In the simplest of terms, there are two sides to every information security program: protection and response. A successful cybersecurity program requires both. However, on both sides of the coin, organizations must deal with five realities:
1. There are things they have under control and completely operationalized.
2. There are things they can handle, but it's a pain to keep on top of them.
3. There are things they have to work hard at but can still manage; somehow, barely.
4. There are things they don't know how to deal with; investments in process, technology or personnel will not make a material difference.
5. Their program is defined and managed by humans -- and humans make mistakes.
The question is: How can companies deal with these inevitable realities, especially recognizing that they won't be able to detect every attack before the damage is done or successfully mitigate every incident without negative impact to the business?
For some enterprises, the answer to this question lies in cybersecurity insurance coverage.
To set the stage, Ben Beeson, the cyber risk practice leader at insurance broker Lockton Companies, said, "CISOs now understand the value of as part of their overall risk management strategy. Understanding that prevention is hard and a resilience focus is needed, transferring risk clearly becomes more relevant."
Still, is cybersecurity insurance a necessary evil for every company to consider? Or, is it only a viable option for a small few? In order to answer these questions, it's important to take a look at the role cybersecurity insurance plays within an enterprise security program -- but only after a baseline view is established of what cybersecurity insurance actually is. During the RSA Conference 2016 in San Francisco, cybersecurity insurance was the focus of several presentations and discussions. In part one of this series, several experts in technology as well as financial services weigh in on the topic and how it fits within a modern enterprise security program.
The cybersecurity insurance market
Depending on who you ask, cybersecurity insurance -- or cyberinsurance -- has been around for somewhere between 12 and 16 years, according to some in financial services. Blake Huebner, vice president of security training at Optiv Security, said during a panel discussion at RSA Conference that "cyberinsurance has been around since the '90s."
Regardless of its inception date, adoption within the cyberinsurance market -- similar to cybersecurity technology adoption -- was initially driven by privacy and data breach regulations, and more recently by actual breaches in security where action was no longer optional.
"Given the recent breaches at Target and Home Depot, this market is getting a lot of traction," Huebner said. "Healthcare has the highest adoption, followed by education, gaming, utilities, financial services and retail. It's not the wild, wild west, but it's certainly a fast-maturing market."
The market has taken off like a rocket ship in the last several years: there are now many providers and brokers operating in the cyberinsurance space, and the market is making some serious cash. "There are close to 100 insurance companies offering cyberinsurance in one shape or another," said Jacob Ingerslev, head of technology E&O for Cyber & Media Liability at financial services firm CNA Insurance, during an RSA Conference presentation. "[And] 80-90% of the business is concentrated in 10 companies."
"In 2015, the cyberinsurance market generated between $2.5 billion and $3 billion in revenue," Beeson said during a panel discussion at the 2016 Advisen Cyber Risk Insights Conference in San Francisco. "It's a profitable market and, according to PricewaterhouseCoopers, it is set to grow nearly three times in the next four years -- with an estimate of $7.5 billion by 2020."
While it's clear that the insurance companies are making money, it is coming from a small handful of organizations. "Only 2% of companies in the U.S. have cyberinsurance," said Julian Waits, president & CEO at PivotPoint Risk Analytics. "The biggest problem is quantifying the risk -- it's not linear, actuarial information is immature, and therefore insurance companies are grappling with 'how do we price this risk?' and companies are grappling with what [type of policy] and how much they need to buy, and what they're actually getting in return."
Cybersecurity insurance doesn't replace security best practices, but experts said it is a critical component that fills in the gaps of a solid, well thought out security program. "Any security professional will tell you that you can never be 100% protected against an attack," said Jonathan Niednagel, CEO and co-founder of DatumSec, a risk assessment firm based in Altadena, Calif. "If this were true, then best practices and due diligence should get you 95% of the way there, and cyberinsurance should cover the remaining 5% exposure. Too many professionals think they can accept lax security practices because they're 'covered' by insurance. This couldn't be further from the truth."
As this challenge gets sorted out, the industry could begin to see more policies written covering more organizations to fill the cybersecurity protection gap.
Where does cyberinsurance fit within an enterprise security program?
As a general rule, experts say, cyberinsurance makes a lot of sense. A policy can cost a material amount of money, but some organizations feel including cyberinsurance as part of their cybersecurity program is a safer bet.
However, it's not as simple as phoning an insurer or broker and taking out a policy. There's a lot of analysis that goes into making this decision. Complicating matters further, organizations are beginning to look at risk and cyberinsurance differently. "There is a pre-Target breach world and a post-Target breach world," Beeson pointed out.
Before the Target breach, cyberinsurance policies were written based on a static approach for evaluating the risk. Companies would fill out an assessment, deliver a presentation to the underwriters and possibly have some form of dialog with the underwriters. "Once the assessments were complete and the policy written, the insurers would leave and cross their fingers for 12 months," Beeson added.
In the post-Target breach world, we see breaches occurring all the time. But this 'hope-and-pray' model isn't working for the insurers any longer. "Cyberinsurance is a relatively new financial tool, and in my experience, up until the last seven or eight years, cyberinsurance was viewed as an afterthought on top of a company's cybersecurity program," said William Dixon, vice president at Stroz Friedberg, a cybersecurity and risk management company.
"Organizations now realize they will never be able to cover their risk 100% using people, process and technology," Dixon added. "So we see a lot of clients putting cyberinsurance into their cybersecurity programs -- not as a supplement to improve the security maturity of their technology and processes, but moreover as a means to handle the recovery in the case of a breach -- such as remediation, breach notifications, credit monitoring and added support from outside counsel."
Ken Allan, the global information security leader at Ernst & Young, explained that sometimes the obstacles to obtaining a sound cybersecurity insurance policy are too great for some enterprises. "One of our large banking clients conducted analysis to figure out what they could do with their cybersecurity investment -- looking at whether or not they could spend more money to protect more critical items," Allan said. "In some cases, the technologies were so complex, and the cost to purchase and manage them didn't justify an investment. The bank chose to cover that risk area with cyberinsurance."
Stay tuned for part two in this series on cybersecurity insurance.