees surveyed, 56%, do not know how to respond to a cyber security incident (Figure 20), and most of them will therefore most likely fail to report it. In addition, the fact that 48% (Figure 22) of respondents said their employer did not have a plan for a cyberattack calls into doubt the likelihood of a reasonable response to a cybercrime. Even where the employee was uncertain whether the company had a plan in place (28%), the fact that they are unaware of the plan and lack genuine guidance indicates a high rate of vulnerability.

Analysis of Interview

As mentioned above, and detailed in Annex B, an interview was conducted with Miranda and Chancay, cyber insurance experts who work in the industry. It is clear from the conversation with them that companies must have solid cybersecurity procedures in place before they can get cyber insurance. This is because there is significant demand for cyber insurance and reinsurers must be selective about the companies they cover due to capacity constraints. A cyber form, financial statements, MFA, antivirus and firewall, encrypted backups, employee cybersecurity training, and others are all requirements for a business to obtain a quote.

Miranda and Chancay stated that several factors are considered when determining the premiums for cyber insurance policies, including the quantity of records containing personally identifiable information, the amount of investment made by the company in cybersecurity, the industry, the degree of risk involved, and the anticipated deductible. For an insured amount of between $500,000 and $1,000,000, premiums typically begin at $20,000; however, for financial institutions, they may begin at $35,000 or more, which is certainly less than bearing alone the cost of a cyber-attack, whose losses tend to be over a million dollars.

The claims process for a cyber event begins with a specialist call center that is open 24/7 to take client calls and start the claim processing procedure. The next step is to hire forensic specialists to ascertain the cause of the data breach, and, to manage the claim more effectively, attorneys and public relations companies are recruited. An experienced negotiator is also employed to deal with the hacker in the event of business interruption and ransom demands. Additionally, the insured's year-end financial accounts are examined in order to calculate the profit lost due to non-operation.

Policies typically feature a sublimit that covers penalties, sanctions, and regulatory fines connected to cyber events. This sublimit is not necessarily offered at the beginning and can be negotiated. Depending on the sector, it is normally no greater than 40% of the total covered amount. Since the Ley de Protección de Datos Personales only recently went into effect, the subject is pertinent in the case of Ecuador.

One limitation of cyber insurance coverage is that e-crime, or the theft of money from a bank by a hacker, is not covered. It is negotiable, though, and reinsurers may incorporate a sublimit of about 20% for e-crime.

To summarize, the interviews conducted have shown that cyber insurance may help businesses reduce the financial effect of cybercrime, which has considerably escalated since the COVID-19 pandemic. In addition, governments are indirectly pushing firms to embrace cyber insurance by enforcing laws that hold companies accountable and may result in losses if broken.

Conclusions

Who needs cyber insurance? Businesses of all sizes should think about purchasing cyber insurance to guard against monetary losses resulting from data breaches, network interruptions, and other cyber catastrophes. Small businesses may be particularly vulnerable to cyber-attacks because they do not have the same financial means as bigger firms to handle the expenses connected with a cyber event. Cyber insurance can give them financial protection to help them recover from the financial loss of a cyber-attack.

Another group that can profit from cyber insurance is healthcare practitioners, since they keep large volumes of patient data. Purchasing the insurance provides financial protection against data breaches, violations of HIPAA or of Ecuador's Ley de Protección de Datos Personales, and other cyber catastrophes.

Financial institutions are vulnerable to cyberattacks because they hold private financial information, which makes these businesses prime targets for online fraudsters. Losses resulting from fraudulent transactions, data breaches, and other cyber disasters may be covered by cyber insurance.

Government organizations are susceptible to cyberattacks since they keep sensitive data as well. Data breaches, network outages, and similar events can cause them to incur expenses that are covered by cyber insurance.

Primary services like telecoms networks should also think about it, as they are key infrastructure that houses vast quantities of sensitive data, including customer information, financial records, and intellectual property. They might be the target of a cyberattack that causes large monetary damages to third parties as well as reputational harm.


Any company that uses technology to store or handle sensitive information should

have cyber insurance. Also, almost all organizations nowadays depend on the internet in this

digital age. Thus, a cyber-attack might cause serious losses for any kind of company.

According to the review of the cyber insurance industry and its benefits, a variety of coverage alternatives are available, ranging from basic policies to premium ones with cyber security risk management services. This implies that companies of every size and in any sector may select an insurance plan that suits their requirements and price range.

One of the main advantages of cyber insurance is that it offers financial protection in the case of a cyberattack. Victims of cyberattacks may incur many expenses, such as legal bills, economic interruption, and reputational harm. Cyber insurance can help businesses cover these costs, mitigating the attack's impact and allowing them to recover more swiftly and efficiently.

