The right coverage can help soften the blow of a data breach. But don't expect to be bailed out if your security plan is flawed.
When Sony Pictures disclosed last November that hackers had plundered its networks and accessed virtually all of its data assets, loss estimates for the company ran from the tens of millions of dollars to the hundreds of millions. Similar data breaches at TJX and Heartland had cost each company well over $100 million, and there was little to indicate that Sony would fare any better.
So when CEO Michael Lynton disclosed in a media interview earlier this year that Sony's intrusion-related costs would be almost entirely paid for by insurers, the news renewed attention on the topic of cyber insurance in a major way.
It was one of the few times that a victim of a major data breach had publicly talked about how an insurance policy had actually helped offset the cost of the breach. In a sense, Lynton's comments were a message to skeptics that cyber policies aren't a waste of time and money — they can actually soften the financial blow of a security incident. And while some have questioned whether the $60 million or so that Sony is believed to have in cyber insurance will be enough to cover the company's full losses, the breach has raised awareness about cyber insurance.
Analyst firm Gartner defines cyber insurance as protection against losses stemming from data theft and data loss, or business interruptions caused by malware or a computer malfunction. Covered under the definition are losses attributable to fines and lost income as a result of a network intrusion or security breach.
"Cybersecurity policies provide necessary coverage for claims of loss or theft of personally identifiable information and other sensitive information," says Chris Pierson, general counsel and chief security officer at Viewpost, a supplier of online invoicing and payment platforms.
Cyber insurance provides funds for crisis management, media and intellectual property claims that fall under a media liability policy, and privacy claims. "These types of coverage are no longer part of an ad hoc protection scheme, but are more and more an expected part of a well-governed and risk-controlled environment," Pierson says.
A new era, with surging demand
Policies for protecting companies against cyber losses have been available for several years. But it is only with the recent breaches at Sony, Target, Home Depot, JPMorgan Chase and elsewhere that interest in such policies has begun to pick up, says Kevin Kalinich, global practice leader for cyber risk at insurer Aon Risk Solutions.
The staggering costs associated with data compromises are driving more companies to seriously consider cyber insurance, and plenty of insurers are stepping in to meet the demand. Kalinich estimates that more than 65 companies cover a broad range of cyber losses for companies of all sizes.
Estimates of the overall market for cyber insurance range between $2 billion and $4 billion. That's infinitesimally small compared to the general insurance market, where net premiums total $1 trillion, according to the Insurance Information Institute. Yet, the growth has been impressive, according to Kalinich.
Prices for cyber insurance run the gamut. Businesses with revenue of less than $20 million can get cyber coverage as part of their business owner's policies or general liability policies. Such companies can get coverage of up to $5 million for premiums ranging from $1,000 to $7,500 per $1 million of coverage, Kalinich says.
Companies with $20 million to $1 billion in revenue can get coverage for higher limits, but the premiums are higher as well, ranging from $5,000 to $25,000 for every $1 million in coverage. Large enterprises can get cyber insurance coverage of between $200 million and $300 million for premiums between $10,000 and $75,000 per $1 million worth of coverage.
IT can play a role in assessing a company's cyber insurance needs by identifying systems that are critical to business operations, such as those handling customer transactions or applications like email, says Richard Stiennon, principal analyst at security consultancy IT-Harvest. "Just as IT develops a disaster recovery plan for critical assets, they should supply a replacement cost for assets that could be compromised or destroyed in a cyberattack, along with [an estimate of] the time it would take to restore those systems," he says.
The IT organization can also help business people generally understand threats to critical assets and the potential consequences of a major data compromise, Kalinich adds.
Here are five points to keep in mind as you consider your cyber insurance options.
1. Insurance isn't a proxy for security
An organization should consider cyber insurance only after it has deployed all recommended security controls for its environment.
"You shouldn't even think of cyber insurance until you have implemented security best practices," says Stiennon.
"You need to have all your vulnerability management, patching, intrusion-detection and other systems in place" before calling an insurance company, he says. "Cyber insurance should be viewed as this last coverage against the unknown."
In other words, cyber insurance isn't for organizations rolling the dice with security, says David Jordan, chief information security officer for the government of Virginia's Arlington County. Think of it as a rainy day fund for lapses that may be inevitable even if you're doing everything right, he says.
Organizations with technology or skills gaps are better off investing in those areas first before spending money on insurance, he says. Insurance companies will either refuse to cover companies that don't demonstrate security due diligence, or they will attach costly exclusions, caveats and upfront deductibles to their policies.
"Insurance companies are in business to make money. They are not in business to bail you out because you did a crappy job on security," Jordan says.
