The right coverage can help soften the blow of a data breach. But don't expect to be bailed out if your security plan is flawed.
When Sony Pictures disclosed last November that hackers had plundered its networks and accessed virtually all of its data assets, loss estimates for the company ran from the tens of millions of dollars to the hundreds of millions. Similar data breaches at TJX and Heartland had cost each company well over $100 million, and there was little to indicate that Sony would fare any better.
So when CEO Michael Lynton disclosed in a media interview earlier this year that Sony's intrusion-related costs would be almost entirely paid for by insurers, the news renewed attention on the topic of cyber insurance in a major way.
It was one of the few
times that a victim of a major data breach had publicly talked about how an
insurance policy had actually helped offset the cost of the breach. In a sense,
Lynton's comments were a message to skeptics that cyber policies aren't a waste
of time and money — they can actually soften the financial blow of a security
incident. And while some have questioned whether the $60 million or so that
Sony is believed to have in cyber insurance will be enough to cover the
company's full losses, the breach has raised awareness about cyber insurance.
Analyst firm Gartner
defines cyber insurance as protection against losses stemming from data theft
and data loss, or business interruptions caused by malware or a computer
malfunction. Covered under the definition are losses attributable to fines and
lost income as a result of a network intrusion or security breach.
"Cybersecurity
policies provide necessary coverage for claims of loss or theft of personally
identifiable information and other sensitive information," says Chris
Pierson, general counsel and chief security officer at Viewpost,
a supplier of online invoicing and payment platforms.
Cyber insurance provides
funds for crisis management, media and intellectual property claims that fall
under a media liability policy, and privacy claims. "These types of
coverage are no longer part of an ad hoc protection scheme, but are more and
more an expected part of a well-governed and risk-controlled environment,"
Pierson says.
A new era, with surging demand
Policies for protecting companies against cyber losses have been available for several years. But it is only with the recent breaches at Sony, Target, Home Depot, JPMorgan Chase and elsewhere that interest in such policies has begun to pick up, says Kevin Kalinich, global practice leader for cyber risk at insurer Aon Risk Solutions.
The staggering costs
associated with data compromises are driving more companies to seriously
consider cyber insurance, and plenty of insurers are stepping in to meet the
demand. Kalinich estimates that more than 65 companies cover a broad range of
cyber losses for companies of all sizes.
Estimates of the overall
market for cyber insurance range between $2 billion and $4 billion. That's
infinitesimally small compared to the general insurance market, where net
premiums total $1 trillion, according to the Insurance Information Institute.
Yet, the growth has been impressive, according to Kalinich.
Prices for cyber
insurance run the gamut. Businesses with revenue of less than $20 million can
get cyber coverage as part of their business owner's policies or general
liability policies. Such companies can get coverage of up to $5 million for
premiums ranging from $1,000 to $7,500 per $1 million of coverage, Kalinich
says.
Companies with $20
million to $1 billion in revenue can get coverage for higher limits, but the
premiums are higher as well, ranging from $5,000 to $25,000 for every $1
million in coverage. Large enterprises can get cyber insurance coverage of
between $200 million and $300 million for premiums between $10,000 and $75,000
per $1 million worth of coverage.
IT can play a role in
assessing a company's cyber insurance needs by identifying systems that are
critical to business operations, such as those handling customer transactions
or applications like email, says Richard Stiennon, principal analyst at
security consultancy IT-Harvest. "Just as IT develops a
disaster recovery plan for critical assets, they should supply a replacement
cost for assets that could be compromised or destroyed in a cyberattack, along
with [an estimate of] the time it would take to restore those systems," he
says.
The IT organization can
also help business people generally understand threats to critical assets and
the potential consequences of a major data compromise, Kalinich adds.
Here are five points to
keep in mind as you consider your cyber insurance options.
1. Insurance isn't a proxy for security
An organization should
consider cyber insurance only after it has deployed all recommended security
controls for its environment.
"You shouldn't even
think of cyber insurance until you have implemented security best
practices," says Stiennon.
"You need to have
all your vulnerability management, patching, intrusion-detection and other
systems in place" before calling an insurance company, he says.
"Cyber insurance should be viewed as this last coverage against the
unknown."
In other words, cyber
insurance isn't for organizations rolling the dice with security, says David
Jordan, chief information security officer for the government of Virginia's
Arlington County. Think of it as a rainy day fund for lapses that
may be inevitable even if you're doing everything right, he says.
Organizations with
technology or skills gaps are better off investing in those areas first before
spending money on insurance, he says. Insurance companies will either refuse to
cover companies that don't demonstrate security due diligence, or they will
attach costly exclusions, caveats and upfront deductibles to their policies.
"Insurance
companies are in business to make money. They are not in business to bail you
out because you did a crappy job on security," Jordan says.
