alphaspirit - Fotolia

Get started Bring yourself up to speed with our introductory content.

Is cyberinsurance worth the risk?

Immature products and a lack of standardization raise critical questions about first-party risk and third-party liability.

As established insurance providers and startups rush to sell cyberinsurance to companies of all sizes, many enterprises still can't find insurance policies due to the lack of product standardization and complexities of establishing adequate coverage.

High-profile breaches and the growing realization that potential revenue losses from cybersecurity risks areare on par with business interruptions and natural disasters may change those dynamics. Stricter data privacy notification laws, government incentives and cloud adoption have amplified interest in cyber risk insurance.

"There is a lot of capacity, so there are a lot of insurance carriers chasing the same customers," said Mark Greisiger, president of Philadelphia-based NetDiligence, a firm that specializes in cyber risk assessment for major insurers, brokers and industries. "You will find underwriters willing to undercut premiums and insure customers who might not have the best controls in place, because they want to put revenue on the books this quarter."

Immature products and policies

How do insurers compare risks among companies in the same industry when many companies shy away from sharing breach or security data? "By and large, the data breach loss information is very hard to get at and most of these insurance companies have very little actuarial data to support their underwriting decisions, because companies are reluctant to disclose any detailed information around their breach losses," said John Wheeler, research director for security and risk management at Gartner. "Even the insured are reluctant to file claims in some situations, because they want to keep the information closed and they are fearful of the impact to their reputations."

The lack of actuarial data, and the fact that the companies often have more information about the risk scenarios than the insurer, may lead to adverse selection -- high-risk enterprises purchasing cyberinsurance -- and "laddering," in which companies buy cyber risk policies from multiple insurers.

Used to transfer risk and protect organizations against revenue loss, cyberinsurance is usually handled by chief financial officers and risk managers. Security professionals' involvement in coverage decisions is often limited despite the critical nature of the pre-insurance security surveys that insurers use to create policies and process claims.

Analytics and modeling tools for risk managers may help purchasing decisions. Insurance broker Marsh introduced Cyber DEAL (identify Damages, Evaluate, and Assess Limits) in July aimed at helping clients determine insurance needs based on the one-year probability of a cyberprivacy incident, its severity and cost per breach. Cyber DEAL uses U.S. historical breach information dating back to 2005, according to the insurance broker, along with other data sources, including the company's proprietary database.  

Homegrown security assessments

A number of leading insurers also require a security and risk assessment of some sort. "But 99% of the time, there is no insurance company that is going to require an on-site assessment," said Greisiger, who noted that the insurance industry thinks penetration testing is "overkill."

Onsite assessments often occur when a corporate client wants it done for internal risk management. "Many times, the internal risk managers or the CFO have no idea what their actual IT guys are doing," he said, "so this is really a risk-management engagement that the organization wants to undertake, and they use the report to help their insurance underwriter's requirements."

The question is not frequency, it is severity. How bad is it going to be and are you able to control it so that it is more of a nuisance than some catastrophe?
Mark Geisigerpresident, NetDiligence

NetDiligence, whose clients include Ace, American International Group (AIG) and SafeOnline among others, generally does remote assessments using online applications that corporate candidates have to complete, detailing the organization's security practices. In addition to interviews, NetDiligence performs network vulnerability scanning to ensure that the systems are patched, hardened and can deflect 6,000 common vulnerabilities.

Insurers are interested in policies and procedures and whether or not an organization has the security practices and adequate safeguards in place for its size and industry to mitigate loss in an ongoing manner. "And that's a very subjective thing," said Geisiger. "They may not care if you have a dedicated security person because most small to medium-sized businesses … do not have the budget for that."

End-to-end encryption is a hot topic among insurers: Organizations that encrypt private data in all of the places that it resides may have safe harbor from legal liability should data exposure or loss happen. But less than 5% percent of the companies that NetDiligence works with have encryption in place throughout their organizations (in their email, databases, laptops and especially with their service providers, such as cloud services).