My recommendation for new research is to do market research in Ecuador, taking into account the new Ley de Protección de Datos Personales in place, in order to understand how the demand will shift and therefore implement a business plan in companies around the insurance industry, e.g. insurance brokers.

This paper has demonstrated that, since COVID-19, cyber insurance is a valuable solution for companies dealing with cybercrime. It may benefit firms in a number of ways, including financial security, access to professional assistance, and control over reputational harm. Even if it is not a complete solution, it can add a crucial layer of security against more frequent and sophisticated assaults. Businesses that store or handle sensitive data, such as customer, financial, or proprietary information, should think about getting cyber insurance to safeguard themselves and their clients; as the saying goes, "prevention is better than cure".

Annexes
Annex A

Figure 7

Please select the response that best describes the industry in which your company is active

Figure 7 shows that employees in different types of industries were surveyed; the top industries were Insurance, Food, Education and Medical.

Figure 8

How long have you been working in the company?


Figure 8 shows that the majority of respondents have been working at the company

for more than 4 years.

Figure 9

Does your company require users to change passwords on at least a quarterly basis?

Figure 9 shows that the majority of respondents indicate that their company does not require password changes at least once every quarter, which demonstrates the vulnerability in cyber security.

Figure 10

Does your company require strong passwords for administrator rights, e.g. 10 characters using a mix of alphabetic, numeric and other characters?

Figure 10 shows that most respondents report that their company does not require strong passwords for administrator rights, including a mix of alphabetic, numeric, and other characters. The difference is not large: it can be said that almost half are required to and half are not. Still, the majority are not obligated to do it, and therefore there is a clear vulnerability.

Figure 11

Do you save your passwords in a web browser?

Figure 11 shows that a significant number of respondents admit to storing their passwords in a web browser, meaning that if the wrong person gains access to their devices, it would be easier to access even more private information.

Figure 12

Do you use 2-factor authentication?


Figure 12 shows that the majority of respondents do not use two-factor authentication, making it easier for cyber criminals to access their accounts.

Figure 13

Does your company allow remote access to its corporate network?

Figure 13 shows the majority of respondents report that their company allows

remote access to its corporate network.

Figure 14

If yes, is this limited to two-factor authentication only?


Figure 14 shows that, among companies that allow remote access, most do not require two-factor authentication.

Figure 15

Do you have anti-virus software installed on your computer?

Figure 15 shows the vast majority of respondents have anti-virus software installed

on their computer.

Figure 16

Do you use pirated software on the computer?


Figure 16 shows that 1/3 of respondents use pirated software on their computer, making their computer vulnerable to hackers.

Figure 17

Does your company restrict user access to sensitive data/information according to an

employee's job position?

Figure 17 shows that most respondents report that their company restricts user access to sensitive data/information based on the employee's job position, but not by much: it reflects only a difference of about 9%. This demonstrates that people who are not supposed to have access to certain information, since they do not need it, still have it. And the more people who have information they do not need, the easier it is for it to be compromised.


Figure 18

Do I feel I have been sufficiently trained in cyber security at the company?

Figure 18 shows that most respondents feel that they have not received sufficient training in cyber security at the company, with the majority disagreeing that they have been taught enough.

Figure 19

Do I know exactly where to go in the organization when I need a security expert?


Figure 19 shows a significant number of respondents do know where to go within

the organization to seek advice from a security expert.

Figure 20

Do I know how to formally report a security incident?


Figure 20 shows the majority of respondents do not know how to formally report a

security incident.

Figure 21

What do you do when you receive an email with a link or document?

Figure 21 shows that a majority of respondents indicate that they examine the link/document before clicking on it.

Figure 22

Does the company you work for have an incident plan regarding a cyber-attack?

Figure 22 shows that a significant number of companies do not have an incident plan in place in case of a cyber-attack.

Figure 23

Do you use the same password for your online accounts?

Figure 23 shows that the majority of respondents do use the same password for multiple online accounts. However, the difference is not large; it could be said that half of the sample repeats passwords for their accounts.

Figure 24

Does the company you work for have an IT department?


Figure 24 demonstrates most respondents report that the company they work for has an IT

department.
Annex B

Interview

Question 1: What are the prerequisites that a business needs to enforce in order to be

able to buy cyber insurance?

