Morales Leoro Andrea Valeria ResearchPaper
STUDENT:
VALERIA ANDREA MORALES LEORO
TUTOR:
ING. BILLY ANDRADE GARCIA, MBA
Cybercrime, or computer crime, refers to criminal activities that are carried out using
the internet or other technological means. It has increased since the Covid-19 pandemic,
as the workforce has shifted from an office environment to a work-from-home
situation. The main objective of this research is to analyze the benefits of cyber insurance as a
consequence of the financial impact cyber risk has had on Latin American businesses since
Covid-19. Extensive research was made on the topics and a quantitative study was applied to
Samborondón and Guayaquil. Also, a qualitative analysis was done by interviewing cyber
experts in the industry. Some results showed that although there are clear vulnerabilities of
cyber security in Ecuador, such as poor cyber security awareness; cyber insurance
the case it happens, transferring the cost of the risk to another entity, the insurer.
Keywords: Cybercrime, Cyber Insurance, Covid-19, Hacking, Data Breach, Cyber Risk
Introduction
Since COVID-19 happened, the world took a 180-degree turn in almost every
possible aspect. New challenges were imposed on businesses, as they had to change their
in-office model to a work-from-home solution, which was essential to continue their activities and to
secure profits for their investors. As the model changed, new technologies needed to be
implemented so that everything had online access, allowing employees to continue
their responsibilities while protecting their health. Corporations had to accelerate their
digital transformation, which then made cyber security a major concern (Marco J.
Vassallo).
to a home office modality, which in turn made them even more exposed to cyber-attacks than
ever before (Zerlang, 2022). A business could potentially lose millions of dollars if it were
a victim of these kinds of attacks. Its confidential information may be compromised, as
well as its clients'. Making them vulnerable to have a tremendous economic hit and
theft, cyber extortion and fraud, accompanied by disruptive technologies, require a new and
improved way that helps to prevent it. Improving in-house security is not enough, as a risk
is still possible. It is negligent to assume that only increasing security is a solution,
consequently making cyber insurance the ultimate protection in order to hand over the risk
consequence of cyber risk since covid 19 pandemic hits Latin American Economy. The
cyber insurance
• To explore how cyber insurance helps a company when dealing with a cyber-attack.
• To analyze the cyber insurance market – who can provide this type of product?
Literature Review
Information Technology
Information technology (IT) is the use of networks, computer hardware, and software
to store, process, and transmit information (Nelson, 2022). Technology has completely
changed how businesses function and has grown to be an essential part of contemporary
company procedures. Businesses can now store enormous volumes of data thanks to
technology, which can then be examined to learn important things about how the company
they are now more exposed to different types of cyber dangers. Some of the cybersecurity
• Hacking: “is the act of identifying and then exploiting weaknesses in a computer
• Social engineering: “is a manipulation technique that exploits human error to gain
scams tend to lure unsuspecting users into exposing data, spreading malware
• Phishing: “is the most common form of social engineering, the practice of
to the wrong people. Social engineering attacks rely on human error and
If a firm is exposed to these types of attack, it can result in data leaks, financial losses,
and reputational damage to the corporation. Furthermore, due to the rising use of
mobile devices and the cloud, enterprises now find it difficult to assure the security of
Cyber Crime
Cybercrime refers to criminal activities that are carried out using the internet or other
technological means, such as digital computers. Cybercrime can take many forms,
including hacking, phishing, and identity theft (Dennis, 2023). Hackers often target businesses
and organizations because they hold valuable information and assets. It can have a significant
Cybercrime is a global issue and a threat that has grown in recent years since
technology has advanced exponentially and cybercriminals have had more experience (PWC,
2022). Consequently, organizations must take proactive steps to protect themselves against
about the latest cyber threats. Some common cybersecurity measures include holding regular
cyber security training for the workforce (such as explaining phishing emails) and implementing
antivirus software, firewalls, multi-factor authentication, a disaster recovery plan, and intrusion
Insurance is an intangible financial product that transfers risk from one entity or
person to another entity for a price. It is designed to protect individuals and organizations
against financial losses that may arise from unexpected events. A loss event is any occurrence
that results in financial losses or damages for the insured and is therefore claimed to the
Insurance policies are tailored to the client's needs and are curated to cover specific
types of losses, with a specific sum insured for which the insurer would be responsible. Property
damage, physical injury, and medical costs are some of the many types of insurance available.
Insurance plans are issued by insurance firms, who evaluate the risks involved with various
Cyber Insurance
A relatively new kind of insurance called "cyber insurance" covers damages brought
on by cyberattacks and data breaches. As businesses first began to realize the possible
financial damages brought on by cyber events in the late 1990s and early 2000s, the history
of cyber insurance began. At first, insurance firms provided compensation for damages
brought on by data breaches, but the policies' reach and level of protection were limited.
