Cyber Insurance: Time for CIOs to Invest?

The threats to your business keep coming.

Last year was the second-most-active year for data breaches, with some 6,515 publicly disclosed incidents exposing more than 5 billion records worldwide, according to a recent analysis released by Risk Based Security. The high-water mark for data breaches remains 2017, but there’s only a 3.2 percent difference in total incidents between that year and 2018.

Since a data breach remains a matter of “when” (not “if”), many enterprises are looking to other means to help mitigate the risk and stem some of the financial losses associated with cyberattacks.

One trend that has gained some traction over the past several years is cyber insurance, which can help offset some of the costs associated with data breaches. An estimate released earlier this year by security vendor Radware estimates that each incident can cost a business up to $1.1 million.

While cyber insurance might seem like a must in a world of constant breaches, these types of policies remain in their infancy. In a study released by Spiceworks, which includes responses from 581 IT professionals in North America and Europe, only 38 percent of respondents reported that their enterprise has some type of policy in place.

Of those enterprises with a cyber insurance plan, nearly half (45 percent) had a policy for under two years. Another 32 percent had a policy on the books for between three and four years. Only 24 percent have invested in one for five years or more.

This means the whole notion of insurance to protect against cyberattacks and data breaches remains relatively new and still only used by a minority of businesses. (Granted, the sample size of the Spiceworks study is somewhat low.) Still, should enterprises start investing more? Is 2019 a good year to put money into a cyber insurance policy?

Steve Durbin, the managing director of the non-profit Information Security Forum, a London-based authority on security and risk management, told Dice in an email that the changing nature of cybersecurity is altering how companies approach risk management. In light of that, CISOs need to ensure that their plans align with the board’s expectations.

“The problems will begin at the top, with misalignment between board expectations and the reality of the security function’s capability,” Durbin noted. “Having increased information security budgets, the board will expect change to happen quickly and may not fully appreciate the scale of the organization’s information security challenges. When a major incident occurs, this misalignment will be exposed for all to see.”

If an enterprise wants to invest in cyber insurance, there are two types to consider (in Durbin’s opinion): Cyber liability insurance and cyber risk insurance.

A cyber liability insurance policy provides cover for liabilities that an organization causes to its customers and others. A sizeable market exists for these products, which can cover data breach and crisis management (incident management, investigation, data subject notification, credit monitoring, legal losses, and so on), media liability (website defacement, for instance), as well as extortion and network security liability.

On the other hand, cyber risk insurance is used to cover direct losses to the organization. It is less common, not only because insurers still lack meaningful data, but also because many organizations assume that their corporate or general liability policies will cover cyber risk, Durbin notes. Cyber risk insurance may include some liability coverage, but it can more broadly cover liability, copyright, effects of malicious code, business interruption, cyberattack, technology errors and omissions, and intellectual property infringement.

“The market continues to develop, and using insurance products to treat cyber risk is an option for many organizations,” Durbin added. “It is important to note, however, that although insurance will transfer a precise amount of risk to the insurer, there will be cyber risks that cannot be transferred and which an organization will have to deal with outside of any insurance policy.”

Greg Reber, a partner at Moss Adams, a Seattle-based accounting, consulting and wealth management firm, believes that there are two reasons why cyber insurance hasn’t gotten more attention. The first is a lack of understanding of exposures, and the second is not understanding coverage policies. However, as 2019 progresses, that will change.

“Boards of Directors are being required, sometimes by regulatory pressures, to increase understanding of their companies’ security risks and what they need to do to manage them. This increased consciousness will directly affect the top reason for not buying coverage,” Reber explained in an email. “Regarding the second obstacle, some companies—too often after a breach through social engineering methods—are finding they aren’t covered for this type of attack. Unfortunately, this scenario leads to a better understanding of current limitations of their policies, and they buy more insurance.”

To help enterprises decide, Reber offered a checklist of issues to consider:

Raise Awareness

Lack of risk awareness is hurting companies. Cyber risk insurance is necessary, but knowing your own risk exposure is crucial to managing this risk mitigation/transference mechanism.

Insurance Application

Take cyber risk insurance application self-assessments very seriously. There have been legal cases that saw insurers using inaccuracies in the self-assessment to deny claims or cancel policies.

Understand Coverage

General liability may no longer cover cyber security incidents, since standalone cyber risk policies are more specific. This is good for the insured, as it will “nail down” coverage.

Risk Transference

Risk elimination is impossible, and risk mitigation or avoidance may focus more on the IT infrastructure. Transferring risk to insurance companies and cyber security vendors is one option that has to be on the table.

“General cybersecurity awareness across the board is continually increasing, and there’s no reason to believe that will change,” Reber added. “As this awareness reaches new heights in 2019, more companies will buy cyber insurance coverage.”