Cyber Insurance – Who Needs It and Why?
The costs of a data breach are on the rise. According to Ponemon’s 13th annual Cost of a Data Breach Study, the global average costs of a breach rose 6.4 percent over the previous year to $3.86 million in 2018. During that same period, the average cost for each lost or stolen record containing sensitive or confidential information increased 4.8 percent to $148.
To protect themselves against these rising costs, companies are turning to cyber insurance in droves. German reinsurance giant Munich Re said that the insurance market protecting companies against digital threats will likely double by 2020 to over $8 billion, as reported by Security Week. Given this forecast, many companies will undoubtedly purchase cyber insurance for the first time within the next few years. To help them get started, I’d like to provide some best practices for purchasing a policy.
What Is Cyber Insurance, Anyway?
For organizations to get a policy that fits them, it’s important that they first have a clear understanding of cyber insurance and the types of coverage that are available.
CIO defines cyber insurance as a means to “help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event.” As noted by the European Union Agency for Network and Information Security (ENISA), cyber insurance coverage generally falls into three categories as follows:
- First-party coverage: Direct losses resulting from data destruction, extortion, theft, hacking and denial-of-service attacks, including forensic costs to determine the cause and extent of a breach or network event; business interruption costs; data restoration costs; cybercrime direct losses; cyber extortion threats; public relations expense to manage reputational damage; legal expenses to determine notification requirements and letter content; notification costs; and call center and/or credit monitoring costs
- Third-party coverage: Losses and costs incurred by other entities including liability claims and fines. It offers protection for the tech and IT companies and independent contractors who were responsible for the safe storage of data, including legal fees associated with lawsuits resulting from the loss, misuse, or breach of data.
- Other benefits: Costs and services associated with regular security audits, post-incident public relations, investigative expenses, and criminal reward funds.
While the policy terms tend to vary little, the premiums companies pay can vary quite a bit. To evaluate and assess the risks associated with an insurance policy, and therefore determine the premium to be paid, insurers commonly use an underwriting questionnaire. Insurers ask targeted questions that oftentimes refer to industry standards such as the Center for Internet Security’s 20 Critical Security Controls. These security measures cover hardware and software inventories, security configurations, continuous vulnerability assessment and other security fundamentals that insured organizations should be implementing in order to mitigate their digital risk.
The Benefits and Limitations of Cyber Insurance
Narayanan Iyer, our Corporate Controller here at Lastline, has negotiated cyber insurance policies on behalf of Lastline as well as several prior employers. He notes that many organizations are candidates, and they have an incentive to purchase cyber insurance in order to cover the expenses associated with the costs listed above resulting from a data breach:
Generally, it doesn’t matter what type of business you have – any business that collects data is a candidate for a breach and therefore for cyber insurance. For example, we, as a security company, have banks as customers, and our banking customers may require that we have the insurance as we have access to their network and email data. At the same time we are an account holder with our own bank, and we may require that our bank has insurance as they have access to our banking data. It goes both ways.
While it’s simply a good business practice to have this coverage, customers often demand that their vendors have cyber insurance for one of two reasons: 1) to decrease the risk of an important vendor going out of business as a result of a data breach, or 2) to increase the likelihood that they, the customer, can actually receive compensation should the vendor suffer a breach – companies found liable simply may not have adequate capital on their own to pay regulatory fines plus compensate all impacted customers.
Tom Kang, Global Cyber Product Leader (FINEX) at Willis Towers Watson, a global advisory, broking and solutions company, agrees that cyber insurance is useful in allowing organizations to understand and make business decisions based on their digital risk. But he notes that the business world is still hampered by an overarching misunderstanding about what constitutes cyber risk and the kinds of losses that can result from it. As a result, some businesses “believe that cyber insurance is protection against any risk that has to do with a computer or that coverage is limited to risks associated with computers.” He said this is far from true.
Indeed, organizations need to be aware of several potential pitfalls when it comes to purchasing a cyber insurance policy. Thompson Hine LLP found that many policies have exclusions for the insured entity’s failure to maintain security standards, for example. In other words, the insurer can deny claims if they determine that the policyholder didn’t have adequate security measures in place. Additionally, most policies cover claims that are made only during the policy period, while some plans have lower policy limits for particular types of coverage. Then there’s the common practice of insurers denying claims or seeking to rescind coverage if they discover that the insured committed errors or failed to include certain information in completing and/or submitting their insurance policy application.
How to Purchase a Policy That’s Right for You
According to Kang, the best way for companies to get started in purchasing a cyber insurance policy is to find the appropriate cyber insurance marketplace, as some marketplaces have minimal requirements based on a company’s size of operations and industry class. It is then that companies must take care of their risk assessment. As he explained:
Organizations must understand what their level of risk exposure is and more importantly have brokers quantify that exposure with sophisticated analytical tools in order to determine what and how much coverage they need to buy. You want to make sure you are buying an appropriate amount of coverage based on your overall risk strategy.
Companies are encouraged to ask providers about any tools they offer to help them understand and mitigate their risk. This could include, but is not limited to, online training, resources to be used with employees, lists of security product and service providers, technical information on how to respond to a breach or even a “breach coach.”
Where most companies falter when it comes to choosing the right policy is that they’re doing so for the wrong reasons – simply to check a box to satisfy a customer requirement or compliance issue. Instead, risk officers looking to purchase cyber insurance need to engage with IT which understands the company’s risk profile: what data they have, where and how it’s stored, security measures that are in place, etc. If you don’t know what your risk is, it’s not possible to mitigate that risk with the appropriate policy.
Next, organizations should look for certain provisions within a cyber insurance policy. Law firm Atkinson, Andelson, Loya, Rudd & Romo recommends that organizations limit their policy so that it matches the total exposure of the liability they would face in the event of a breach. So, fitting the policy to the company’s risk profile. There’s no use paying for greater liability than is necessary, after all. The firm also urges organizations to consider purchasing a policy with retroactive coverage, which means the insurance can protect them against data breaches that occurred before the policy took effect. Also consider coverage for third-party vendors if you use other companies to collect, analyze or store its private information.
Organizations must then fulfill certain business responsibilities once they have the right cyber insurance policy in place. Here’s Kang on one of these important obligations:
Cyber insurance decision makers need to regularly, at least on an annual basis, inform the board of their risk exposure and risk retention, mitigation and transfer strategies. They need to keep them up-to-date on the risk landscape and the steps being taken to manage or avoid exposures.
The conversations identified by Kang need to include risk and not just cybersecurity. After all, the issue of cyber insurance is not just about compliance. It’s an issue that should involve the entire organization including IT, the board, finance, legal, HR, risk managers, and business leaders.
Cyber Insurance Is Only Part of the Solution
Organizations need to approach cyber insurance with the purpose of proactively measuring and managing their cyber risk. If they embrace this mindset, organizations won’t make the mistake of treating cyber insurance as a cure-all solution or a checkbox. Instead, they’ll make a comprehensive risk management program where risk transfer is one part, not the only part, of the solution.
The marketplace for such policies is growing, and the types of available coverage are advancing to respond to evolving risks. With the right approach, organizations should have no trouble finding out which coverage options work for them. It’s then just a matter of selecting the right policy and tailoring it to fit their business requirements.