Insurance companies began to provide more thorough cyber insurance policies that covered
losses caused by cybercrime as well as business disruption, network failures, and ransoms
When high-profile data breaches and cyberattacks gained media attention in the
middle of the 2000s, the need for cyber insurance increased. Almost 163,000 people's
personal data were stolen in 2005 as a consequence of a hack at the data aggregator business
ChoicePoint (FTC, 2015). One of the first breaches to garner extensive media coverage, this
one significantly raised the demand amount paid to hacker, and loss of income due to
business interruption.
Organizations of all sizes and in all sectors globally are now realizing the need to
protect themselves from the financial damages brought on by cyber disasters, which has
resulted in a rapidly expanding market for cyber insurance. The Global Cyber Insurance
Market is valued at USD 8.73 billion in 2022 and is forecasted to reach a value of USD 51.04
billion by 2030 at a Compound Annual Growth Rate (CAGR) of 24.70% over the forecast
Figure 1
Cyber Insurance Market Size 2022 to 2030 (USD billion)
The coverage offered by cyber insurance policies can vary widely, but typically
includes coverage for first-party and third-party losses resulting from cybercrime. The main
coverages cover the expenses associated with responding to a cyber-attack, such as
investigating the incident, restoring data, forensic experts, legal accompaniment, the extortion
amount paid to the hacker, and loss of income due to business interruption. Some policies also
include coverage for the costs of notifying affected expenses related to legal responsibilities,
such as litigation expenses and regulatory fines and penalties, may also be covered by cyber
insurance. The policy coverage and costs vary depending on the organization's size and kind,
the industry it operates in, and its cybersecurity posture. The insurance might be expensive, but it
can offer crucial compensation for losses that could otherwise force a business into bankruptcy
(Morris, 2021).
prerequisites. These prerequisites can differ depending on the company acting as the insurer
and the specific policy being purchased, taking into account the line of business, the size of the
company, etc. In order to establish whether they comply with the prerequisites, organizations must
also assess their current cybersecurity measures, including firewalls, antivirus software, and
Organizations must also make sure that their workers are trained in cybersecurity best
practices and uphold robust cybersecurity policies. This includes regularly backing up data,
implementing security patches and updates, enforcing MFA on all accesses, and maintaining
reduce their risk exposure and potentially lower their cyber insurance premiums (May, 2022).
The market for cyber insurance in Latin America is anticipated to expand at a CAGR
of 21.6% from 2021 to 2028, according to research by Allied Market Research. The
organizations, and the mounting regulatory pressure on firms to secure sensitive data are all
The size of the worldwide cyber insurance market was $9.8 billion in 2022, and it is
anticipated to increase to $31.7 billion by 2028, with a CAGR of 22.39% from 2023 to 2028.
Latin America's cyber insurance industry is still minor in comparison to other continents like
North America and Europe in terms of market size. Yet, it is projected to increase from $491
The key players in the cyber insurance market in Latin America include both local
and international insurers. Local insurers such as Bradesco Seguros and SulAmérica in
Brazil, and SURA in Colombia, are leading the way in the region. However, international
insurers such as AIG and Chubb, which are also present in Ecuador, are expanding their
operations in Latin America, as they see the potential for growth in the market (InsightAce
Analytic, 2023). Other key players are reinsurance brokers, who are capable of
“importing” insurance products to local insurance companies so that their clients still have
access to the insurance even though they don’t support it locally, but transfer the risk
Momentum and THB Renovation are able to sell that product (Momentum, 2021).
The lack of knowledge and comprehension of cyber hazards among firms in the area
is one of the major issues the Latin American cyber insurance industry is currently
rather than an investment, and they might not have the tools or knowledge necessary to
handle cyber threats. This offers an opportunity for insurers to provide their clients with
(Jiménez, 2022).
Lack of uniform cybersecurity regulations in the area is another problem. This might
make it challenging for insurers to evaluate cyber threats and consistently underwrite
policies. But regulatory frameworks are beginning to take shape, with nations like Brazil,
Mexico, and now Ecuador enacting data protection laws that mandate businesses implement
cybersecurity measures and disclose data breaches; if they don't, they risk being subject to
These are all projected to contribute to the Latin American market for cyber insurance
organizations around the world. However, the impact made a lasting change in the Earth's
population, forcing many to shift to remote work and digital operations. As seen in Figure 2,
the pandemic has also led to an increase in cybercrime, as criminals seek to exploit the
Figure 2
1. According to a report by Statista, global cost of cybercrime was estimated at some 8.4
trillion U.S. dollars in 2022 (Petrosyan, 2022) and the cost of cybercrime in Latin
2. A survey found that 73% of companies globally had experienced a cyber-attack (Marsh
3. The average cost of a data breach in Latin America was 2.80 million U.S. dollars for 2022
and 2.56 million U.S. dollars for 2021 (IBM Corporation, 2022).
