In the past couple of years there’s been a significant uptick in talk about cyber insurance. This comes as no surprise, as risk has risen well beyond manageable levels and the costs associated with breaches now impact bottom lines. The breach that hit Target in 2013 drove damages that exceeded $290 million. The attack on Sony dismantled the release of a major motion picture and led to the termination of at least one top executive.
Investments in skilled personnel and technologies that include everything from firewalls to anti-virus to threat intelligence platforms will continue to provide the best returns when it comes to reducing risk. However, cyber insurance also can be a valuable tool to help address risk. It could be especially useful when gaps exist that are too hard or too expensive to address via other means.
Understanding available options and your organization’s overall risk exposure are keys to knowing which cyber insurance path to follow.
Know what’s covered
There currently are no “standard” cyber insurance policies. As a result, the specific policy options available may vary across carriers and industries.
Typical policies focus on covering first-party risk, where organizations are exposed to losses caused by attacks or breaches. Costs to first parties can come in many forms, including business disruption, regulatory fines, and claims from other parties seeking to recover related damages.
Before investing your organization’s money in a policy, it is critical to understand specifics. You’ll want to know what exclusions exist, what the time period is that the policy covers, and the types of damages your carrier would compensate your organization for after an incident has occurred.
Insurers typically won’t cover damages inflicted by “foreign enemies” or caused by “acts of terrorism.” Exclusions such as these could make it extremely difficult for any organization to receive compensation. Because attribution is difficult at best, make sure you understand how the insurance company you are considering determines whether an attack was an act of terrorism or was carried out by a foreign enemy.
It is extremely important to know when coverage begins and what time period it covers. If an attacker is in your network prior to the effective date of a policy, it may be difficult at best to collect compensation, as most policies will not cover incidents that took place prior to their effective dates. Whether your organization could offset the cost of an attack that began in the past is extremely important, especially when you consider the typically long “dwell time” attackers remain inside systems before being discovered.
There are damages that insurance providers cannot and will not cover—things like impact to reputation and future business losses that might occur as a result of an incident. And, there are limits to compensation amounts available. Depending on the risk being offset, even going through multiple policy carriers may not yield enough coverage to mitigate losses. Remember the Target example? That retailer was able to obtain $100 million in coverage by going through multiple carriers prior to its breach, which didn’t even cover half of the $290 million it lost.
The market for cyber insurance has been around for several years, but it is still far from mature. Underwriters are new to the cyber risk field, likely suffering from the same level of threat information overload that most organizations are experiencing, and probably finding that it is very difficult to accurately assess risk.
Insurance companies use a variety of tools, questionnaires and other techniques to assess risk levels prior to approving policies. However, don’t allow your organization’s premiums to be established based solely on carriers’ assessments.
Before you engage with a carrier, know what your organization’s risk levels are, how mature its security programs are, and what tools are in place to defend against attacks.
To make the most of an insurance investment, have solid programs in place providing things like vulnerability management, threat intelligence and perimeter defense. You also should conduct periodic third-party assessments that will assist with understanding your organization’s gaps and what can be done to close them.
If you don’t know the status of your organization’s security posture and what tools are in place, then you could put your organization at the mercy of underwriters’ assessments, which could lead to overpriced premiums or outright rejection.
There are numerous indicators showing that cyber insurance demand will rise significantly in a short period. PricewaterhouseCoopers estimates that annual gross written premiums will triple to $7.5 billion by 2020 from $2.5 billion in 2014. These estimates may indicate that the collective thought among enterprise security and risk professionals is that cyber insurance is a good idea, but it is important to remember that cyber insurance and security aren’t the same thing.
When it comes to security, your organization’s highest priorities should remain employing the right talent, ensuring effective communication, developing a security-focused culture, and having in place basic technologies known to provide effective defense.
Most important, though, is to always place security first. All of the cyber insurance in the world can’t actually defend your organization from advanced cyber threats, attackers, malicious insiders and heavily backed nation-state actors.
Travis Farral, director of security strategy at Anomali, is a guest contributor to ThirdCertainty.com, where this article originally posted.