The regular occurrence of data breaches is pushing organizations to think more seriously about updating their risk management policies. With that in mind, we look at the top ten things you need to know about cyber insurance, which is fast becoming a business necessity.
Cyber insurance is a term that has been bandied around the information security sector in the last 18-24 months, but during this time it has divided opinion. Some have described it as a necessity, an essential layer of protection for enterprises, while others have dismissed it as a hyped-up product with overinflated prices, confusing terms and very mixed levels of coverage.
Given the number of news and analysis stories around this emerging trend you could be forgiven for thinking that cyber insurance is a one-size-fits-all product, but that is far from the truth. In reality, it should be treated as an add-on to good security and compliance, and not as a standalone product that will make your business secure.
It should be noted too that policies themselves are not without fault, with many containing exclusions for certain cases.
With cyber insurance, there are two main types of coverage. The first covers “first-party” risks, which essentially means the loss or damage to your own data. The second type covers “third-party” risks, which involves liability to clients, government and regulatory entities.
Cyber insurance is not actually that new, with some of the first policies emerging in the late 1990s due to the rise of the internet. However, as Ross Brewer, vice president and managing director for LogRhythm, explained towards the end of 2014, the market was initially slow to take off as the online world was still in its infancy.
Not anymore. The internet is now much more mature and all types of organizations are active on the web, exposing businesses to new opportunities and threats.
As Mr. Brewer noted last year: “It makes sense that businesses would want to have the greatest level of protection as the aftermath of a serious breach could be akin to a large-scale burglary.”
As mentioned above, these kinds of policies should always be viewed as a supplement, not a substitute, for good information security and governance.
Insurers have also recognized this with many actually offering heavily discounted premiums to companies that are seen as having respectable security practices. Most policies now detail that a policy can only be taken out if the client has proved they have met “minimum required security practices”.
It’s a sign of an early and immature market that cyber insurance premiums fluctuate wildly with the breaking news of data breaches.
As just one example, shortly after the data breach at US health insurer Anthem late last year, We Live Security heard of some cyber insurance premiums rising by as much as 40 percent for new policyholders – even though there were no changes to their own personal circumstance.
Cyber insurance policies have endless terms and conditions (T&Cs), and are very particular about what they do and don’t cover by way of risk.
For example, policies may not cover the loss of unencrypted data, or data sent (and then lost) by third-party contractors. Identity monitoring and data restoration services may also be excluded, as may breach notification services.
Third-party and fourth-party contractors are always a risk as far as security is concerned, with far too many breaches owing to excessive privileges, or an attacker exploiting a weakness further down the enterprise chain. The Target data breach of 2013 is a classic example, as attackers initially compromised the retailer’s air conditioning contractor.
Today, procurement officers at some companies have started requiring their vendor companies to have a cyber insurance policy in place as a way of ensuring that those vendors have done their security homework and have coverage. The service-level agreement (SLA) won’t go ahead, otherwise.
It is worth noting that cyber insurance is unlikely to cover all losses from a breach, and especially against one type of loss that often gets forgotten in the aftermath of a security incident.
That loss is specifically brand reputation, which often takes a dip after the event. Companies will still lose an average of four percent of customers as a result of a breach, which will definitely not be covered.
One of the few benefits of the market’s immaturity is that policies are more negotiable than other types of insurance. Executives and business leaders need to bear that in mind when it comes to renewal time.
Cyber insurance can be especially helpful for small businesses, as a significant percentage of them are high-risk cases because they cannot cover the costs (plus loss of reputation) of a breach.
However, as the UK government noted in a paper titled UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk, 22 percent of small businesses have no idea where to start when it comes to protecting their enterprise in the event of a cyberattack. A lot more education is needed.
Security experts are split on cyber insurance and its place in business, with just as many arguing that it is a useless add-on as an essential business enabler.
Earlier this year, PwC predicted that the global cyber insurance market could grow to US $7.5 billion (£4.8 billion) in annual premiums by 2020. Some months later, however, a KPMG study indicated that these policies were not overly trusted by business leaders.
Based on a survey of senior information security professionals from organizations which are members of KPMG’s International Information Integrity Institute, 74 percent of businesses had no cyber insurance.
Mistrust of insurers honoring policies appeared to be one challenge, while 30 percent believed that the market was not sufficiently mature for them to adopt cyber insurance.
Author Editor, ESET