4. The FBI reported that it received 791,790 complaints of suspected internet crime in
5. According to a report by IBM, 83% of organizations studied have had more than one
data breach and the average total cost of a data breach is 4.35 million U.S. dollars as
seen in Figure 3. This number represents a 2.6% increase over last year's average cost
of a data intrusion, which was USD 4.24 million. The average price has increased by
12.7% from USD 3.86 million in the report for 2020 (IBM Corporation, 2022).
Figure 3
The financial impact of a cyberattack on a business can vary based on factors such as
the company's size, the nature of the attack, and the industry in which the business operates.
A cyberattack can result in direct financial losses, such as costs associated with remediation,
regulatory fines, and legal fees. There may also be indirect costs, such as costs associated
with business interruption, brand reputation damage, and consumer loyalty and credibility
loss. Here are six examples of companies in Latin America that have suffered financial losses
due to cyberattacks:
1. Banco de Chile: In 2018, Banco de Chile suffered a cyberattack that resulted in $10
million in losses. The attack involved a virus that infiltrated the bank's computer
systems and caused chaos in the bank's operations; the bank had to temporarily shut down
over 9,000 ATMs and close its branches for several days (Kirk & Ross, 2018).
involved hackers encrypting the company's data and preventing the company from using its
systems, later demanding a ransom payment to restore access (El Universo, 2020).
3. In May 2019, Banco Pichincha, one of the largest banks in Ecuador, suffered a
cyberattack that resulted in an estimated $12 million in losses. The attack involved
hackers using malware to intercept the bank's transactions and transfer funds to
The effects of the assault caused halts across the public sector, including paralyzed
commerce, citizens unable to access public services online, and private companies
unable to submit their earnings or charge the state for their professional services. The
government refused to pay the $10 million ransom demanded by Conti's hackers, but
the infrastructure collapse in the days that followed was far more costly. “The Costa
Rican Chamber of Foreign Commerce estimated losses of more than $125 million in
5. CNT EP: In 2021, the Ecuadorian telecoms firm CNT EP suffered a cyberattack
in which hackers broke into the business's computer systems and disrupted its
operations, particularly its invoicing and customer support systems. The same hackers
demanded a ransom payment of 11 million dollars after breaking into other businesses
in South America; it is not known how much CNT paid (Din, 2021).
released on April 16, 2022, by the ransomware group ALPHV (BlackCat). This is a
Municipality of Quito and the State Attorney General's Office that the initial attack
April 25, 2022, the hackers provided a free download link for all the data allegedly
Ecuador, are likely among the compromised data. If used by a nation-state, criminal
the previous year, which is only a small sample of the cybercrimes that have lately occurred.
(Onofa, 2022) Also, there is a global tendency to target certain industries more than others,
as depicted in Figure 4, with the healthcare, financial, pharmaceutical, technology, and energy
Also, as previously stated, and particularly as seen in the case of the Costa Rican
government, timing is crucial in order to stop these types of cyberattacks correctly. Business
interruption and the time of containment are among the higher costs of experiencing
cyberattacks, and as Figure 5 below illustrates, the average time to detect and contain a data
Figure 5
American businesses, as well as the monetary damages they might bring about.
The increasing number of cyber-attacks and their devastating effects have made cyber
organizations.
interruption, data recovery costs, legal fees, forensic expert services, notification
expenses, credit monitoring expenses (in case it applies), sanctions imposed, and
expertise that can help individuals and businesses manage their reputation in the event
relations advisors and crisis management support. The response advisor, aside from a
public relations agency, may also be a law firm appointed by the insurer to advance an
regulations, such as HIPAA for healthcare and GDPR for businesses operating in the
European Union and, in the case of Ecuador, the Ley Orgánica de Protección de Datos
sales revenue corresponding to the previous fiscal year (Alonso, 2023). Cyber
insurance can help businesses comply with these regulations and can also act as a
financial tool by providing coverage for legal fees and fines resulting from a breach
(AIG, 2019).
