The regular occurrence of data breaches is pushing
organizations to think more seriously about updating their risk management
policies. With that in mind, we look at the top ten things you need to know
about cyber insurance, which is fast becoming a business necessity.
Cyber insurance
is a term that has been bandied around the information security sector in the
last 18-24 months but during this time it has divided opinion. Some have
described it as a necessity, an essential layer of protection for enterprises,
while others have dismissed it as a hyped-up product with overinflated prices,
confusing terms and very mixed levels of coverage.
1. There are two types of cyber insurance
“Cyber insurance is an add-on to good security and compliance, not a standalone product.”
Given the number of news and analysis stories
around this emerging trend you could be forgiven for thinking that cyber
insurance is a one-size-fits-all product, but that is far from the truth. In
reality, it should be treated as an add-on to good security and compliance, and
not as a standalone product that will make your business secure.
It should be noted too that policies themselves are
not without fault, with many containing exclusions for certain cases.
With cyber insurance, there are two main types of
coverage. The first covers “first-party” risks, which essentially means the
loss or damage to your own data. The second type covers “third-party” risks,
which involves liability to clients, government and regulatory entities.
2. Policies have been around for years
Cyber insurance is not actually that new, with some
of the first policies emerging in the late 1990s due to the rise of the
internet. However, as Ross Brewer, vice president and managing director for
LogRhythm, explained
towards the end of 2014, the market was initially slow to take off as the
online world was still in its infancy.
Not anymore. The internet is now much more mature
and all types of organizations are active on the web, exposing businesses to
new opportunities and threats.
As Mr. Brewer noted last year: “It makes sense that
businesses would want to have the greatest level of protection as the aftermath
of a serious breach could be akin to a large-scale burglary.”
3. Good security will reduce your premium
As mentioned above, these kinds of policies should
always be viewed as a supplement to, not a substitute for, good information
security and governance.
Insurers have also recognized this with many
actually offering heavily discounted premiums to companies that are seen as
having respectable security practices. Most policies now stipulate that cover
can only be taken out if the client has proved they meet “minimum required
security practices”.
4. Premiums still fluctuate heavily
It’s a sign of an early and immature market that
cyber insurance premiums fluctuate wildly with the breaking news of data
breaches.
As just one example, shortly after the data breach
at US health insurer Anthem late last year, We Live Security
heard of some cyber insurance premiums rising by as much as 40 percent for new
policyholders – even though there had been no change in their own
circumstances.
5. There are numerous exclusions
Cyber insurance policies have endless terms and
conditions (T&Cs), and are very particular about what they do and don’t
cover by way of risk.
For example, policies may not cover the loss of unencrypted data, or of data
sent (and then lost) by third-party contractors, while identity monitoring,
data restoration and breach notification services may also be excluded.
6. Cyber insurance is becoming a priority for third parties
Third-party and fourth-party contractors are always
a risk as far as security is concerned, with far too many breaches owing to
excessive privileges, or an attacker exploiting a weakness further down the
enterprise chain. The Target data breach of 2013 is a classic example, as attackers
initially compromised the retailer’s air conditioning contractor.
Today, procurement officers at some companies have
started requiring their vendor companies to have a cyber insurance policy in
place as a way of ensuring that those vendors have done their security homework
and have coverage. Otherwise, the service-level agreement (SLA) won’t go ahead.
7. But it doesn’t protect against all types of loss
It is worth noting that cyber insurance is unlikely
to cover all losses from a breach, and especially not one type of loss that
often gets forgotten in the aftermath of a security incident.
That loss is specifically brand reputation, which
often takes a dip after the event. Companies will still lose an average of four
percent of customers as a result of a breach, which will definitely not be
covered.
8. Prices are negotiable
One of the few benefits of the market’s immaturity
is that policies are more negotiable than other types of insurance. That is
something that executives and business leaders need to bear in mind when
it comes to renewal time.
9. It’s perfect for SMEs
Cyber insurance can be especially helpful for small
businesses, as a significant percentage of them are high-risk cases because
they cannot cover the costs (plus loss of reputation) of a breach.
However, as the UK government noted in a paper titled
UK Cyber Security: The Role of Insurance in Managing and Mitigating the
Risk, 22 percent of small businesses have no idea where to start
when it comes to protecting their enterprise in the event of a cyberattack. A
lot more education is needed.
10. It is not guaranteed to be a success
Security experts are split on cyber insurance and
its place in business, with just as many arguing that it is a useless add-on as
an essential business enabler.
Earlier this year, PwC predicted that the global
cyber insurance market could grow to US $7.5 billion (£4.8 billion) in annual premiums by 2020.
Some months later, however, a KPMG study
indicated that these policies were not overly trusted by business leaders.
Based on a survey of senior information security
professionals from organizations which are members of KPMG’s International
Information Integrity Institute, 74 percent of businesses had no cyber
insurance.
Mistrust of insurers honoring policies appeared to
be one challenge, while 30 percent believed that the market was not
sufficiently mature for them to adopt cyber insurance.