2. Look beyond the quote sheets
When purchasing insurance coverage for data breaches, pay attention to the fine print. Cyber insurance is an emerging field, and insurers don't yet have a body of historical data to rely on when issuing policies, experts say. Policies that indemnify holders against losses due to cyberthreats are far less standardized than policies for other types of insurance. They often contain caveats and exceptions, making the coverage less comprehensive than it might appear on a quote sheet.
"My experience has been that companies will only look at the quote sheets from the insurer or broker to determine the level of coverage," says John Wheeler, an analyst at Gartner. "However, cyber insurance policies are currently underwritten on an individualized basis, since most insurers do not have broad claims data to support actuarial analysis required for standardizing these policies."
Insurance underwriters will often include coverage sublimits, or exclusions that pertain specifically to the risk profile of the company seeking the insurance, Wheeler says. When a business submits a policy application, the insurance company will use the information contained in the application to identify risks or gaps in the company's security practices, he says.
"The insurer will include the policy application as an addendum to the policy, so that if any discrepancies are discovered when a claim is made, the claim can be denied or the policy nullified," Wheeler says.
3. Know your exposure
The Sony breach showed that organizations risk losing a lot more than financial data and personally identifiable information in a data breach. Malicious intrusions can result in the exposure of trade secrets and intellectual property, and in disruptions to an organization's supply chain, customer service operations and critical functions.
It may not be possible to put dollar figures on every problem associated with a breach, but a risk that can't be precisely priced still belongs in the exposure assessment, Kalinich says. When considering cyber insurance, risk managers need to look beyond breach notification costs, expenses associated with patching systems and similar costs. They also need to consider what would happen if a critical system were down for an hour, or two hours, and the ramifications of a 10% slowdown in system performance, and how the situation would be exacerbated if performance declined by 50%.
"What we are saying is, try to value your tangible assets and the intangible assets," Kalinich says. "Exposure is not just limited to the data. It has to do with critical operational issues as well."
Certain types of breaches — like the one at Sony, the one that compromised security vendor RSA's core encryption technology and the one at security firm HBGary — show how malicious intrusions can expose far more than just financial and personal data, Stiennon says. In some cases, cyber incidents can even put a company out of business, especially small and midsize ones, he says.
Insurers often don't want to cover threats to infrastructure and those that target an organization's very ability to operate. But risk managers need to be aware of such threats when purchasing cyber insurance, Stiennon says.
Ultimately, knowing how much insurance to buy should be based on an estimate of the potential losses caused by any one event and the likelihood that the event will occur, Pierson says.
"We generally see coverage for between $5 million and $10 million as the more expected starting amounts that will begin to cover an incident. This will not mitigate a larger breach, but it goes a long way to cover immediate losses," says Pierson.
4. Understand what insurers want
Because of growing demand, cyber risk insurance has become a lucrative and increasingly competitive product for insurers, says Rick Dakin, CEO of Coalfire, a company that conducts security audits and assessments for insurers and for customers in financial services, healthcare, government and other sectors. But as recent breaches have demonstrated, potential claims can be tremendous. So insurers are being forced to develop much more sophisticated programs to help them gather information for making underwriting decisions, Dakin says.
Several are gathering historical and actuarial data to better align coverage and limits with premiums, Dakin says. "Many are developing programs to evaluate their clients and give them credit for having safeguards in place to reduce risk," he says.
But no two businesses are the same when it comes to cyber insurance, he says, and that makes it difficult to devise policies and set premiums. In comparison, the traditional property and casualty insurance business involves a fairly straightforward process of determining the value of a building and verifying that it is up to code, has a tested sprinkler system and is equipped with locks and alarms, for example.
"Cyber insurers have a more difficult problem," Dakin says. Therefore, "many now conduct evaluations, some paid for by the insured, to make sure that IT policies are in place relevant to the insured operations and industry."
5. Know how to minimize deductibles
Having a rigorous and properly vetted cybersecurity program can go a long way toward keeping deductibles and insurance premiums at manageable levels. "Not only will an insurer likely give the insured credit for this with reduced premiums or increased limits, but the potential for even filing a claim is reduced," Dakin says. Enterprises can help themselves by keeping data collection to a minimum and ensuring that all personally identifiable information collected is properly stored and disposed of.
Organizations that lack the resources or the ability to keep sensitive data safe should consider using hosted systems from service providers, Dakin says.
Because insurance costs vary widely, companies must shop around and use a broker or trusted resource to navigate the options, Pierson adds. "The key here is to spend wisely on a policy that does not have a lot of exemptions and covers your most likely issues," he says. "No matter what policy, it is advantageous to an applicant to demonstrate their commitment to security through yearly certifications and audits."