4. Cybersecurity Services: Some cyber insurance policies come with additional services
that can help prevent cyber-attacks. These can include vulnerability assessments, call
center services designated to deal with customers, and cybersecurity best practices
5. Peace of Mind: Cyber-attacks are becoming more sophisticated and frequent, and no
mind by providing coverage for financial losses and liabilities that could otherwise
be devastating.
advantage for businesses. In today's digital age, customers and partners are
increasingly concerned about cybersecurity risks, and having cyber insurance can
with all the benefits it comes. It is certainly not an expense, but an investment, which is
getting more expensive as time passes. According to Aon’s Cyber Solutions, which has
received guidance from the main cyber insurers, premium increases of between 20% and
50% are to happen in 2022, and the trends are expected to continue into 2023 (AON, 2023).
Methodology
Using a mixed-methods approach, the study used both quantitative and qualitative
techniques. These included analysis and discussion of online articles and statistics about the
The existing literature on cyber insurance and cybercrime was thoroughly reviewed
in order to perform the study, with a focus on current research and data. This gave the study
a qualitative research approach and a strong basis and made it easier to pinpoint the most
A survey, via Google Forms, was given to a sample of 151 employees located in
Guayaquil and Samborondón in order to get information on how vulnerable employees are
the research in this paper. Descriptive statistics were used to examine the survey data in order
to identify the trends of cybersecurity and their vulnerabilities within Ecuadorian companies.
The first cyber insurance expert who was interviewed was Carlos Miranda, Cyber
Risk Underwriter of Beazley, the second person interviewed was Carlos Chancay, the
Reaseguros S.A.) which is the top reinsurance broker in Ecuador. They provided in-depth
information on the advantages and limitations of cyber insurance as a risk management tool.
They were interviewed by me in order to gain insights into the effectiveness of cyber insurance
in reducing the risks of cybercrime. The experts' replies were broken down into major themes
As demonstrated in the research, there has been an increase in cyber risk since
Covid-19. One of the most significant changes brought about by the COVID-19 pandemic is the
shift towards remote work. With employees working from home, as responded by 60%
(Figure 13) of employees surveyed, businesses have had to rely on digital platforms to
maintain their operations. This has increased the attack surface for cyber criminals, making
it easier for them to exploit vulnerabilities in the IT systems of businesses. According to “El
in Latin America have increased “24% since in during the first eight months of the year,
compared to the same period in 2020.” Furthermore, the growth trend in cyber-attacks is also
reflected in all countries, “led by Ecuador (+75%), followed by Peru (+71%), Panama
Likewise, considering the first eight months of 2022, Kaspersky recorded a total of
817 million attempted attacks in Latin America, representing 2,366 blockages per minute
(39.43 per second). Brazil is the most targeted country in Latin America, followed by
Ecuador: both are on the global list of the top 10 phishing attacks and rank 6th and 8th
In addition to this, the pandemic has also led to an increase in the use of personal
devices for work purposes. This has created further vulnerabilities in the IT systems of
businesses, as personal devices are often less secure than corporate devices. According to the
survey run in Ecuador, 60% of employees admitted to being able to work remotely (Figure
13) and 55% of them revealed they do not have MFA in place as a cyber security measure
(Figure 14), making the companies in question even more likely to fall to one of the 39 attacks
per second and making them unable to buy cyber insurance since they don’t comply with the
prerequisites. This indicates an even greater vulnerability, as managers cannot see who is
accessing the data when they are at the office, there is no assurance that only the employee
user access to sensitive data/information based on the employee's job position, but not by
much; it reflects only a difference of about 9%. This demonstrates that someone who is not
supposed to have access to certain information still has it. And the more people who have
Another factor contributing to the increase in cyber risk is the rise in phishing attacks.
There was a 667% increase in phishing attacks in March 2020, compared to January and
February of the same year (Schwartz, 2020). As shown in Figure 6, phishing is the second
Figure 6
Where do IT professionals see an increase in cyber-attacks and attack attempts following the
COVID-19 pandemic?
Additionally, most of the Ecuadorian employees surveyed for this research were
unaware that the first step when receiving an email is to verify the domain. Nearly 20% of
respondents indicated that they clicked on the link without taking the necessary security
precautions. (Figure 21) It makes sense that 41% of the sample did not believe they were
adequately trained in cyber security, and that a sizeable 31% neither agreed nor disagreed
with this statement, indicating that more than 70% are not knowledgeable about the
significance of cyber security and represent an important threat to the company (Figure 18).
Following this line of thought, it is also notable that most employees surveyed, 56%,
do not know how to respond to a cyber security incident (Figure 20), and most of them
therefore will most likely fail to report it. In addition, the fact that 48% (Figure 22) of
respondents said their employer did not have a plan for a cyberattack calls into doubt the
whether the company had a plan in place (28%), the fact that they are unaware of the plan
Analysis of Interview
Miranda and Chancay, cyber insurance experts who work in the industry. It is clear from the
conversation with them that companies must have solid cybersecurity procedures in place
before they can get cyber insurance. This is because there is a significant demand for cyber
insurance and reinsurers must be choosy about the companies they cover due to capacity
constraints. A cyber form, financial statements, MFA, antivirus and firewall, encrypted
backups, employee cybersecurity training, and others are all requirements for a business to
obtain a quote.
