marrakeshh - Fotolia

Cyberinsurance: Assessing risks and defining policies

Cyberinsurance is sparking interest from enterprises, but how are security risks assessed for policies? Sean Martin takes a closer look at the process.

Editor's note: This is part two of a series on cyberinsurance. Part one of this series examines the growth of the cyberinsurance market and how policies fit within today's enterprise security strategies.

Cyberinsurance has become a bona fide market in recent years, attracting interest from a variety of enterprises and producing billions of dollars in revenue. But the market has also become complicated in terms of assessing risk and developing policies based on those risks. A key reason for this, as demonstrated by the infamous Target breach, is that businesses have more to worry about.

Given the fact that Target was breached through a third-party vendor, it's no longer enough for an organization to look solely at its own risk; businesses also need to look at the cyber risk introduced by their third-party supply chain. "We see cyberinsurance as a baseline requirement just to be able to do business with another company," said William Dixon, vice president at Stroz Friedberg, a cybersecurity and risk management company. "One of the standard questions we ask our vendors and service providers is: Do you have a cyberinsurance policy and what are the coverages associated with that policy?"

Large organizations may consider cyberinsurance a must-have, but this can't be the only factor to consider. "If you plan to do business with a large company or are being entrusted by a business partner with data that could have some classification other than public, you should see that as a signal that cyberinsurance should be considered," Dixon said.

For example, a 10-person post-production shop operating out of a garage that is working for a large movie studio might find it cost-prohibitive to hire a CISO and/or to run a formal cybersecurity program. However, this doesn't mean they are off the hook. Working through a cyberinsurance assessment as a third-party vendor could help offset the financial risk for the business they are working for. At a minimum, experts say, it would show that they have some mitigating controls in place.

"The decision to take out a cyberinsurance policy isn't just related to size," Dixon added. "It's more about the classification of the data and how critical that data, as well as the third-party business process surrounding it, are to the business."

How is cyberinsurance coverage determined?

Coverage is generally determined by the risk an organization faces with respect to the potential for loss of both data and revenue. Unfortunately, there is little historical data for the market to rely upon. "As an industry, we are looking for new ways to value risk," said David Bradford, chief strategy officer at Advisen, an insurance analytics firm. "Insurers are learning and bringing technologists on staff, but we need some dialogue to make sure the values we pick are right."

One of the standard questions we ask our vendors and service providers is: Do you have a cyberinsurance policy and what are the coverages associated with that policy?
William Dixonvice president at Stroz Friedberg

The process of defining and generating these values should involve much more than a simple risk calculation performed by the enterprise's internal IT security team; it should be a collaborative assessment performed by both sides: organization and insurer. Melissa Ventrone, partner at Wilson Elser Moskowitz Edelman & Dicker LLP and chair of the firm's Data Privacy and Security Practice Group, spoke about that balance during a cyberinsurance panel discussion at RSA Conference 2016.

"Together, a business and its insurance company need to look at what records they have, what data they hold, what they are doing with the data, what services they are providing and whether those services are relied on by other companies," Ventrone said.

One rule of thumb that could be used for calculating the cost associated with data breaches is using the estimated cost of a lost record due to a breach; for example, in a recent study the Ponemon Institute calculated that exposed data costs companies an average of $201 per capita in the U.S.This simple math could be a great way to set a baseline, right? Well, not entirely, according to experts.

"While this per record analysis is a good starting point for a dollar amount of loss, the risk value rises if the organization doesn't have a document-retention policy in place or has a lot of turnover in its systems and/or staff," Ventrone said. "Similarly, a large infrastructure could introduce more risk to those records and therefore make it more expensive to insure than a single-server environment."

Obviously, given the current market size, this ambiguity and uncertainty are not stopping policies from being written. "Carriers are being careful and don't want to put up much cover," said Jacob Ingerslev, head of technology E&O for Cyber & Media Liability at financial services firm CNA Insurance, during an RSA Conference presentation. "For example, structured as a small business, organizations can only get a limit of up to $10 million. Larger companies would need much more."

Blake Huebner, vice president of security training at Optiv, said during the panel discussion that he sees policies of up to $100 million, while Ingerslev shared stories of $500 million policies as the top coverage amount an organization can get at this stage. "Organizations need to remember that most cyberinsurance policies are only going to cover specific remediation efforts for a particular incident," Dixon said. "We have a good idea about the cost of a record that's compromised, but we don't know what the transformation of ongoing costs is going to be for better monitoring, to be more proactive, and to apply more resources."

Regardless of the coverage level an organization can secure -- $10 million, $20 million or even $100 million -- a breach that costs over $100 million will force the company to pay some amount of money out of pocket to cover the gap. And those costs are before potential data breach lawsuits. Target settled a class action lawsuit with customers for $10 million and paid more $100 million to settle claims with Visa and MasterCard.

"Target, for example, has spent well over $250 million on its breach while the company has less than $30 million in cyberinsurance to cover these expenses," said Julian Waits, president & CEO at PivotPoint Risk Analytics. "Some of the larger brokers are very good at educating about the risk and the limitations. Most others, however, are not as educated and therefore unintentionally put their insured in jeopardy as the policies they sell won't cover the true risk."

Stay tuned for part three in this series on cybersecurity insurance.

Next Steps

Find out why cyberinsurance could improve enterprise security

Experts discuss cybersecurity checklists at RSA Conference 2016

Learn how mini risk assessments can benefit enterprises

This was last published in June 2016

Dig Deeper on Security industry market trends, predictions and forecasts