Security breaches are mainstream occurrences, and every organization should assume that they are a victim. According to recent research published in conjunction with Infosecurity Europe in April, 93% of large organizations state that they experienced at least one breach in the previous year. They also reported that the number of breaches is growing rapidly as organizations experienced, on average, 50% more breaches than in the previous year.
As firms grapple with security breaches and incidents, and the associated losses, there is a growing trend being seen in the number of organizations looking to take out specific insurance to protect themselves since those losses are unlikely to be covered by the existing insurance policies. According to research published by insurance broker Marsh, demand for cyber insurance among its customers rose by a third during 2012 compared to a year earlier.
In response to such growing demand, the range of cyber insurance offered has been expanding. According to Airmic, the Association of Insurance and Risk Managers in Industry and Commerce, insurance coverage is now commonly available for first-party risk exposure, such as loss or damage to digital assets, business disruption, cyber extortion, reputational damage, and theft, as well as third-party risks such as investigation costs, customer notification costs and compensation paid to customers. According to research conducted in 2012 by RIMS, the Risk Management Society, 38% of respondents claim to have a cyber insurance policy. However, while it found that there were lots of figures concerning payouts for automotive, aviation, fiduciary, marine, malpractice, worker’s compensation and other types of insurance, there was little mentioned in the way of payouts for cyber insurance.
Although there are thousands of insurers offering more general policies, it is estimated that there are only about 40 or so firms offering specific cyber insurance. In common with many other emerging markets, it is also a brave new world, with policies varying widely in coverage and details on actual payouts scarce. Generally, such insurance is based on some common factors, such as the size of the company, the amount of data to be protected, past losses and previous claims, and the number of individuals granted privileged user access.
However, one further factor that insurers are basing insurance levels on is ‘standard of care’ requirements, which refers to the policies, procedures and safeguards that organizations need to have in place in order to qualify. Such requirements range from having a security plan in place and raising security awareness among employees, to specific technology safeguards, such as firewalls, access controls and real-time constant monitoring for vulnerabilities.
According to Marsh, insurance firms are showing much greater interest in the information security practices and procedures that their customers have in place as demand for cyber insurance grows. And there is the rub – organizations wishing to take out such insurance must be able to prove that they have the required standard of care requirements covered, which could mean opening up their systems to the scrutiny of the insurers, and therefore potentially providing them with access to confidential information contained within their systems.
It cautions that this could also oblige firms to invest in security controls that are way beyond the traditional demands of auditors, placing further pressure on financially strapped organizations that are looking to balance their budgets.
There are already examples of organizations that believed they had sufficient insurance for a cybersecurity breach, only to have their claims rejected over specificities. This is because the onus is generally on the organization that has suffered losses to prove that its IT security policies and the controls that it has in place were stringent enough to deal with overly broad clauses often contained in the policies’ small print. Such clauses are currently open to interpretation over what security is considered to be sufficient. For example, if the organization was logging security events that it believes provides a strong chain of evidence regarding how an attack occurred, the insurance company could well argue that it should also have had the controls in place to prevent the attack from occurring in the first place.
As the cyber insurance industry matures, there will likely be many disputes between organizations and their insurers over exactly what the insurance they have purchased covers and whether or not claims will be honored. Organizations should not view cyber insurance purchases as an excuse for lack of investment in further security controls. Rather, investing in such cover may mean they are actually obliged to implement further controls, such as continuous monitoring and logging of all systems in their network.
Organizations need to tread a fine line between how much they are willing to invest in preventive controls and whether or not those investments will be seen as sufficient by insurers offering coverage. Until this market matures and coverage becomes based on universal, standard principles, the only advice that organization should heed is ‘caveat emptor’.
Colin Tankard is managing director of data security company Digital Pathways, which specializes in the design, implementation and management of systems that ensure the data security.