Miranda and Chancay stated that several factors are considered when determining the
premiums for cyber insurance policies, including the quantity of records containing
$20,000; however, for financial institutions, they may begin at $35,000 or more, which is
certainly less than financing a cyber-attack alone, where losses tend to be over a million
dollars.
A specialist call center that is open 24/7 to take client calls and begin the claim
processing procedure is involved in the claims process for a cyber event. The next step is to
hire forensic specialists to ascertain the cause of the data breach, and to manage the claim
more effectively, attorneys and public relations companies are recruited. An experienced
negotiator is also employed to deal with the hacker in the event of business interruption and
ransom demands. Additionally, the insured's year-end financial accounts are examined in
Policies typically feature a sublimit that covers sanctions, fines, and regulatory fines
connected to cyber events. This sublimit is not necessarily stated at the beginning and can be
negotiated. Depending on the sector, this sublimit is normally no greater than 40% of the
total covered amount. Since the Ley de Protección de Datos Personales statute only recently
The fact that e-crime, or the theft of money from a bank by a hacker, is not covered
by cyber insurance coverage is one of its limitations. It is negotiable, though, and reinsurers
To summarize, the interviews conducted have shown that cyber insurance may help
businesses reduce the financial effect of cybercrime, which has considerably escalated since
the COVID-19 epidemic. And governments are indirectly pushing firms to embrace cyber
insurance by enforcing laws that hold companies accountable and may result in losses if
broken.
Conclusions
Who needs Cyber Insurance? All sizes of businesses should think about purchasing
cyber insurance to guard against monetary losses resulting from data breaches, network
interruptions, and other cyber catastrophes. Small businesses may be particularly vulnerable
to cyber-attacks because they do not have the same financial means as bigger firms to handle
the expenses connected with a cyber event. They can get financial protection from cyber
Another group that can profit from cyber insurance is healthcare practitioners since
they keep big volumes of patient data. Data breaches, HIPAA violations, Ecuador’s Ley de
Protección de Datos Personales, and other cyber catastrophes can be financially protected
financial information, these businesses are prime targets for online fraudsters. Losses
resulting from fraudulent transactions, data breaches, and other cyber disasters may be
data as well. Data breaches, network outages, etc. can cause them to have expenses which
Primary services like telecoms networks should also think about it; they are key
infrastructure that houses vast quantities of sensitive data, including customer information,
financial records, and intellectual property. They might be the target of a cyberattack that
have cyber insurance. Also, almost all organizations nowadays depend on the internet in this
digital age. Thus, a cyber-attack might cause serious losses for any kind of company.
cyber security risk management services, are available, according to the review of the cyber
insurance industry and its benefits. This implies that companies of every size and in any
sector may select an insurance plan that suits their requirements and price range.
Cyber insurance offers financial protection in the case of a cyberattack as one of its
main advantages. Many expenses, such as legal bills, economic interruption, and reputational
harm, might be incurred by victims of cyberattacks. Cyber insurance can help businesses
cover these costs, mitigating the attack's impact and allowing them to recover more swiftly
and efficiently.
account the new Ley de Protección de Datos Personales in place and to understand how the
demand will shift, and therefore implement a business plan in companies around the
This paper has demonstrated that, since COVID-19, cyber insurance is a valuable
solution for companies dealing with cybercrime. It may benefit firms in a number of ways,
including financial security, access to professional assistance, and control over reputational
harm. Even if it is not a complete solution, it can add a crucial layer of security against more
frequent and sophisticated assaults. Businesses that store or handle sensitive data, such as
customer, financial, or proprietary information, should think about getting cyber insurance
to safeguard themselves and their clients; as the saying goes, "prevention is better than cure".
Bibliography:
Aarti, G. (2020). Cyber Insurance Market Size, share: Latest coverage and trends 2026.
market
Abrams, L. (2021, August 03). Ecuador's state-run CNT telco hit by Ransomexx
https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-
by-ransomexx-ransomware/
Abrams, L. (2021, October 12). Cyberattack shuts down Ecuador's largest bank, Banco
https://www.bleepingcomputer.com/news/security/cyberattack-shuts-down-
ecuadors-largest-bank-banco-pichincha/
Acanerler, A. (2021, December 06). Top 5 cyber attacks in Latin America in 2021. Retrieved
[PDF]. AIG.
https://www.aig.com.ec/content/dam/aig/lac/ecuador/documents/forms/poliza_de_se
guroderesponsabilidad_civilpara_riesgos_ciberneticos.pdf
https://www.aig.co.uk/content/dam/aig/emea/united-kingdom/documents/Financial-
lines/Cyber/cyberedge-policy-documentation.pdf
Alonso, C. (2023, February 22). Claves de la Ley Orgánica de Protección de Datos
https://www.globalsuitesolutions.com/es/claves-proyecto-ley-organica-proteccion-
de-datos-personales-ecuador/
AON. (2023, February 28). Retos de los Riesgos y los seguros ciber en 2021 [Informe ciber].