2. Look beyond the quote sheets
When purchasing
insurance coverage for data breaches, pay attention to the fine print. Cyber
insurance is an emerging field, and insurers don't yet have a body of
historical data to rely on when issuing policies, experts say. Policies that
indemnify holders against losses due to cyberthreats are far less standardized
than policies for other types of insurance. They often contain caveats and exceptions,
making the coverage less comprehensive than it might appear on a quote sheet.
"My experience has been that companies will only look at the quote sheets from the insurer or broker to determine the level of coverage," says John Wheeler, an analyst at Gartner. "However, cyber insurance policies are currently underwritten on an individualized basis, since most insurers do not have broad claims data to support actuarial analysis required for standardizing these policies."
Insurance underwriters
will often include coverage sublimits, or exclusions that pertain specifically
to the risk profile of the company seeking the insurance, Wheeler says. When a
business submits a policy application, the insurance company will use the
information contained in the application to identify risks or gaps in the
company's security practices, he says.
"The insurer will
include the policy application as an addendum to the policy, so that if any
discrepancies are discovered when a claim is made, the claim can be denied or
the policy nullified," Wheeler says.
3. Know your exposure
The Sony breach showed
that organizations risk losing a lot more than financial data and personally
identifiable information in a data breach. Malicious intrusions can result in
the exposure of trade secrets and intellectual property, and in disruptions to
an organization's supply chain, customer service operations and critical
functions.
It may not be possible
to put dollar figures on all problems associated with breaches, but that
doesn't mean certain risks don't count as vulnerabilities, Kalinich says. When
considering cyber insurance, risk managers need to look beyond breach
notification costs, expenses associated with patching systems and similar
costs. They also need to consider issues like what would happen if a critical
system were down for an hour, or two hours. Or the ramifications of a 10%
slowdown in system performance — and, say, how the situation would be
exacerbated if performance declined by 50%.
"What we are saying
is, try to value your tangible assets and the intangible assets," Kalinich
says. "Exposure is not just limited to the data. It has to do with
critical operational issues as well."
Certain types of breaches — like the one at Sony, the one that compromised security vendor RSA's core encryption technology and the one at security firm HBGary — show how malicious intrusions can expose far more than just financial and personal data, Stiennon says. In some cases, cyber incidents can even put a company out of business, especially small and midsize ones, he says.
Insurers often don't
want to cover threats to infrastructure and those that target an organization's
very ability to operate. But risk managers need to be aware of such threats
when purchasing cyber insurance, Stiennon says.
Ultimately, knowing how
much insurance to buy should be based on an estimate of the potential losses
caused by any one event and the likelihood that the event will occur, Pierson
says.
"We generally see
coverage for between $5 million and $10 million as the more expected starting
amounts that will begin to cover an incident. This will not mitigate a larger
breach, but it goes a long way to cover immediate losses," says Pierson.
4. Understand what insurers want
Because of growing
demand, cyber risk insurance has become a lucrative and increasingly
competitive product for insurers, says Rick Dakin, CEO of Coalfire, a company
that conducts security audits and assessments for insurers and for customers in
financial services, healthcare, government and other sectors. But as recent
breaches have demonstrated, potential claims can be tremendous. So insurers are
being forced to develop much more sophisticated programs to help them gather
information for making underwriting decisions, Dakin says.
Several are gathering
historical and actuarial data to better align coverage and limits with
premiums, Dakin says. "Many are developing programs to evaluate their
clients and give them credit for having safeguards in place to reduce
risk," he says.
But no two businesses
are the same when it comes to cyber insurance, he says, and that makes it
difficult to devise policies and set premiums. In comparison, the traditional
property and casualty insurance business involves a fairly straightforward
process of determining the value of a building and verifying that it is up to
code, has a tested sprinkler system and is equipped with locks and alarms, for
example.
"Cyber insurers
have a more difficult problem," Dakin says. Therefore, "many now
conduct evaluations, some paid for by the insured, to make sure that IT
policies are in place relevant to the insured operations and industry."
5. Know how to minimize deductibles
Having a rigorous and
properly vetted cybersecurity program can go a long way toward keeping
deductibles and insurance premiums at manageable levels. "Not only will an
insurer likely give the insured credit for this with reduced premiums or
increased limits, but the potential for even filing a claim is reduced,"
Dakin says. Enterprises can help themselves by keeping data collection to a
minimum and ensuring that all personally identifiable information collected is
properly stored and disposed of.
Organizations that lack
the resources or the ability to keep sensitive data safe should consider using
hosted systems from service providers, Dakin says.
Because insurance costs
vary widely, companies must shop around and use a broker or trusted resource to
navigate the options, Pierson adds. "The key here is to spend wisely on a
policy that does not have a lot of exemptions and covers your most likely
issues," he says. "No matter what policy, it is advantageous to an
applicant to demonstrate their commitment to security through yearly
certifications and audits."