Cyber insurance is a great investment, but can’t solve all security needs

As nascent industry grows, take time to understand policy options and risk exposure


In the past couple of years there’s been a significant uptick in talk about cyber insurance. This comes as no surprise, as risk has risen well beyond manageable levels and the costs associated with breaches now impact bottom lines. The breach that hit Target in 2013 drove damages that exceeded $290 million. The attack on Sony dismantled the release of a major motion picture and led to the termination of at least one top executive.

Investments in skilled personnel and technologies that include everything from firewalls to anti-virus to threat intelligence platforms will continue to provide the best returns when it comes to reducing risk. However, cyber insurance also can be a valuable tool to help address risk. It could be especially useful when gaps exist that are too hard or too expensive to address via other means.


Understanding available options and your organization’s overall risk exposure are keys to knowing which cyber insurance path to follow.

Know what’s covered

There currently are no “standard” cyber insurance policies available. As a result, the specific policy options available may vary between carriers and industries.

Typical policies focus on covering first-party risk, where organizations are vulnerable to losses caused by attacks or breaches. Costs to first parties can come in many forms, including losses driven by business disruption, regulatory fines and other parties that seek to recover related damages.

Before investing your organization’s money in a policy, it is critical to understand specifics. You’ll want to know what exclusions exist, what the time period is that the policy covers, and the types of damages your carrier would compensate your organization for after an incident has occurred.

Insurers typically won’t cover damages inflicted by “foreign enemies” or caused by “acts of terrorism.” Exclusions such as these could make it extremely difficult for any organization to receive compensation. Because attribution is difficult at best, you should make sure you understand how the insurance company you are considering determines if an attack was an act of terrorism or carried out by a foreign enemy.

It is extremely important to know when coverage begins and what the time period is that it covers. If an attacker is in your network prior to the effective date of a policy, it may be difficult at best to collect compensation, as most policies will not cover incidents that took place prior to their effective dates. Whether or not your organization could offset the cost of an attack that took place in the past is extremely important, especially when you consider the normally high “dwell time” the bad guys remain inside of systems before being discovered.

There are damages that insurance providers cannot and will not cover—things like impact to reputation and future business losses that might occur as a result of an incident. And, there are limits to compensation amounts available. Depending on the risk being offset, even going through multiple policy carriers may not yield enough coverage to mitigate losses. Remember the Target example? That retailer was able to obtain $100 million in coverage by going through multiple carriers prior to its breach, which didn’t even cover half of the $290 million it lost.

Understand risk

The market for cyber insurance has been around for several years, but it is still far from mature. Underwriters are new to the cyber risk field, likely suffering from the same level of threat information overload that most organizations are experiencing, and probably finding that it is very difficult to accurately assess risk.

Insurance companies use a variety of tools, questionnaires and other techniques to assess risk levels prior to approving policies. However, don’t allow your organization’s premiums to be established based solely on carriers’ assessments.

Before you engage with a carrier, know what your organization’s risk levels are, how mature its security programs are, and what tools are in place to defend against attacks.

To make the most of an insurance investment, have solid programs in place providing things like vulnerability management, threat intelligence and perimeter defense. You also should conduct periodic third-party assessments that will assist with understanding your organization’s gaps and what can be done to close them.

If you don’t know the status of your organization’s security posture and what tools are in place, then you could put your organization at the mercy of underwriters’ assessments, which could lead to overpriced premiums or outright rejection.

Security first

There are numerous indicators showing that cyber insurance demand will rise significantly in a short period. PricewaterhouseCoopers estimates that annual gross written premiums will triple to $7.5 billion by 2020 from $2.5 billion in 2014. These estimates may indicate that the collective thought among enterprise security and risk professionals is that cyber insurance is a good idea, but it is important to remember that cyber insurance and security aren’t the same things.

When it comes to security, your organization’s highest priorities should continue to be focused on employing the right talent, ensuring effective communication, developing a security-focused culture, and having in place basic technologies known to provide effective defense.

Most important, though, is to always place security first. All of the cyber insurance in the world can’t actually defend your organization from advanced cyber threats, attackers, malicious insiders and heavily backed nation-state actors.
