SAN FRANCISCO -- Industry experts at a 2015 RSA Conference panel warned that general insurance will not protect against data breaches, contrary to popular belief.
During the panel, various industry experts discussed the evolving state of cyberinsurance, and all agreed that major data breaches in retail from the past year, like Target and Home Depot, have brought the topic of cyberinsurance to the forefront. Yet confusion continues within organizations about their insurance coverage.
General insurance is not cyberinsurance
A major problem, according to Tracie Grella, global head of professional liability for New York-based insurance provider AIG Inc., is that enterprises often mistakenly believe that general insurance will cover cyberattacks, which is rarely true.
"When you're seeing in the news about cyberinsurance and litigation, it is talking about general coverage," Grella said. "That is not where cybercoverage exists. If you want data breach coverage, you need to buy a cyberliability policy."
Paul Ferrillo, counsel for the law firm Weil, Gotshal & Manges LLP, based in Redwood City, Calif., said that there is also too much confusion over what cyberinsurance covers.
"There are too many gaps in coverage for comfort," Ferrillo said. "There are a lot of naysayers about what is covered. For example, after the Sony hack there were questions on if acts of cyberwar were covered."
Grella noted that cyberinsurance policies are becoming more granular, and expand to cover more areas as companies learn from breaches, which has led to adding coverage for privacy issues, cloud systems, and property or bodily damage. However, insurance companies are hesitant to raise limits on coverage.
"We are willing to underwrite the top risks, but companies need to improve security processes," Grella said. "If no one is performing at the top level of security, you can't expect insurance companies to offer maximum limits."
Grella did note that it has become common for insurance companies to recommend security products to clients who are purchasing cyberinsurance.
"The insurance carriers have very close relationships with senior execs and board members," Grella said. "They have no idea what technologies are available, and we're able to bring solutions to them and new technologies that can be helpful."
James Bourie, CEO of New York-based cyber-risk assessment firm Nisos Group LLC, said that it would be acceptable if insurance carriers offer recommendations, but they need to be careful not to stray into reselling products.
"Insurance carriers should integrate cyber-risk programs into their policies," Bourie said. "Instead of being resellers of products, a risk assessment of potential insureds will allow insurers to articulate the level of cyber-risk and assign polices in accordance with their level of exposure or risk."
Insurance risk assessments as security incentive
Others on the panel thought that cyberinsurance itself could be a key incentive to push companies to improve security. Erin Kenneally, CEO of technology law consultancy firm Elchemy Inc., said that cyberinsurance companies could offer incentives similar to other insurance companies, like giving discounts for threat intelligence sharing or for having better cyber-risk assessment ratings.
Tom Finan, senior cybersecurity strategist and counsel for the U.S. Department of Homeland Security, noted that there have been discussions about adding cyberinsurance incentives to the NIST cybersecurity framework.
The NIST framework already has been invaluable in getting the conversation started in regards to increasing cybersecurity and the need for cyberinsurance, Ferrillo said.
"When you walk into a boardroom, people are starting to understand and get it, and I think the NIST framework has given that guidance and that point to latch onto," said Ferrillo. "The framework has given an enormous opportunity for us to have the conversations."
All panelists agreed, however, that the biggest impetus to get executives and board members interested in cyberinsurance has come from high-profile data breaches in retail in the past year.
"We've seen an increasing interest from CISOs," Finan said. "CISOs in 2012 were suspicious of cyberinsurance, but since Target and Sony, CISOs are becoming more empowered to pursue coverage."
Ferrillo agreed that cyberinsurance was becoming a bigger topic, but was unsure just how much value it currently brings, because not all class-action lawsuits regarding data breaches have been settled.
"When you look at the problems in corporate America over the past 14 months, you've seen a dramatic shift in remediation time and response time," Ferrillo said. "The cyberinsurance is part of the equation, but it remains to be seen what the impact is dollar-wise until we see cases settled like Home Depot."
Learn the basics on how to choose a cyberinsurnace policy
Read more about cyberinsurance policies readiness for enterprises