Response: Beware the Nascent Cyber Insurance Market

Cyber insurance coverage is like the airbags in your car: they will improve your chances of walking away from an incident, but they cannot prevent one

I read Colin Tankard’s recently published comment for Infosecurity with interest (‘Beware the Nascent Cyber Insurance Market’), and although I would agree that some of the concerns his article raised are legitimate, I am unable to concur with the overall position adopted.

Within his article, Tankard cites many statistics relating to the likelihood of a firm identifying a security breach (a subset of the breaches they actually experience). I personally take it as a fact that over an extended period, most organizations will suffer a significant breach, and in a notable percentage of these cases the impact could create genuine business disruption. These statistics are a clear indicator that a prevention-only approach to organizational security does not work.

Quite simply, it is not economically viable or technically possible for any organization to completely secure itself. My favorite paper on the subject is ‘Why Information Security is Hard – An Economic Perspective’ written by Ross Anderson of Cambridge University in 2001. Every infosec professional should read this.

Within the information security profession, our role is to reduce the frequency of these breaches and where they occur to minimize the losses – the uncomfortable truth is there is an acceptance that there will be losses. Indeed, if you look at physical security solutions they acknowledge that static security controls will be defeated given time; instead, physical security designs will focus upon delaying an attacker long enough for a response capability to be activated.

I advocate security strategies that categorize their components into four strands: prevention, detection, response and residual. The first three areas are those that can be addressed in a technical fashion and serve to control the loss experience; the final component is a board matter and consists of a decision to either accept certain risks or to insure them. Increasingly boards are considering insurance in relation to cyber risks – this shouldn’t be seen as a criticism of their information security teams, it’s much more a sign of a maturing understanding of the topic at the board level. When an executive board is not explicitly considering residual risk, what that really signals is that they don’t consider the risk to be genuine in the first place.

So, where would insurance sit in a security strategy? The current products on the market are split between third-party claims and first-party losses (e.g., lost revenue and the costs arising from dealing with the incident). Third-party coverage is driven by contractual obligations, and within the US legal system the first-party coverage provides, up to a certain limit, the costs of dealing with a business disruption and the subsequent loss of revenue. The parallel with disaster planning is very clear: no organization wants to experience a disaster, but it accepts that it could experience one and that the impact could be sufficient to destroy its business. Wouldn’t you like your board to view security as something that has business significance?

The natural analogy for this type of insurance is that it’s like the airbags in your car – no matter what other safety features it has, or how well you drive, you may experience a crash. An airbag doesn’t guarantee that you’ll walk away, but it certainly improves your odds.

It is nevertheless important to understand that ‘cyber’ policies are specialist products and the market for these is still developing. These offerings should not be confused with some of the extensions added to ‘computer’ policies that really were designed to cover the physical replacement of equipment, and not the business impact associated with a disruption. Many of the poor experiences reported relate to clients who believed they had cyber coverage, when in fact they had a poorly constructed free extension to a product designed to replace server hardware.

Any insurance claim is going to be scrutinized, but it’s important to understand that these products are not sold directly. Provided you work with a broker who has specialist knowledge of the cyber market, they will then be able to work with you to avoid products that have overly onerous warranties and exclusions, and present your risk in the best possible light when broking the initial coverage. Your broker will probably also assist should you ever need to submit a claim.

Although I fully understand the suspicion that insurers will seek to avoid paying claims, if they do this in a systemic fashion then the brokers will cease to recommend their products, and that is a strong incentive for them to ‘play fair’. While there has been some publicity about claims that have been refused, through my conversations with underwriters I am aware of a number of high-value claims that have been paid without publicity; most organizations remain loath to admit they have been affected by a security breach, and so the lack of public data here should not be surprising.

Tankard’s article notes that an insurer may require controls beyond those mandated by an auditor and flags this as a negative. Personally, I see this as a positive because it moves organizations away from a tick-box mentality toward a more robust security strategy. Rigid technical standards such as PCI-DSS have an important place in the security ecosystem by encouraging fixed minimum controls; however, there is always a risk that the organization concerned has gamed the certification through aggressive control of the scope and by ignoring side-channel risks. When the objective is to get the certification rather than to be secure, the project will be approached with a narrow cost-control mindset.

Risk-based standards (e.g., ISO 27001) are not perfect and are still subject to scope control, but they are generally more holistic. The proposal forms I have seen for cyber products could generally be described as a subset of ISO 27001-recommended controls, with disclosures relating to known breaches over the last few years. Cyber insurance policies are manually underwritten, which means that the price that you’d be charged is based upon a specialist underwriter’s personal view of the control environment you have – this is very different from the algorithmic pricing applied to domestic car insurance.

Getting a quote for cyber insurance does not require you to implement additional controls, but should an underwriter decline to quote on the basis that you are missing a particular control, then I’d humbly suggest this is something that you need to consider as a business issue because there are very few of these red lines, and the ones that exist are there for good reason.

The market in the UK for this type of coverage, for example, will continue to develop; and I’ve had the pleasure of being involved with Cyber Risk Insurance Forum (CRIF), which includes a number of specialist brokers, leading underwriters, legal firms and technical security companies. This group is seeking to promote and develop the UK approach in this area.

Finally, on a regulatory note, I must highlight that although I work for Oval, which has a cyber-broking specialty, I am not personally a qualified broker. As such, all I am authorized to do is provide general information about this topic. Should you wish to investigate how cyber insurance coverage could fit within both your security strategy and corporate insurance portfolio, then you should speak to your insurance broker.

Tom Whipp, CISSP, is the Head of Risk for Oval Ltd, an advisory firm specializing in risk, insurance broking, financial planning and healthcare.