Now’s the time for insurers to develop meaningful cyber liability policies

Industry must step up competition, speak common language, create risk profiles to attract buyers

Uncertainty about several key variables appears to be causing U.S. businesses and insurance companies to move cautiously into the much-heralded, though still nascent, market for cyber liability policies.

Insurers continue to be reluctant to make policies more broadly available. The big excuse: Industry officials contend there is a relative lack of historical data around cyber incidents, and they also bemoan the constantly evolving nature of cyber threats.

This assessment comes in a report from the Deloitte Center for Financial Services titled “Demystifying Cyber Insurance Coverage: Clearing Obstacles in a Problematic But Promising Growth Market.”

“Insurers don’t have sufficient data to write coverage extensively with confidence,” says Sam Friedman, insurance research leader at Deloitte.

But the train is about to leave, and some of the stalwarts who shaped the insurance business into the ultraconservative (read: resistant to change) sector it has become could very well be left standing at the station.

Consider that regulations imposing tighter data handling and privacy protection requirements are coming in waves. Just peek at the New York Department of Financial Services’ newly minted cybersecurity requirements, or Europe’s recently revamped General Data Protection Regulation.

With cyber threats on a steadily intensifying curve, other jurisdictions are sure to jump on the regulation bandwagon, which means the impetus to make cyber liability coverage a standard part of everyday business operations will only increase.

Meanwhile, cybersecurity entrepreneurs, backed by savvy venture capitalists, are moving aggressively to eliminate the weak excuse that there isn’t enough data available to triangulate complex cyber risks. In fact, the opposite is true.

Modern-day security systems, such as anti-virus suites, firewalls, intrusion detection systems, malware sandboxes and SIEMs, generate mountains of data about the security health of business networks. And the threat intelligence systems designed to translate this data into useful operational intelligence are getting more sophisticated all the time.

And while large enterprises tend to have the latest and greatest of everything in house, even small and medium-size businesses can access cutting-edge security systems through managed security services providers.

Meanwhile, big investment bets are being made in a race to be the first to figure out how to direct threat intelligence technologies to the task of deriving the cyber risk actuarial tables that will permit underwriters and insurers to sleep well at night. One cybersecurity vendor to watch in this arena is Tel Aviv, Israel-based InnoSec.

“Cyber insurance policies are being given out using primitive means, and there’s no differentiation between policies,” observes InnoSec CEO Ariel Evans. “It’s completely noncompetitive and solely aimed right now at the Fortune 2000. Once regulation catches up with this, cyber insurance is going to be required. This is around the corner.”

InnoSec was busy developing systems to assess the compliance status and overall network health of companies involved in merger and acquisition deals. It now has shifted to seeking ways to apply those network assessment approaches to the emerging cyber insurance market.

At the moment, according to Deloitte’s report, that market is tepid, at best. While some have predicted U.S. cyber insurance sales will double and even triple over the next few years to reach $20 billion by 2025, cyber policies currently generate only between $1.5 billion and $3 billion in annual premiums.

Those with coverage in minority

As of last October, just 29 percent of U.S. businesses had purchased cyber insurance coverage despite the rising profile of cyber risk, according to the Deloitte report. Such policies typically cover first- and third-party claims related to damages caused by a breach of personally identifiable information or some derivative, says Adam Thomas, co-author of the Deloitte report and a principal at the firm. In some cases, such policies also might cover business disruption associated with a cyber incident.

The insurance industry contends it needs more businesses to buy higher-end standalone cyber insurance policies, until such time as enough claims data can be collected to build reliable models, much as was done with the development of auto, life and natural disaster policies.

But businesses, in turn, aren’t buying cyber policies in enough numbers because insurers are adding restrictions to coverage and putting fairly low limits on policies to keep exposure under control. “It is a vicious cycle,” Friedman says.

“Insurers recognize that there is a growth opportunity, and they don’t want to be left out of it,” he says. “On the other hand, they don’t want to take more risk than they can swallow.”

While the insurance industry gazes at its navel, industry analysts and cybersecurity experts say the big challenge, and opportunity, is for underwriters and insurers to figure out how to offer all businesses, especially small- and medium-size companies, more granular kinds of cyber policies that actually account for risk and provide value to the paying customers.

“What they’re doing now is what I call the neighbor method,” InnoSec’s Evans says. “You’re a bank, so I’ll offer you a $100 million policy for $10 million. The next guy, he’s a bank, so I’m going to offer him a $100 million policy for $10 million. It has nothing to do with risk. The only place this is done is with cyber.”

Talk in same terms

This is due, in part, to a lack of standard terminology used to describe cyber insurance-related matters, says Chip Block, vice president of Evolver, a company that provides IT services to the federal government. The SANS Institute, a well-respected cybersecurity think tank and training center, last year put out a report that drills down on the terminology conundrum, including recommendations on how to resolve it, titled “Bridging the Insurance/Infosec Gap.”

And the policies themselves have been another factor. “If you compare car insurance from Allstate and Geico, a majority of the policies are relatively the same,” Block says. “We haven’t gotten to that point in cyber. If you go from one underwriter to another, there is no common understanding of the terminology.”

Understandably, this has made it hard for the buyer to compare policies or to determine the relative merits of one policy over the other. Block agrees that cyber policies today generally do not differentiate based on risk profile, so a company that practices good cyber hygiene is likely to see no difference in premiums as compared to one that doesn’t.

Industry must get moving

InnoSec’s Evans argues that even though cybersecurity is complex, the technology, as well as best practices policies and procedures, are readily available to solve the baseline challenges. What is lacking is initiative on the part of the insurance industry to bring these components to bear on the emerging market.

“This is absolutely possible to do,” she says. “We understand how to do it.”

Putting technological solutions aside, there is an even more obvious path to take, Friedman argues. Resolve the terminology confusion and there is little stopping underwriters and insurers from crafting and marketing cyber policies based on meeting certain levels of network security best-practice standards, he says.

“You look at an organization’s ability to be secure, their ability to detect intrusions, how quickly they can react, and how much they can limit their damage,” he says. “In fact, insurers should go beyond just offering a risk transfer mechanism and be more aggressive in helping customers assess risk and their ability to manage and prevent.”

Thomas pointed to how an insurance company writing a property policy for a commercial building might send an engineering team to inspect the building and make safety recommendations. The same approach needs to be taken for cyber insurance, he says.

“The goal is to make the insured a better risk for me,” he says.