Carlos Miranda commented that it is not only a matter of whether a business can buy: to even be able to get a quote from a reinsurer, there already need to be well-implemented cyber security measures, since the demand for the product is so high and the capacity of the reinsurers is limited. The following security measures need to be enforced to be able to obtain a quote:

• MFA (multi-factor authentication) implemented on all access, including but not limited to:

o MFA for privileged users

o MFA for Outlook 365 or equivalent

o MFA for backups

• Antivirus and firewall installed

• Disaster recovery plan

• Business continuity plan

• Encrypted backups

• Encryption for data at rest and in transit

• Training and education on cybersecurity for employees

They would also need financial statements and a questionnaire from the company. These are global standards for access to cyber insurance; they are not limited by region but apply as a whole, since cybercrime is not limited by territory.


Carlos Chancay mentioned that the insured must have MFA controls, among other cyber security measures, complete the cyber form, which must be positive, and submit financial statements. On the importance of implementing good security measures, he noted that entities that handle third-party information must understand that properly safeguarding such information means having their customers in mind, and also that customers are inclined to trust companies that are responsible with their data. This is therefore reflected in a good financial position of the company, and it is in their own interest.

Question 2: How does the underwriter determine the premium for cyber insurance

policies?

Carlos Miranda commented that there are many factors that are taken into account in order to quote, but some of the main ones are: the number of PII (Personally Identifiable Information) records; to what extent the company invests in its cyber security; whether it follows the prerequisites mentioned above; and the type of industry in which it operates. It is not the same to quote a wholesaler compared to a call center or a credit card issuer; the latter has more information and a higher risk, and therefore higher premiums. He commented that premiums usually start from US$ 20,000 in most cases for a sum insured between US$ 500,000 and US$ 1,000,000.

Carlos Chancay commented that it depends on the level of data or records kept by the entity to be insured and the limit they wish to contract. As secondary factors, additional coverages such as payment of fines and penalties, or expected deductibles, also influence the price. Minimum risk premiums tend to be as low as US$ 20,000 for industries that are not the most vulnerable, while more sensitive lines of business, such as financial institutions, hospitals, call centers, payment processors, etc., would see premiums above US$ 35,000 for limits starting at US$ 1,000,000, which is what they tend to buy.


Question 3: How does the claims process work if my organization experiences a cyber

incident?

Carlos Miranda commented that in the case of Beazley, they have a specialized call center that is available 24/7 in order to receive calls from customers and start the claim handling process. They then proceed to hire forensic experts to understand where the data breach started, and lawyers and public relations firms so that the company can deal with the claim more efficiently. And in case their client is suffering from business interruption and the hacker is asking for a ransom in exchange, they also proceed to hire an expert negotiator to deal with the criminal.

Carlos Chancay mentioned that the first step is the notification of the loss. Secondly, an adjuster, a forensic expert or a lawyer should be appointed to see if there really is a cause for coverage. After that comes the support of the documented losses: in case the loss is due to business interruption, a due analysis of the financial statements of the previous fiscal year must be made to determine the loss of income per day and therefore the loss of profits. In the same way, a sublimit can also be contracted to cover the loss of profits of companies that depend on your services to operate, in case they decide to sue you. As the risk and the loss are technical, the advice of the client's insurance broker is extremely important in order to mitigate the damage as soon as possible.

Question 4: How does the policy address regulatory fines and penalties related to

cyber incidents?

Carlos Miranda commented that policies usually tend to have a sublimit that covers penalties, sanctions, and regulatory fines. It tends to be no higher than 40% of the sum insured and, depending on the industry, is not always given at the start. Clients usually need to negotiate in order to have that sublimit; it is not usually given at first offer.

Carlos Chancay mentioned that it is a sublimit that can be contracted, and it is a value that can be accrued once it is legally proven that the company or the insured that holds the cyber policy is responsible for the disclosure of data and therefore has to pay a penalty to the state for not complying with the law. In the case of Ecuador, with the new law of protection of personal data in force, that can mean up to 1% of billing for misuse, and it also covers legal expenses for defense and investigation costs.

Question 5: Are there any specific exclusions or limitations in the policy that I should

be aware of?

Carlos Miranda mentioned that there is a limitation, an extension of coverage usually not given at first offer, which is e-crime. He mentioned that, as cyber insurance concerns the theft of data by cyber-crime, it does not actually also include the theft of cash from the bank by the hacker. However, if negotiated and needed, the reinsurer may include a sublimit of about 20% for e-crime, which is the theft of money by cyber-crime.

Carlos Chancay mentioned that the insured or the contracting party of the policy should always keep in mind and review the document in its entirety to be clear about the scope and limitations of the policy. The theft of physical money due to physical and on-site hacking of a technological device, for example a bank vault, is not covered, since that is the concern of another insurance policy, and the client should be aware that the main nature of the cyber coverage is the theft of data through cybercrime.