Banco Pichincha (Ed.). (n.d.). Qué Es la ley de protección de datos personales en Ecuador.
datos-ecuador-que-es
BBC. (2021, June 02). JBS: Cyber-attack hits world's largest meat supplier. Retrieved 2023,
from https://www.bbc.com/news/world-us-canada-57318965
https://cyberservices.beazley.com/usa/bi_guide/policy_wording.html
us/who-we-are/people/carlos-miranda
https://www.cisco.com/site/us/en/products/security/what-is-malware.html#tabs-
9cfa4a460b-item-b8ba101fed-tab
Colony West. (2019, November 29). A history of cyber liability insurance. Colony West.
Dennis, M. A. (2023, April 5). Cybercrime. Encyclopedia Britannica. Retrieved 2023, from
https://www.britannica.com/topic/cybercrime
Din, A. (2021, July 19). Ecuador's CNT hit with Ransomexx Ransomware attack. Retrieved
ecuadors-corporacion-nacional-de-telecomunicaciones-cnt/
Durbin, D. (2021, June 10). Meat Company JBS confirms it paid $11m ransom in
technology-business-353f8dea34bbbba15207ff350e7a2f0f
El Universo. (2019, September 12). Telconet confirma ataque informático y que ya recuperó
https://www.eluniverso.com/noticias/2019/09/12/nota/7511888/telconet-confirma-
ataque-informatico-ya-recupero-control-sus
https://www.eluniverso.com/noticias/2020/08/20/nota/7957775/seguros-
equinoccial-confirma-ataque-cibernetico-trabajadores
Ellerbeck, S. (2022, July 26). Nearly half of organizations are being hit by economic crime,
with cybercrime the gravest threat. what can they do about it? World Economic
cybercrime-financial-business/
Federal Bureau of Investigation. (2021). Internet Crime Report (Rep.). Retrieved 2023, from
https://www.fcc.gov/communications-business-opportunities/cybersecurity-small-
businesses
Fleck, A. (2022, December 02). Infographic: Cybercrime expected to skyrocket in coming
cybercrime-until-2027/
FTC (Ed.). (2015, June 26). Choicepoint settles data security breach charges; to pay $10
million in civil penalties, $5 million for consumer redress. Retrieved 2023, from
https://www.ftc.gov/news-events/news/press-releases/2006/01/choicepoint-settles-
data-security-breach-charges-pay-10-million-civil-penalties-5-million-consumer
HUB International Limited (Ed.). (2022, January 10). Hub International Limited. 150 N
riverside plaza, 17th floor, Chicago, IL 60606. HUB International. Retrieved 2023,
from https://www.hubinternational.com/blog/2022/01/common-cyber-security-risks-
for-businesses/
IBM Corporation. (2022, July). Cost of a Data Breach Report 2022 (Rep.). Retrieved 2023,
IMARC (Ed.). (2023). Cyber Insurance Market Trends, share, size, growth 2023-2028.
InsightAce Analytic. (2023, March 22). Cyber Insurance Market set to surge significantly and
from https://www.globenewswire.com/news-
release/2023/03/22/2632372/0/en/Cyber-Insurance-Market-Set-to-Surge-
Significantly-and-Expected-to-Grow-at-a-CAGR-of-23-78-to-2031-InsightAce-
Study.html
Insikt Group. (2022, June 14). Latin American governments targeted by ransomware.
targeted-by-ransomware
Jiménez, J. (2022, October 11). Latam suffers 1,600 cyberattacks a second. Retrieved 2023,
from https://www.mapfre.com/en/insights/insurance/latam-cyberattacks/
Kaspersky. (2022, July 01). What is hacking? and how to prevent it. Retrieved 2023, from
https://www.kaspersky.com/resource-center/definitions/what-is-hacking
Kaspersky. (2022, November 17). Panorama de amenazas américa latina. Retrieved 2023,
from https://latam.kaspersky.com/blog/panorama-amenazas-latam-2022/25509/
Kirk, J., & Ross, R. (2018). Banco de Chile loses $10 million in swift-related attack.
