You can insure yourself against cyber-attack, says Danny Bradbury, but be warned, prices are going up
Information security is all about mitigating risk. Savvy CISOs spend their time asking what threats their organizations face, how deeply these threats would sink the company, and how likely they are. In that sense, CISOs are suitable customers for another industry that’s also about risk management: insurance. So why haven’t the two overlapped more?
A Young Industry
At its heart, insurance is about the paid transfer of risk. Companies have been happily transferring their risk to insurance firms since the late 1600s, when economists created insurance services in response to the Great Fire of London.
Traditional risks, such as fire, flood, theft and injury, are well understood. On the other hand, the insurance industry is just getting to grips with cyber-risk.
“When we started looking for the first time at the issue of cyber-attacks and determining whether it would make sense to have a cyber-insurance policy, it was all green space,” says Ty Sagalow, former COO for AIG e-Business Risk Solutions, now running Innovation Insurance, a consulting firm and brokerage based in New York.
“It was new. There was no actuarial data on frequency or severity. We had to figure out how to create insurance for a risk that we knew very little about,” Sagalow adds.
How do companies manage that risk? Fifteen years is a heartbeat in the insurance business, and so cyber-insurance is still a relatively unknown quantity. The way that insurance companies assess risk involves analyzing past claims. But in a sector with such a short track record and quickly changing characteristics, that isn’t always easy. As such, the market is segmented from the general insurance pool, and covered by special policies.
Insurance companies identify and quantify the exposure, pinpoint the threats, and then make a model of how likely those threats are to occur.
“You have a lot less certainty about that frequency than for more established classes like life insurance or auto insurance, but that isn’t to say that there isn’t any information in the insurance industry,” says Tom Regan, the cyber practice leader for insurance broker Marsh. “We spend a lot of time and money looking to assess the probability of events.”
In any case, insurers have an appetite for risk. After all, that’s what makes them money.
“You don’t go into a new piece of business or a new product because you fear losses. You go in because you hope you’ll be able to make money. If there’s no risk, there’s no reward,” says Sagalow.
Insurers can mitigate their risk in cyber-insurance as they do in other industries, by splitting risk with other insurers, and by using re-insurance, where the insurers are themselves insured by other companies. They can also impose high deductibles.
What Policies Look Like
Typically, cyber-insurance coverage falls into two broad areas: first party and third party. The first party coverage focuses on the internal costs incurred by the company. It covers expenses such as hiring an attorney to deal with the legal ramifications of a breach, and taking on a PR firm to help get out in front of the problem and minimize reputational damage.
Savvy companies will bring in an external data forensics team to find out where the breach occurred, and remediate it. A first party component will also cover the cost of notifying individuals, and potentially even setting up contact centers to field calls from worried customers.
In addition, first party coverage typically covers the restoration of lost data, and it will usually compensate companies for lost business, says Michelle Lopilato, director of the cyber-risk solutions practice at North American insurance brokerage Hub International.
“If your network was breached and goes down, and you’re no longer able to transact business for a certain amount of time, that loss can be replaced,” she says.
"The insurance industry can deal with risks that grow significantly if they can be appropriately compensated"Tom Regan, Marsh
Lost business protection won’t kick in as soon as a disruption occurs. The most aggressive contracts start around six hours after the disruption, but can go as late as 18 hours for companies with poor business continuity operations, she said.
Third party coverage handles the fallout from cybersecurity events that affect other companies and individuals. Typical coverage here includes network maturity liability (if your network is used to infect another company’s systems, for example). It will also cover financial harm to other individuals from a company’s privacy breach, along with the cost of post-breach regulatory investigations and fines.
Rising Prices
Insurance companies are getting better at assessing clients’ cybersecurity readiness, according to Sagalow.
“The industry has matured,” he says. “We have determined that, at least for now, we can continue to underwrite the severity and frequency of cyber-risks, despite the mass attacks that we read about almost every day, whether that be Target, Home Depot, Sony, or others.”
But for how much longer? There are signs that cyber-insurance companies, which have blossomed in number over the last decade, are reacting to industry events.
“The industry is continuing to change and expand, and in certain areas of the business, we see some prices going up,” says Regan. “The insurance industry can deal with risks that grow significantly if they can be appropriately compensated for them. As long as they can get an adequate premium, they’ll be OK.”
Where are those prices likely to hit hardest? Look to retail, says Lopilato.
“We are seeing some tightening of the reins as far as underwriting goes. The insurers are looking for best-in-class controls and securities, and if they don’t have them, then they are getting declinations,” she says.
These controls include encryption at the point of swipe for credit card collection, along with point-of-sale network monitoring, up-to-date security patching, and PCI compliance. “If you can satisfy those four bullet points first, then you do have several carriers still willing to write this business,” she adds.
Companies that take advantage of these policies may even find themselves battling to get coverage. Such was the case with Atlantis National Services, a New York state-based title insurance agency licensed in 32 states. It obtained a cyber-insurance policy through Lloyds of London, after the Department of Homeland Security mandated a data center controls standard, SSAE 16, for title insurers. Atlantis co-founder Radni Davoodi began looking for cyber-insurance not long afterwards.
“It gives banks further comfort using us versus our competitors,” says Davoodi, but he adds that it wasn’t easy to obtain. The industry is still so new that choices are limited, he warns.
“It took us a while to get a quote, and the only broker who was able to provide us with one gave us a cookie cutter and said ‘take it or leave it’,” he says, recalling that there was no option on the deductible or the protection offered. “We’re hoping that in the coming years it will be a little more selective on our end.”
Do customers want insurers to take on their business, though? The Corporate Executive Programme, which monitors corporate security threats, surveyed 40 of its members for a January 2015 report on cyber-insurance. Only one in five companies had dedicated cyber-insurance, it found, and this was among a base of large companies, half of which measured revenues in the billions.
Cyber-insurance adoption also differed dramatically between the US (where 40% of companies had it) and the UK (where just 13% of firms did).
Regan says that regulation makes a big difference in adoption on either side of the Atlantic. In the US, where data breach notification is mandated in 47 states, more companies will be driven to adopt cyber-insurance because of the potential fallout should a breach occur.
"Insurers are looking for best-in-class controls and securities, and if [clients] don't have them, they are getting declinations"Michelle Lopilato, Hub International
Dr Claudia Natanson, chair of the CEP, suggests another factor.
“There was a point given by one of our legal members, stating that it wasn’t so much that the US had breach notification that promoted greater take up, but that unlike Europe, US [companies] could suffer class action suits,” she says.
European adoption will likely rise, adds Natanson. But with an average of four in five companies still not adopting dedicated cyber-risk insurance, there is a lot of potential headroom in this young industry.
Sagalow, who first took steps into cyber-insurance 15 years ago, is already expanding into something new: bitcoin. The cryptocurrency, which is slowly disrupting traditional financial markets, has been beset with security problems. Now, secure bitcoin storage companies are offering peace of mind to users who might hold thousands of dollars-worth in a software wallet. He is working with them to insure their customers against losses incurred in this strange new electronic asset.
“Bitcoin is the new cyber,” Sagalow says, recalling how the internet represented a fundamental shift in how business was done in 2000. “Fast forward 15 years later, and the same thing is happening again.”
Wherever you find uncertainty and risk, you’ll find a forward-thinking insurer exploring ways to underwrite it. The customers may take a little while to come, but if they’re aware of the dangers they’re facing, they’ll arrive eventually.
This feature was originally published in the Q2 2015 issue of Infosecurity – available free in print and digital formats to registered users