
Cyberinsurance policies: Getting coverage and avoiding limitations

The cyberinsurance market is maturing rapidly, but there are still gray areas to navigate. Sean Martin explains what enterprises should know about policies.

Editor's note: This is part three of a series on cyberinsurance. Part one looks at how cyberinsurance policies fit within enterprise security programs, and part two examines how elements like third-party vendor risk are accounted for in those policies.

Insurers define what's required in order to obtain a cyberinsurance policy, and they also determine what premium discounts will be offered. Still, little has been defined on either side in terms of standards or best practices for coverage and pricing. Coverage amounts may affect price, but because there is not much competition at this stage, premiums are running high across the board.

This is where premium-reduction items come into play. The requirements have hardened somewhat in recent years in terms of the specific controls an organization can apply to reduce its premium.

"As the investment in technology grows, insurers will begin to offer incentives to adopt certain risk management tools and strategies through premium credits or broader coverage," said Ben Beeson, the cyber risk practice leader at insurance broker Lockton Companies. "Today is still very much the stick rather than the carrot. If a retailer has no end-to-end encryption on a point-of-sale system, then they probably won't get insurance."

While certain requirements are being defined and adjusted, there's still more to do in terms of mapping requirements to security controls, the risks and to the policy. "We still tend to live in a high-medium-low world with stoplight charts sent to the board of directors," said Tom Fuhrman, managing director at Marsh Risk Consulting. "This is not very helpful -- we need the right expression of risk, [which is calculated as] probability and severity of loss over a period of time, and the ability to talk about the business value of the resources at risk."

At the same time, a static underwriting process for a dynamic risk is increasingly unworkable. Technology and insurance are beginning to converge as insurers have started to use risk scoring tools and predictive analytics techniques to confirm their risk assumptions. "The insurance industry needs to partner with technology firms and analysts to help model the risk," Beeson said, noting that this is just the start.

Collaboration among insurers, brokers, underwriters and clients is also improving, which helps drive the types of policies, improvement of coverage and the limits organizations can receive. "Organizations and insurers have to sit down and talk -- a questionnaire alone is not enough," said Jacob Ingerslev, head of technology E&O for Cyber & Media Liability at financial services firm CNA Insurance, during an RSA Conference presentation. "We need to look deeper if we want to avoid the asbestos fiasco of years past."

Limitations in cyberinsurance coverage

While having some coverage is better than no coverage, organizations must pay attention to the clauses and limitations in their policies. Cyberinsurance experts highlighted several areas to keep in mind:

  • Intellectual property: According to Beeson, while the loss or theft of private health information and personally identifiable information is insurable, theft or loss of intellectual property is not. David Bradford, co-founder, chief strategy officer and director of strategic partnership development at Advisen, an insurance analytics firm, agreed and said determining the value of IP is challenging. "The loss of IP can be devastating but hard to quantify, and it's difficult to gain a mutual understanding between insured and insurer," Bradford said. "Therefore, the insurance industry has not done a good job coming up with products to insure IP."
  • Prior acts: Coverage on prior acts can be a challenging area as detection and identification of an attack are big problems; it can be difficult to determine the exact timeline of a security incident. "If you do not ask, you won't be given insurance if an act identified occurred before the first day of coverage," Beeson said.
  • Breach continuation: Another area to look at is the repeat aspect of a breach. "If you've been through it once, the insurer may do something with your rates," Dixon said. "Once we determine the infection has been removed from the environment, we see payouts kick in from the insurer. From what we've seen, however, there will not be perpetual payouts for ongoing attacks."
  • Claim attribution/association: Any dollars paid out must go toward the specific breach. Until now, some insurers have been able to dictate where enterprises can spend those dollars, but going forward, payouts may not be applicable to that specific breach. "We see a lot of claims being declined if the monies are earmarked as investments in people, process or technology that should have been in place prior to the breach," Dixon said. This raises the question of when enough is enough. "When an organization becomes a cyber-fatality, how much does the insurance company cover?" asked Ken Allan, global information security leader at Ernst & Young.
  • First party restrictions: "One of the common pitfalls to avoid is the first party/liability aspect of coverage," Ingerslev said. "Since claims that relate to the first party are mostly related to legal fees, for which we've seen no settlements yet, there are exclusions around consumer protection law violations that are part of a class-action suit. Companies need to be aware of restrictions here -- exclusions that talk about lack of sufficient security or flaws in the security software could pose a huge problem at claim time."