Limited involvement

Demand for cyberinsurance intensifies after a security incident, according to research from the Ponemon Institute; 70% of the risk managers surveyed, whose companies had experienced a security incident in the previous 24 months, said that it increased their organization's interest in cyberinsurance.

But IT security professionals have "significant involvement" in cyberinsurance decisions only 32% of the time, according to the August 2013 study (sponsored by Experian), while 33% of respondents said they have "no involvement" (see table).

IT security's level of involvement in determining adequacy of coverage
IT security's level of involvement in determining adequacy of coverage

Not involving security officers in cyberinsurance decisions is ill advised, according to Gartner. "I think they need to be involved at the forefront of considering this sort of insurance, especially given the fact that we are in an immature market and the underwriters are looking at these policies on a case-by-case basis and solely relying on the application," said Wheeler. "If the security folks are not involved at the front end and providing the best characterization of their own security practices, then essentially that policy is being underwritten using information that is not accurate, so the value of the policy itself is suspect."

If security professionals are brought in midstream, they may not understand the full ramifications of some of the exclusions and what these relate back to in terms of the application. "There is no way that an organization can make a truly informed decision without them at the table," he said.

Many organizations have good security practices in place, but that doesn't stop events from happening every few years. "A lot of the information security guys feel that insurance isn't needed because they've got the back of the company; they are doing a good job on security and nothing is going to happen," said Geisiger. "And for many organizations, that's true. The question is not frequency, it is severity. How bad is it going to be and are you able to control it so that it is more of a nuisance than some catastrophe?"

Insurance products offer first-party coverage (direct losses to your organization) for network intrusions and breaches, loss of income or business interruption, crisis management, breach notification and even credit monitoring for potential victims and even call centers after an event.

 Third-party protection can include privacy liability and damages against third-party computer systems, data losses or services. Most companies purchase both types of coverage, according to Gartner.

The privacy and security issues can get a "little muddy." One in three events NetDiligence witnesses are caused by a third-party vendor or service provider that the insured business relied upon. "What IT needs to understand is that these policies are very wide angled," said Geisiger. "They are focused on protecting private information no matter where it resides, and it might fall outside of the IT department. Maybe the marketing department is doing things for big data trending outside of their privacy policy, and now it's an acceptable trade practice issue."

Risk ownership

Which parties are responsible for cyber risk remains an open question, however. The Department of Homeland Security National Protection and Programs Directorate (NPPD) is looking at the issues surrounding insuring first parties versus third parties. Since November 2012, the NPPD has held three workshops to examine cyberinsurance issues. The initial meeting included insurance carriers, cyber risk managers, information technology and cybersecurity experts, academics and social scientists and critical infrastructure operators. Who "owns" the risk was among the questions raised.

Insurance outside of critical infrastructure operators -- where fears of a "cyber hurricane" have led some to suggest that the fedneral government act as a reinsurer for a limited period of time, as it did in the Terrorism Risk Insurance Act of 2002 -- are no less complicated.

A New York judge ruled in February in favor of two cyber insurers -- Mitsui Sumitomo Insurance and Zurich American Insurance. The insurance companies did not have to pay for defense coverage on Commercial General Liability (CGL) policies that protected Sony Corp. of America and Sony Computer Entertainment of America -- the providers of the PlayStation Network and Online Entertainment services. According to the judge's ruling, the data breach did not constitute oral or written publication violating a person's rights to privacy because the confidential information was "published" by third parties -- in this case, the hackers responsible for a massive cyberattack on the Playstation Network in April 2011 that resulted in a data breach that affected millions of gamers and Sony Entertainment users. Organizations that try to extend their CGL policies to include cyber risk and liability protections may face an uphill battle.

 Insurance coverage typically pays for the costs of responding to the event; hiring legal counsel; navigating federal and state compliance requirements; and conducting computer forensics after an incident, which can be expensive, according to Geisiger. "Did the bad guy touch private information? What controls were defeated that allowed this to happen? That information can be submitted to the insurance company so that they can pay your claim," he said. One key area that it doesn't cover is theft of intellectual property and trade secrets.

