The threat landscape has been expanding rapidly, and companies are under immense pressure to respond. A lot of companies are investing in trying to prevent attacks, but as evidenced by the massive influx of data breaches and cyberattacks, it’s impossible for a company to predict 100% of possible attacks. That’s where an emerging market is coming in: cyber insurance.
According to Accenture’s 2019 Cost of Cybercrime study, almost 80% of organizations introduce innovation to their organization faster than they can secure it. They found that the number of cyberattacks increased by 11% over the last year, and by 67% over the past five years. Further, the average cost of cybercrime was $13 million in 2018.
According to Jack Kudale, CEO of cyber insurance provider Cowbell Cyber, cyber insurance deals with the period after an attack, as opposed to the period before it, which is where cybersecurity tools would come in. The main functions of the cybersecurity market, he explained, deal with preventing and detecting cyber attacks. Cyber insurance focuses on responding to and recovering from an attack.
Brian Gill, co-founder of data recovery and digital forensics company Gillware, believes there are three main reasons to use cyber insurance: maintaining the business reputation, financial protection, and crisis containment.
Cyber insurers can help a company maintain its reputation following a data breach by providing third-party experts to help mitigate damages, Gill explained.
Financially, coverage under one of these policies can include reimbursement for ransomware attacks, compensation of loss of income or earnings due to a cyber breach, and even coverage of fines for compliance penalties.
In addition, according to Gill, many insurers also offer extras such as third-party security experts or a press officer who can handle timely external communication to help with crisis containment.
Jim Hansen, president & COO of security company Swimlane, explained that offsetting risk using insurance coverage is both a “potent and cost-effective strategy.” He believes that it has the biggest impact on smaller firms. This is because many small businesses don’t have access to resources like mature IT management and dedicated security staff. “A well-structured cyber insurance policy can provide access to experts as well as the financial coverage for costs and damages,” said Hansen.
He recounts an experience of a friend he advised who owns a small business. The business suspected a breach, but luckily had a cyber insurance policy in place. “Within hours of notification, he had access to incident response experts who arranged to come onsite and start a professional response process,” said Hansen. “The policy also provided access to top-notch legal counsel to manage the effort and be ready for tackling breach notification. Thankfully, that service was not required as the response team did not find any evidence of a breach. The impact to the business was some lost time for the management and their IT contractor and financially a fairly small deductible. If my friend didn’t have this policy in place, the consequences could have been tens of thousands in direct costs plus the significantly degrading response as he tried to find the right experts to help out. If there actually had been a breach the costs could have destroyed the business.”
A knowledge gap between insurers and policyholders
One of the biggest challenges with cyber insurance is that there is often a gap in coverage due to a mismatch between insurer and policyholder. According to Kudale, many insurers don’t have the technical expertise to know what needs to be covered, which can lead to companies being either over- or under-insured.
Besides the lack of technical knowledge, cyber insurance also suffers from not having a “heat map” like traditional personal, auto, or home insurance.
“Unlike every other form of insurable risk, a view has prevailed that cyber risk is just too complex to quantify because we don’t have sufficient contextual loss event data,” explained Simon Mavell, partner at Acuity Risk Management.
Kudale recommends that when seeking out a policy, companies look for insurers that are digitally savvy and will use data and analytics to tailor coverage specifically for their needs. Insurers also need to be more transparent in their approach to risk assessment. He believes that cyber insurers should make all collected risk insights available to policyholders in order to help them improve their security posture.
To help alleviate the issue of a coverage gap with cyber insurance, the Object Management Group (OMG) is working to develop standards and practices for cyber insurance. OMG recently released a Cyber Insurance Request for Information (RFI) to achieve this.
The RFI will help provide a roadmap to help users select the best coverage for their level of business risk, OMG explained.
“Cloud service agreements that rely on service-based credits and defer risk through indemnification clauses no longer meet customer needs. Still in its infancy, the cyber insurance market is far too diverse and difficult to navigate,” said Tim Cavanaugh, co-author of the RFI and CISO at Maiden Global Servicing Co. “Both public and private sector need a better understanding of this emerging market to address their cyber risk. Just as importantly, the insurers need to better understand the value behind certifications, cybersecurity control audits and assessments to improve their actuarial and underwriting functions to address the market.”
The deadline for responding to this RFI is March 9.
A new market that is expected to grow
Cyber insurance is still a relatively new idea in the world of insurance, and the first cyber liability policy was not available until 2000, Kudale explained. Prior to then, cyber coverage was often provided as an add-on to other policies, often in the form of “Errors and Omissions,” he said.
Kudale explained that the cyber insurance market has grown exponentially over the past decade. He believes that growth will continue over the next decade.
Allied Market Research backs up that prediction of growth. They expect that the cyber insurance market will reach $14 billion by 2022, which is a compound annual growth rate (CAGR) of 28% between 2016 and 2022.
Kudale believes cyber insurance will continue to grow because of something known as “selective risk transfer strategy.” This means that rather than investing in prevention tools, companies are transferring some of their risks to policies that may help cover financial losses.
According to Kudale, companies in certain industries can be more selective with their risk transfer strategy than others. For example, a data breach in healthcare would be more expensive on a per lost record basis than a breach in construction.
Use insurance only as a supplement to your security strategy, not the entire strategy
Many experts, however, believe that it’s important to have a cybersecurity strategy in addition to cyber insurance. Cyber insurance should only be there as a backup for the worst case scenarios; preventing issues in the first place should still be a top priority for companies.
Lev Barinsky, CEO of insurance marketplace SmartFinancial, believes companies should be investing in both technology to prevent an attack and cyber insurance. “You can’t just do one or the other. Hackers today are sophisticated and will learn their way around new layers of protection. It’s a bit like whack-a-mole. Minimizing losses is the best you can do, and it means covering bases on both fronts.”
Chris Noles, technology advisor and president of managed IT company Beyond Computer Solutions, agrees that insurance is not a substitute for good security and maintenance. “The right strategy is to implement the right cybersecurity tools and computer hygiene and have a cybersecurity insurance policy to cover an incident in case something bad happens anyway,” he said.
Noles also added that some cyber insurance policies won’t even cover an incident if it is discovered your company did not take the proper preventative measures.
“A good cybersecurity insurance policy should be used to help cover the cost of a catastrophe and not be used as a substitute for having a strategy to keep your systems updated and protected,” said Noles. “You wouldn’t leave your doors and windows unlocked just because you have a home owners’ insurance policy, would you? Treat your cybersecurity insurance policy the same way.”