The ongoing ransomware attacks against hospitals raise the question of whether those institutions are actually protected under a policy. "We are certainly going through a wave of healthcare institutions being held ransom," said Julian Waits, president & CEO at PivotPoint Risk Analytics. "Carriers are actually limiting what they pay out on these things -- we're not witnessing an out-of-control market; it just happens to be an inefficient market."

Tips from the insurers

The goal for this industry is to move the market forward so organizations can make informed decisions on what cyberinsurance they need, what they need to do to avoid making a claim and how they need to handle things when a claim is made.

Industry experts agree that a static approach doesn't work. "This is still a market whose prices are driven by supply/demand -- not a price that actually reflects risk," Beeson said. "As part of the convergence between technology and insurance, think of a telematics black box in a car used to get better premiums. We will start to see dynamic analysis as a means to drive incentives for lowering premiums and risk."

Speaking at a cyberinsurance panel discussion at RSA Conference 2016, Melissa Ventrone, partner at Wilson Elser Moskowitz Edelman & Dicker LLP and chair of the firm's Data Privacy and Security Practice Group, said it's also important to remember that insurance companies aren't the enemy. "Insurance companies want to insure and come to the table with a lot of unique tools to help mitigate risk and reduce the claim," she said.

Paul Calatayud, CISO at healthcare IT firm Surescripts, said the process of obtaining a cyberinsurance policy offered tangible benefits beyond the policy itself. "Even with a strong cybersecurity practice in place, such as those at a Fortune 100 company, this process helped me think of things differently -- such as other ways of slicing this up and by bettering the risk management and security management programs," he said. "For organizations that are not heavily regulated, this is a huge validation of their security program. It could help get funding to mitigate the risks."

Per Dixon's suggestion, it's best to proactively come up with a cyberinsurance plan that documents where the dollars will go and what will be covered if a policy is executed. Enterprises should also budget where the money will be used and identify any gaps in coverage. As organizations work their way through the process, they will start to right-size their policies. If cyberinsurance will only pay for specific issues or occurrences, the leftovers should be part of the ongoing security budget.

Given the realities of security protection and response programs, organizations need to face up to the fact that they won't be able to detect every attack before the damage is done. They also won't be able to successfully handle every incident without negative impact to the business, and at some point, human error will inevitably occur. Cyberinsurance has appealed to many enterprises on that front, as it can alleviate some of these concerns.

But enterprises today find themselves in a bit of a pickle when it comes to cyberinsurance. The insurance industry is still wrestling with how to structure such policies and define standard practices. But if companies sit around and wait for the market to mature further, they won't have this tool as part of their enterprise security programs.


This was last published in June 2016


Join the conversation

5 comments


What is your organization's process for assessing cyberinsurance policies?

All good points. I think it is also tough to put a dollar figure on what coverage is needed to cover the loss of data or property value. You may feel x dollars will cover my loss, but the insurer may feel that it's excessive and will not issue a policy for that level of coverage.

The matter is: what entrepreneurs are asking for in matters of insurance. In Italy we don't have coverage for human error, loss of data in the sense of recovering the value of the lost data, and the loss/theft of intellectual property, patents, ... But they are asking for it.

What if an enterprise would calculate the value of some records for the enterprise, define a perimeter where this information is stored, and how it is treated and defended?

In case I sell my enterprise, I can define a value for my customer DB, for example, as an intangible good. Isn't it? They expect that the same thing will be evaluated by an insurer.

What once was is no longer so. Patience pays off; the market for IP risks, including unauthorized disclosure of trade secrets as well as infringement of patents, copyrights and trademarks, is growing rapidly. More companies willing to take IP risks are entering the market and prices are coming down. There even exists coverage for IP used as collateral. The policies are not unlike the collateral protection insurance offered in the auto industry and in real estate. Seek and you shall find.

Hope you are right, bfletcher. Today there are insurers who don't want to insure cyber-related risks in the automotive sector... : ) Anyway, we will be patient, working every day to bring complex risks to the table of the insurers...