NetDiligence runs an eRisk Hub that is licensed by many insurers, which offer its resources as an additional benefit to their policies. After a bad event, corporate clients have immediate access to top forensics investigators, as well as to cybersecurity and privacy lawyers. "These ‘breach coaches' are seeing one or two breaches a week," Geisiger said.

Brokers and insurance representatives have also ramped up their knowledge of cyberinsurance policies in the last few years. "Good insurance brokers will actually have the underwriters strike a lot of the exclusions -- they have a cheat sheet on every insurance carrier out there and what exclusions there are," Geisiger said. "They can get away with that, because we are in a soft market."

Adequacy of coverage

While insurance companies can provide a one-stop shop for breach notification, crisis management and public relations after a security disaster, many organizations are not aware of the sublimits of coverage on their policies -- often regulatory issues or legal defense -- until they make a claim. The sublimits "ratchet down" the value of the quoted coverage. "Typically, when clients review that, they opt not to go ahead with the purchase," said Wheeler. Gartner generally sees cyberinsurance policies of $5 to $15 million (not including laddering) with annual premiums ranging from $10,000 to $35,000 per $1 million of coverage. "I haven't seen much beyond $100 million in total aggregate for very large situations," Wheeler said.

Organizations need to pay close attention to the information that they provide in their pre-insurance applications. "It becomes a central part of their policy," said Wheeler. "When a claim is actually made, if any of that information becomes suspect or is just not valid…the insurer will use it to not pay the claimant or, in the worst-case scenario, to void the coverage altogether."

Organizations should have their risk manager, security officer and legal counsel peruse any policies before purchasing cyberinsurance. "These policies are complex, and they have definitions of definitions, and you have to be really careful of exclusions," said Geisiger, who noted that some policies can be as low as $5,000 for limited coverage.

High premiums and worries about claims actually being paid are top concerns of the uninsured. Less than one third (31%) of respondents surveyed across multiple sectors had cybersecurity policies, according to Ponemon research. Of the organizations that did not have policies, 57% reported plans to buy cyberinsurance while 43% did not have such plans -- in part, because of high premiums and too many exclusions (see table).

Main reasons for not purchasing cyberinsurance
Main reasons for not purchasing cyberinsurance

Next steps

How can you determine whether investment in cyberinsurance should be part of your organization's security strategy? Invest in a strong security program first, and use that as your "self-insurance," said Wheeler. "Beyond that, you may want to look at cyberinsurance to provide some secondary risk transfer for catastrophic losses." Some organizations also see a lot of value in the covered services, such as crisis management and breach notification.

CISOs should educate themselves on the cyberinsurance products and their limitations. They should also reach out to the insurance risk managers within the chief risk officers' organizations who deal with the brokers, to find out their awareness and understanding of these products, in order to determine whether cyberinsurance coverage is something that the company should explore, according to Gartner.

While interest in these products is high, the market remains immature. "Cyberinsurance is going to continue to grow as a cottage industry until there is some standardization of the product and the policies," said Wheeler. "It is going to take some form of government backing or incentive for that to occur."

Cyber risk and liability concerns are hotly debated in Congress, but federal legislation on breach notification and data privacy is still a ways off. "If the government would provide some legal protections," said Wheeler, "that is going to go a long way to where a standard product can be put together, but that is probably 3 to 5 years away."

President Obama issued an Executive Order on "Improving Critical Infrastructure Cybersecurity" in February 2013 that outlined plans to increase threat-information sharing and build a baseline cybersecurity framework. Some form of cyberinsurance has been proposed as incentive for companies to comply with the voluntary NIST_Cybersecurity Framework, which was published in February. "That would really propel this market forward," said Wheeler.

AIG extended its CyberEdge PC policies in April to include property damages and bodily injuries, in line with the cybersecurity framework guidelines, according to the company.

While some companies worry about moral hazard, according to Ponemon research, 62% of the risk managers surveyed indicated that with cyberpolicies their company's ability to deal with a security incident improved. The stronger security posture could be due in part to the security assessments and steps required for the audits, according to researchers.

About the author
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.

This was last published in August 2014

Dig Deeper on Information security policies, procedures and guidelines