in-swift-related-attack-a-11075
Köller, J. (2023, March 17). Cyber Insurance Requirements: Everything You Need to know
Maheshwari, R. (2023, March). Insurance: Definition, how it works and main types of
https://www.forbes.com/advisor/in/insurance/what-is-insurance/
Marco J. Vassallo, C. G. (n.d.). The importance of cyber security in the post Covid-19 World.
importance-of-cyber-security-in-the-post-covid19-world.html
https://www.marsh.com/us/insights/research/cyber-insurance-in-latin-america.html
addresses-key-trends.html
May, S. (2022, October 12). 5 requirements to get Cyber Insurance. Retrieved 2023, from
https://aldridge.com/5-requirements-to-get-cyber-insurance/
Momentum. (2021, September 13). Productos " Momentum Re Insurance. Retrieved 2023,
from https://momentumreinsurance.com/productos/
Morris, R. (2021). History of cyber insurance. Marsh Commercial. Retrieved 2023, from
https://www.marshcommercial.co.uk/articles/history-of-cyber-insurance
cybersecurity.html
National Cyber Security Centre. (2020). Cyber Insurance guidance. Retrieved 2023, from
https://www.ncsc.gov.uk/guidance/cyber-insurance-guidance
Nelson, C. (2022, January 12). What is information technology (IT)? University of Phoenix.
technology.html
Onofa, M. (2022, June 30). Cyberattacks threaten security in Ecuador. Retrieved from
https://dialogo-americas.com/articles/cyberattacks-threaten-security-in-
ecuador/#.ZDTmxi-xBpQ
Pasquadibisceglie, M. (2022, December 19). The future of digital identity in Latin America:
digital-identity-latin-america-2023/
Petrosyan Ani Petrosyan, A. (2023, April 05). Covid-19: Increase in cyber attacks 2021.
in-cyber-attacks/
worldwide/
ProWriters. (2022, November 22). Cyber Insurance history. ProWriters. Retrieved 2023,
from https://prowritersins.com/cyber-insurance-blog/history-cyber-insurance/
PWC (Ed.). (2022, April 22). Cybercrime poses biggest threat to businesses – as the impact
https://www.pwc.com/bm/en/press-releases/pwcs-global-economic-crime-and-
fraud-survey-2022.html
Rosch, C. (2022, June 01). A massive cyberattack in Costa Rica leaves Citizens Hurting.
hurting/
Schwartz, S. (2020, March 26). Coronavirus phishing attacks up 667% since February,
malware-coronavirus/574888/
The Hartford (Ed.). (n.d.). Types of business insurance every business needs | the Hartford.
insurance/types-of-insurance
Vantage Market Research. (2023). Cyber Insurance Market - Global Industry Assessment &
report/cyber-insurance-market-1476
Voz de America. (2021, October 15). El mayor Banco de Ecuador sufre un ciberataque.
sufre-ciberataque-/6272549.html
Zerlang, J. (2022, July 21). Council post: The pandemic's lasting effects: Are cyber attacks
https://www.forbes.com/sites/forbestechcouncil/2022/07/20/the-pandemics-lasting-
effects-are-cyber-attacks-one-of-them/?sh=13992b1c2b76
Zurkus, K. (2018, June 12). Bank of Chile suffers $10m loss. Retrieved 2023, from
https://www.infosecurity-magazine.com/news/bank-of-chile-suffers-10m-loss/
Annexes
Annex A
Figure 7
Please select the response that best describes the industry in which your company is active
surveyed, the top industries were: Insurance, Food, Education and Medical.
Figure 8
Figure 9
Does your company require users to change passwords on at least a quarterly basis?
Figure 9 shows that the majority of respondents indicate that their company
does not require password changes at least once every quarter, which demonstrates the
Figure 10
Does your company require strong passwords for administrator rights e.g. 10 characters using
strong passwords for administrator rights, including a mix of alphabetic, numeric, and other
characters. However, the difference is small: it can be said that almost half have the
requirement and half do not. Still, the majority are not obligated to do it, and therefore
there is a clear vulnerability.
Figure 11
in a web browser, meaning that when the wrong person gains access to their devices, it would
Figure 12
Figure 13
Figure 13 shows the majority of respondents report that their company allows
Figure 14
two-factor authentication.
Figure 15
Figure 15 shows the vast majority of respondents have anti-virus software installed
on their computer.
Figure 16
Figure 17
Figure 17 shows most respondents report that their company restricts user access to
sensitive data/information based on the employee's job position, but not by much: it reflects
only a difference of about 9%. This demonstrates that someone who is not supposed to
have access to certain information, since it is not needed, still has it. And the more people who
Figure 18 shows most respondents feel that they have not received sufficient
training in cyber security at the company, with the majority disagreeing that they were
taught enough.
