Editor's note: This is part three of a series on cyberinsurance. Part one looks at how cyberinsurance policies fit within enterprise security programs, and part two examines how elements like third-party vendor risk are accounted for in those policies.
Insurers define what is required to obtain a cyberinsurance policy, and they also determine what premium discounts will be offered. Still, neither side has defined much in the way of standards or best practices for coverage and pricing. Coverage amounts may affect price, but with little competition at this stage, premiums are running high across the board.
This is where premium reduction items come into play. In terms of specific controls that can be applied to reduce a premium, the requirements have hardened a bit over recent years.
"As the investment in technology grows, insurers will begin to offer incentives to adopt certain risk management tools and strategies through premium credits or broader coverage," said Ben Beeson, the cyber risk practice leader at insurance broker Lockton Companies. "Today is still very much the stick rather than the carrot. If a retailer has no end-to-end encryption on a point-of-sale system, then they probably won't get insurance."
While certain requirements are being defined and adjusted, there's still more to do in terms of mapping requirements to security controls, the risks and to the policy. "We still tend to live in a high-medium-low world with stoplight charts sent to the board of directors," said Tom Fuhrman, managing director at Marsh Risk Consulting. "This is not very helpful -- we need the right expression of risk, [which is calculated as] probability and severity of loss over a period of time, and the ability to talk about the business value of the resources at risk."
However, a static underwriting process for a dynamic risk is increasingly unworkable. Technology and insurance are beginning to converge as insurers have started to use risk scoring tools and predictive analytics techniques to confirm their risk assumptions. "The insurance industry needs to partner with technology firms and analysts to help model the risk," Beeson said, noting that this is just the start.
Collaboration among insurers, brokers, underwriters and clients is also improving, which helps drive the types of policies, improvement of coverage and the limits organizations can receive. "Organizations and insurers have to sit down and talk -- a questionnaire alone is not enough," said Jacob Ingerslev, head of technology E&O for Cyber & Media Liability at financial services firm CNA Insurance, during an RSA Conference presentation. "We need to look deeper if we want to avoid the asbestos fiasco of years past."
Limitations in cyberinsurance coverage
While having some coverage is better than no coverage, organizations must pay attention to the clauses and limitations in their policies. Cyberinsurance experts highlighted several areas to keep in mind:
- Intellectual property: According to Beeson, while the loss or theft of private health information and personally identifiable information are insurable, theft or loss of intellectual property is not. David Bradford, co-founder, chief strategy officer and director of strategic partnership development at Advisen, an insurance analytics firm, agreed and said determining the value of IP is challenging. "The loss of IP can be devastating but hard to quantify, and it's difficult to gain a mutual understanding between insured and insurer," Bradford said. "Therefore, the insurance industry has not done a good job coming up with products to insure IP."
- Prior acts: Coverage on prior acts can be a challenging area as detection and identification of an attack are big problems; it can be difficult to determine the exact timeline of a security incident. "If you do not ask, you won't be given insurance if an act identified occurred before the first day of coverage," Beeson said.
- Breach continuation: Another area to look at is the repeat aspect of a breach. "If you've been through it once, the insurer may do something with your rates," Dixon said. "Once we determine the infection has been removed from the environment, we see payouts kick in from the insurer. From what we've seen, however, there will not be perpetual payouts for ongoing attacks."
- Claim attribution/association: Any dollars spent from payouts need to go toward the specific breach. Up until now, some insurers have been able to say where enterprises can spend those dollars, but moving forward, the payouts may not be applicable to that specific breach. "We see a lot of claims being declined if the monies are earmarked as investments in people, process or technology that should have been in place prior to the breach," Dixon said. This raises the question: when is enough enough? "When an organization becomes a cyber-fatality, how much does the insurance company cover?" asked Ken Allan, global information security leader at Ernst & Young.
- First party restrictions: "One of the common pitfalls to avoid is the first party/liability aspect of coverage," Ingerslev said. "Since claims that relate to the first party are mostly related to legal fees, for which we've seen no settlements yet, there are exclusions around consumer protection law violations that are part of a class-action suit. Companies need to be aware of restrictions here -- exclusions that talk about lack of sufficient security or flaws in the security software could pose a huge problem at claim time."
The ongoing ransomware attacks against hospitals raise the question for this space -- do they have protection with a policy? "We are certainly going through a wave of healthcare institutions being held ransom," said Julian Waits, president & CEO at PivotPoint Risk Analytics. "Carriers are actually limiting what they pay out on these things -- we're not witnessing an out-of-control market; it just happens to be an inefficient market."
Tips from the insurers
The goal for this industry is to move the market forward so organizations can make informed decisions on what cyberinsurance they need, what they need to do to avoid making a claim and how they need to handle things when a claim is made.
Industry experts agree that a static approach doesn't work. "This is still a market whose prices are driven by supply/demand -- not a price that actually reflects risk," Beeson said. "As part of the convergence between technology and insurance, think of a telematics black box in a car used to get better premiums. We will start to see dynamic analysis as a means to drive incentives for lowering premiums and risk."
Speaking at a cyberinsurance panel discussion at RSA Conference 2016, Melissa Ventrone, partner at Wilson Elser Moskowitz Edelman & Dicker LLP and chair of the firm's Data Privacy and Security Practice Group, said it's also important to remember that insurance companies aren't the enemy. "Insurance companies want to insure and come to the table with a lot of unique tools to help mitigate risk and reduce the claim," she said.
Paul Calatayud, CISO at healthcare IT firm Surescripts, said the process of obtaining a cyberinsurance policy offered tangible benefits beyond the policy itself. "Even with a strong cybersecurity practice in place, such as those at a Fortune 100 company, this process helped me think of things differently -- such as other ways of slicing this up and by bettering the risk management and security management programs," he said. "For organizations that are not heavily regulated, this is a huge validation of their security program. It could help get funding to mitigate the risks."
Per Dixon's suggestion, it's best to proactively come up with a cyberinsurance plan that documents where the dollars will go and what will be covered if a policy is executed. Enterprises should also budget where the money will be used and identify any gaps in coverage. As organizations work their way through the process, they will start to right-size their policies. If cyberinsurance will only pay for specific issues or occurrences, the leftovers should be part of the ongoing security budget.
Given the realities of security protection and response programs, organizations need to face up to the fact that they won't be able to detect every attack before the damage is done. They also won't be able to successfully handle every incident without negative impact to the business, and at some point, human error will inevitably occur. Cyberinsurance has appealed to many enterprises on that front, as it can alleviate some of these concerns.
But enterprises today find themselves in a bit of a pickle when it comes to cyberinsurance. The insurance industry is still wrestling with how to structure such policies and define standard practices. But if companies sit around and wait for the market to mature further, they won't have this tool as part of their enterprise security programs in the meantime.