AUTHOR: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR
There’s digital gold in your data storage units, computers, networks, and clouds. There is also a large portion of your reputational capital, liability of multiple kinds, and quite possibly the economic viability of your enterprise. With all this at stake, protection against IT incidents and accidents is a priority. However, data backups and IT security measures can only handle so much. Cyber security insurance can help shield your business against the rest.
What is Cyber Insurance?
Cyber insurance is insurance for organizations and individuals against Internet-based risks. More generally, it may also cover risks related to IT assets and their usage. As with other kinds of insurance, cyber insurance allows you to transfer your risk to somebody else (the insurance company), instead of eliminating, mitigating or simply accepting it within your enterprise. On the other hand, it often differs from traditional business insurance products, which tend to exclude Internet and IT-related risks.
The Current Need for Cyber Insurance
The perfect IT security solution does not exist. Even near-perfection in IT security comes with a price tag that is too high for most organizations. True, judicious use of IT security technologies and procedures can keep attackers out for a long time, but new cyber security threats arise every day. Cyber insurance can help compensate losses sustained as the result of an attack. A recent Ponemon Institute report put the average consolidated total cost of a data breach at $4 million.
Benefits of Cyber Insurance
Cyber insurance spreads the cost of compensation over all cyber-insurance policy holders. Those with bigger risks pay more than those with smaller ones. Paradoxically, cyber insurance may also help prevent such attacks from succeeding in the first place. The explanation is that cyber insurers insist on certain minimum standards of security in a customer’s IT installations before agreeing to accept the customer’s risk.
Cyber Risk and Aggregations of Cyber Risk
Today’s IT installations are highly connected, especially when they link via the Internet. This affects the calculation of cyber risk. Cyber insurance differs from traditional business insurance by having a significantly wider span of risk, but also by having less historical data to draw on. To help position and determine levels of risk, cyber insurers may aggregate cyber risks by categories such as:
- Internal enterprise IT
- Counterparties and partners
- Outsourced and contract
- Supply chain
- Disruptive technologies
- Upstream infrastructure
- External impacts (from the systems of others)
Lack of industry information obliges cyber insurance companies to scrutinize customers even more closely before proposing a policy. Your enterprise may have to accept invasive security assessments and disclose information you would normally consider confidential. Claims for compensation may also be more difficult to resolve.
Only your cyber insurer can tell you exactly which risks are covered and to what degree. However, cyber coverage tends to be composed of four categories of risk: errors and omissions (in the services you provide), media liability (like infringement of intellectual property), network security, and privacy. Coverage of first party costs (costs you sustain directly) and third party coverage (for example, for claims against you) will depend on the category and the insurer’s policy.
Limitations and Exclusions
When first party and third party costs are included, the maximum compensation may be limited by the terms of the policy. Limitation may apply in terms of money paid out, or in terms of the time a prejudice is suffered: for example, system outage must last for at least eight hours for cyber insurance coverage to apply. Common exclusions (no coverage) include reputational damage, loss of future revenue, expenses to improve security systems, and loss in value of intellectual property. Their impact can be sizable. For example, cyber insurance coverage for the 2015 Anthem health insurance breach was approximately $100 million, but estimates of real costs were up to ten times as much.
What to Look for as a Cyber Insurance Buyer
A cyber insurance policy must have explicit descriptions of coverage for first and third party claims. The coverage must match the needs of your enterprise. Coverage of immediate expenses following a cyber or IT incident is a case in point. Crisis management, public relations firms, incident investigation, repair and disaster recovery of system, and direct loss of business income should all be included. Be aware that many cyber insurance companies place restrictions on the crisis coach or incident response handler your enterprise can use. Specific candidates or flexibility in choosing them will therefore need to be agreed upfront. Your broker has a bit of leverage during underwriting to include your security partner in that coverage, but again this needs to be discussed upfront.
What Insurers Look for when Deciding Coverage
A cyber insurer must identify the risks associated with your enterprise, if it is to accurately calculate a policy premium. The industry sector, geography, size, solutions supplied, and security posture are all data that must be made available, as a minimum. Track records of incidents and previous claims may be examined as well. Laurie Schwarz, Vice President of Lockton, an insurance broker specializing in cyber insurance, points out that cyber insurance premium prices also depend on the kind of data and the volume of data handled by an enterprise. After an assessment, the annual premium price for suitable coverage for a smaller business with revenues of less than $100 million per year might be in the range of $2500 to $4000. As enterprises get larger, premium prices tend to rise, but so does the total level of coverage sought, which at the upper end may amount to several hundred million dollars.
Making the Business Case for Cyber Insurance
Cyber insurance, like enterprise insurance in general, is a question of business continuity. This is turn is governed by business impact analysis. The bigger the negative impact to the business, the more important it is to have a solution in place to absorb or avoid that impact. Larger budgets may then be justifiable in terms of premiums for cyber insurance policies. Conversely, being the proud owner of a cyber insurance policy may make your enterprise more attractive to customers who see this as a sign of better risk management.
And the Future of Cyber Insurance?
As enterprises move IT systems and data towards the cloud, on premise risk becomes smaller and cloud provider related risk becomes larger. While early cloud business model failure now seems less likely, recent denial of service attacks using the Internet of Things show how even large cloud providers could be brought to a standstill. At the same time, insurance data and insurance analytics are growing, making cyber insurance more “off-the-shelf” and creating more opportunities for smaller organizations to benefit from protection through cyber insurance too.