Figure 19
Figure 20
security incident.
Figure 21
Figure 21 shows a majority of respondents indicate that they check the examine the
Figure 22
Does the company you work for have an incident plan regarding a cyber-attack?
Figure 22 shows a significant number of companies do not have an incident plan in
Figure 23
Figure 23 shows the majority of respondents do use the same password for multiple
online accounts. However, the difference is small; it could be said that half of the sample
Figure 24
department.
Annex B
Interview
Question 1: What are the prerequisites that a business needs to enforce in order to be
Carlos Miranda commented that it is not only a matter of whether a business can buy; to
even be able to get a quote from a reinsurer, there already needs to be well-implemented
cyber security, since the demand for the product is so high, and the capacity of the reinsurers
• MFA (Multi factor authentication) implemented on all access including but not
limited to:
• Encrypted Backups
They would also need financial statements and a questionnaire from the company.
These are global standards for having access to cyber insurance; it is not limited
cyber security measures, complete the cyber form, which must be positive, and submit
financial statements. Implementing good security measures is important: entities that
handle third-party information must understand that properly safeguarding such
information means having their customers in mind, and also that customers
are inclined to trust companies that are responsible with their data. Therefore, this is reflected
in a good financial position of the company, and it is in their own interest.
Question 2: How does the underwriter determine the premium for cyber insurance
policies?
Carlos Miranda commented that there are many factors that are taken into account in order
to quote, but some of the main ones are: the number of PII (Personally Identifiable
Information) records; to what extent the company invests in its cyber security; whether it
follows the prerequisites mentioned above; and the type of industry in which it operates. It is
not the same to quote a wholesaler as a call center or a credit card issuer; the latter has more
information and a higher risk, and therefore higher premiums. He commented that premiums
usually go up from US$ 20,000 in most cases for a sum insured between US$ 500,000 and
US$ 1,000,000.
Carlos Chancay commented that it depends on the level of data or records kept by the
entity to be insured and the limit they wish to contract. As secondary factors, additional
coverages such as payment of fines and penalties or expected deductibles also influence the
price. Minimum risk premiums tend to be as low as US$ 20,000 for industries that are not
the most vulnerable, while more sensitive lines of business, such as financial institutions,
hospitals, call centers, payment processors, etc., would see premiums above US$ 35,000 for
incident?
Carlos Miranda commented that in the case of Beazley, they have a specialized call
center that is available 24/7 in order to receive calls from customers and start the claim
handling process. It then proceeds to hire forensic experts to understand where the data
breach started, and lawyers and public relations firms so the company can deal with the claim
more efficiently. And in the case that their client is suffering from business interruption and
the hacker is asking for a ransom in exchange, they also proceed to hire an expert negotiator to
Carlos Chancay mentioned that the first step is the notification of the loss. Secondly,
an adjuster or a forensic expert or lawyer should be appointed to see if there really is a cause
for coverage. After that comes the support of the documented losses: in case the loss is due
to business interruption, a due analysis of the financial statements of the previous fiscal year
must be made to determine how much the loss of income per day is and therefore determine
the loss of profits. In the same way, you can also contract a sublimit to cover the loss of profits
of companies that depend on your services to operate, in case they decide to sue you. As the
risk and the loss are technical, it is extremely important to have the advice of the insurance broker that
Question 4: How does the policy address regulatory fines and penalties related to
cyber incidents?
Carlos Miranda commented that policies usually tend to have a sublimit that covers
penalties, sanctions, and regulatory fines. It tends to not be higher than 40% of the sum
insured and, depending on the industry, is not always given at the start. Usually, clients need
to negotiate in order to have that sublimit; it is not usually given at first offer.
Carlos Chancay mentioned that it is a sublimit that can be contracted, and it is a value
that can be accrued once it is legally proven that the company or the insured that has the cyber
policy is responsible for that disclosure of data and therefore has to pay a penalty to the
state for not complying with the law. In the case of Ecuador, with the new law of protection
of personal data in force, that can mean up to 1% of billing for misuse and also covers legal
Question 5: Are there any specific exclusions or limitations in the policy that I should
be aware of?
usually not given at first offer, which is E-crime. He mentioned that, as cyber insurance is
about the theft of data by cyber-crime, it doesn't actually also include the theft of cash from
the bank by the hacker. However, if negotiated and needed, the reinsurer may include a sublimit of e-
Carlos Chancay mentioned that the insured or the contracting party of the policy
should always keep in mind and review the document in its entirety to be clear about the
scope and limitations of the policy. The theft of physical money due to physical and on-site
hacking of a technological device, for example a bank vault, is not covered, since that is the
interest of another insurance policy, and the client should be aware that the main nature of