Data protection in the digital age is constantly evolving. Cybersecurity insurance, also known as cyberinsurance, is just one of the many significant shifts in recent years. The U.S. cyberinsurance market, currently estimated between $2.5 billion and $3.5 billion, is projected to grow an additional $2 billion over the next three years, according to PwC.
The advent -- and subsequent popularity -- of cyberinsurance correlates with a reluctant acknowledgement that no organization, regardless of industry, is immune to security incidents.
In fact, 47% of respondents to the 2019 Marsh Microsoft Global Cyber Risk Perception Survey reported they have cyberinsurance, up from 34% in 2017. Of those with policies, 89% said they were highly or fairly confident their policies would cover the cost of a cyberevent.
Sherri Davidoff, CEO of LMG Security and author of Data Breaches: Crisis and Opportunity, said cyberinsurance coverage is a must-have in today's environment. With the threat and legal landscapes always shifting, the right insurance policy could be the constant organizations need in times of immense change, she said.
But buying a cyberinsurance policy and thoroughly understanding its details and limitations are two different things. Organizations must accept that simply having a policy will not inherently make them safer from cyber-risks, though it will help in the aftermath. Policies cannot prevent a data breach from occurring, but they may cover, for example, digital forensic investigation costs or provide access to cybersecurity experts that companies might not otherwise have had.
Anticipate change when choosing a policy
When organizations choose their insurance policy, they should "think about how that's going to be relevant for not just today's threats, but for threats in six months, threats in a year, threats in two years or five years," Davidoff said.
Coverage also isn't one size fits all. Speakers at the 2019 Black Hat conference predicted cyberinsurance plans will become hyperspecialized in the future. For example, a company may need one policy to cover ransomware attacks and another to insure data breaches that expose personally identifiable information. This reflects the way risk profiles vary drastically in organizations of different sizes and industries, as well as the ways compliance standards may affect data security practices.
How cloud affects cyberinsurance coverage
When companies consider making the transition to the cloud, they should also discuss cyberinsurance coverage, Davidoff suggested.
"As we move to the cloud, think about what your organization's requirements should be in terms of insurance coverage for your third-party providers. If your data in the cloud gets breached and it's the cloud provider's fault, you may still need to notify the people whose data was on there," Davidoff said, adding that notification costs can be burdensome.
On top of notification responsibilities and cost, remember it is the business's name in the headlines, not necessarily the third-party cloud provider. Reputational damage often comes with not just a consumer trust loss, but also a financial price tag. Post-breach consumer trust issues may require a delicate but costly public relations (PR) campaign. Will the insurance provider pay for the PR team's response to a data breach? Will the provider select and hire a PR firm? Will the insurance provider reimburse the company for damage control costs? Who is responsible for managing the campaign? These, Davidoff said, are all important questions to ask before choosing a policy and provider.
Cyberinsurance policies not the be-all and end-all of security
One of the attractions of cyberinsurance coverage is it provides peace of mind to organizational leaders concerned about security incidents. But, to be clear, an insurance policy is not going to stop a cyberattack from happening.
"Often, organizations are just checking a checkbox when they sign up for the insurance," Davidoff said. This could be attributed to miscommunication and a lack of understanding on the part of multiple parties, including the organization's leadership.
The importance of coordinating policy decisions cannot be overstated, Davidoff said. She warned of frequent situations where "executives are involved, legal is involved, but IT is not involved." This contributes to situations where executives experience an inflated sense of security once they've obtained cyberinsurance coverage. "They think all of their cyber-needs are covered when, in reality, every policy has limitations," she said.
Security leaders understand the dangers of overconfidence and a false sense of immunity when it comes to an organization's security. To avoid these dangers, have an accurate understanding of what your risks are from a technical perspective, Davidoff said. "It's really important, not just for your policies to be harmonized, but for the whole organization to be involved in contributing to the decision-making process," she said.