Cyber insurance: what is it, do I need it, and what does it cost? Those are just some of the questions around cyber insurance.
Cyber security is not just a technology matter; it involves the whole business and how well risks are managed. Today a firm must understand its inherent risk, its risk mitigation and its residual risk. Cyber insurance is a vehicle for transferring part of the firm’s residual risk to an insurance provider.
Cyber insurance is seen as a way to protect a firm from cyber security risks, for example ransomware encrypting the client data folders. Insurance policies are not standard. Policies differ between large and small firms, as each has different levels of risk to protect against.
Policy pricing varies greatly from firm to firm based on risk. As an example, most ransomware attacks are focused on small and mid-sized firms (presumably because the success rate is higher), so compensation for the resulting loss is increasingly of interest to smaller businesses. Smaller firms should ask themselves whether they would do better to invest the premiums in user-awareness training, newer technologies on the network perimeter and more sophisticated storage and backup regimes – particularly when examining the many exclusions and exceptions in the fine print of cyber insurance policies.
Most large firms already have cyber insurance in place. These policies can be complex and there is often significant overlap with other policies. Many have substantial exclusion clauses designed to limit the circumstances in which the insurer will pay out.
Risk categories identified in policies include:
- Data Breach
- Denial of Service
The costs covered may include rectification of the vulnerable environment through incident response, the costs of disclosure, lawsuits and other consequential loss.
Cyber insurance liabilities are categorized as third-party or first-party costs and damages. Third-party liabilities are losses incurred by a company other than the firm taking out the policy. An example would be a VOIP provider installing a device in a firm's environment in such a way that it allows an attack to occur.
First-party liabilities are those incurred directly by the insured firm; for example, when a firm is hacked and data is stolen. In such a case there may be different types of damage, such as the cost of replacing or recovering the data, notifying those affected, repairing the environment or the data, and sometimes even damage to the company's reputation. The Target breach in December 2013 is a good example of dramatic financial and brand damage resulting from an intrusion.
Buyers need to look carefully at the risks they wish to protect and the insurance products that are available to provide cover.
Top buying tips
- Carefully consider the risks your firm wishes to protect against. Are they first-party or third-party liabilities or maybe both?
- What level of coverage is needed for the activities the firm performs?
- Investigate available policies with the help of a broker. Most firms already have various policies in place, so it is probably better to go to the incumbent broker or insurer for advice.
- Understand the exceptions in the policy. Create a list of the circumstances when the insurer will not pay out.
- Understand the cost of the insurance. Can this be passed on as part of the cost of doing business?
- Weigh whether the costs of the policy offset the risks being covered, particularly if it is heavily conditional. In other words, is internal staff education and self-insuring a better option?
- If dealing with IT suppliers such as vendors or resellers, should companies ask questions about the type of cyber insurance those partner firms have in place? This is a common practice in relation to some forms of insurance.
- Consider if the policy covers new risks as well as existing or known risks. To use a medical example, it’s the difference between being covered for a pre-existing condition and a new ailment.
- Investigate whether policy costs can be reduced if certain security controls and technologies are in place. This is a bit like an insurer that provides a discount if you have an alarm system on your house.
- Determine if there is overlap with professional indemnity or other liability insurance that is already in place or is being considered.
Avoid the overlap
Care needs to be taken to avoid paying for the same cover twice. There is often overlap between professional indemnity insurance or other liability cover and cyber insurance policies. Aside from wasting money, having double cover for the same risks may result in invalidating one or both of the policies unless fully disclosed at the outset. Insurers are historically uncomfortable having a second firm or policy protecting against the same risks.
Exclusion clauses are the big issue in many cyber insurance policies. Because the risks that are being protected against are often difficult to predict and are in new and inherently complex areas, insurers go to some lengths to exclude risks.
Obtaining protection against fire or flood is straightforward. Companies and insurers understand these risks. In contrast, global security teams at both Verizon and Symantec agree that in 2017, 419 million new malware threats were released into the wild. That’s close to one million new forms of malware released every day of the year. Will a particular insurance policy cover zero-day attacks? In other words, will it cover a new type of attack not previously seen and, as such, not referred to in any cyber insurance policy?
A data breach study sponsored by IBM concluded that 43 percent of data loss results from internal actors, of which 50 percent was intentional and 50 percent accidental. Firms considering cyber insurance need to understand how the policy deals with breaches that result from employees or contractors. Are they covered or excluded? If excluded, then based on the Intel stats, this could exclude a large group of potential breaches from being covered.
Another tricky question: does cyber insurance cover pre-existing breaches the organization doesn’t know about? FireEye’s M-Trends report found that in 2017 the average time it took a company to detect an advanced persistent threat on its corporate network was 99 days. The average detection period improves each year, but it is still a long time.
For potential purchasers of cyber insurance, this means they may be making declarations to the insurance company that there are no breaches in their networks when in fact a bad actor has been sitting inside for months. This raises questions: should they have known about the breach, could they have done more to discover it, what is their security posture and do they need to get a vulnerability assessment done before taking out the insurance? These can be difficult questions to answer.
Insurance law imposes heavy obligations on both insurer and insured to make full disclosure. The legal principle of “utmost good faith” applies. It is possible that a pre-existing intrusion, which the organization was not aware of but should have been, may lead to a denial of cover.
What are the circumstances in which the insurer will refuse to pay out? The exclusion clauses are often far-reaching and difficult to understand. In many policies, the cost of the insurance is significant but the circumstances in which the insurer will pay out are narrow. Some of the most common exclusions and exemptions are:
- Failure by the firm to ensure employees and contractors are aware of security issues and the risks their behaviors can create for company and customer data.
- Failure by the firm to maintain an adequate regime to ensure basic security controls are current and are consistent with best practice.
- Failure to disclose pre-existing risks that have been revealed in vulnerability assessments or penetration testing exercises but have not been fully or effectively rectified.
Cyber insurance policies have been around for more than a decade, but only recently have the threat landscape and the volume and sophistication of threats and threat vectors changed so dramatically that these policies are now being considered more widely.
Many cyber insurance policies are so heavily conditional that they are not a great investment. In many cases, they do not cope well with the rapidly changing nature of security threats and with the speed at which new attacks can be developed and released by bad actors.
So what is the best deal? In my professional opinion, although insurance may benefit large companies, it is not worth the investment for smaller businesses. A smaller company would have more success skipping the expensive insurance costs and increasing its own security. In the long run, it would be less costly, more efficient, and more helpful to the company.