Any mention of insurance conjures thoughts of health, life, homeowners, workers comp, and car insurance. Each of these insurance categories is fully developed and has a sophisticated underwriting process. The market for these types of insurance is driven by a common calculus: does the cost of a single—usually unforeseeable—trigger event outweigh premium costs? The resounding yes to this question is illustrated by the sheer market size of each of these insurance segments and by the importance that consumers place on this kind of insurance as part of an employment package or in managing their cost-of-living expenses.
But in a world where most households (and businesses) transact their insured affairs electronically—car payments, doctors' appointments, home improvements, and all the related data—how can an individual, family, or corporation manage its affairs to minimise the risk of an unforeseeable event that would jeopardise critical data and information? This is where the lesser known, but all-encompassing, market of cyber-insurance plays a crucial role in the insurance economy. There are crucial differences between the cyber-insurance market and other insurance markets, principally that the unforeseeable event or risk being insured against is a cyber attack, and this creates.
Unlike other insurance categories, which have many kinds of risks and events that can represent a trigger event, cyber-insurance is dedicated to the serious, and ever increasing, risk of cyber attack. For individuals and households, there are a few very dynamic companies which have built products and technologies to protect the home against a cyber attack. Technology, in effect, can be the insurance policy; for at-home consumers the effectiveness is compelling. Enterprises also have systems they can—and should—obtain to protect against a cyber attack, and the threshold question of weighing system cost against the cost of the risk coming to fruition will always resolve itself in favour of investing in a sophisticated system to protect against cyber attack. As part of a risk management strategy, companies of all shapes and sizes must periodically determine which risks to guard against with systems and which risks to accept or transfer. Cyber insurance is the mechanism for a CIO to transfer risks from system vulnerabilities that may be exploited by hackers, criminals, terrorists, other entities or political actors on behalf of a country. How can a CIO determine that this kind of risk would justify the investment in a comprehensive policy?
What is a data breach?
As a threshold question, CIOs need to develop a precise understanding of what constitutes a data breach. In 2002 California became the first jurisdiction in the world to require notification of individuals about breaches of some types of their personal information. Generally, a breach is construed as unauthorised access to or acquisition of unencrypted notice-triggering personal information that compromises the integrity, confidentiality or security of that information, or instigates a cognisable harm. The evolution of notification laws in the spirit of the California law made these types of incidents public, as well as an evaluation of their costs, and (since they involved personal information and threats of identity theft and the associated fraud) offered valuable warnings to assist potential victims in protecting themselves against breaches. It is important to note that incidents involving attacks that resulted in theft of data or other assets but were not notice-triggering, or attacks that brought down information systems or made critical data unavailable, received less popular attention.
Organisations' information security programs typically define levels of incident seriousness and response that go beyond what legislation requires. As a general rule, corporate security processes have evolved more rapidly than the law can, and compliance programs have moved beyond preventive safeguards to more adaptive programs that respond to dynamic risks, shifting the focus to detection and response as well as prevention.
The Diversity of Security Incidents and Response Strategies
In constructing security programs and coverages that will offer the appropriate level of protection, it is crucial to understand that security incidents are more than leaks of personal data. Assessing the harm associated with security incidents requires an examination of the many kinds of incidents now encountered and the various approaches to preventing or avoiding those harms. Some data security incidents include:
- Credit card breach: This may be the most preventable breach, provided companies are able to get customers watching their accounts and to prevent the harm by getting them to change the card numbers at the first sign of any misuse. Ultimately there are legal limits on consumer liability, and the major card brands have zero-liability policies. This is not to say that companies have not managed to cause some consumer harm in this area, but this is harm that is easily preventable if notice of the initial breach is given.
- Email breaches: Email breaches are generally not notice-triggering events, but the harm associated with breaches of email addresses is similarly manageable to the harm of credit card breaches, provided effective warnings are delivered. Email breaches do not involve the same level of protection as credit card breaches, where the consumer is protected by law and zero-liability policies; the harm caused by email address breaches may be far-reaching and widespread, depending on the circumstances, since email addresses may be used in social engineering attacks. Preventing harm is harder after an email breach than after a credit card breach because of the effectiveness of phishing attacks, but harm can still be prevented and managed.
- Unpreventable harm: There is a type of personal information data breach where the harm cannot be prevented through warning. The U.S. social security number is the best example, and in that instance the hope is that the applicable details are not misappropriated or misused.
- Commercial espionage: Commercial espionage is a comprehensive theft that fundamentally involves knowledge assets consisting of company-confidential information and trade secrets. It may involve non-personal information such as product design, pricing, financial reports, strategic and commercial plans, code and other confidential and proprietary information. The personal information that it may affect is typically in a grey category not protected by breach notification laws. It could involve customer information or other sales-related information. The breach may cause a competitive harm but not necessarily personal harm to the impacted persons.
- System and public services breaches: These breaches raise threats to public welfare beyond individual threats of fraud or identity theft and may involve attacks on critical infrastructure areas such as health care or the energy grid, or other attacks that may bring power or medical systems down in ways that directly threaten public safety. These threats are systemic more than they are personal, and the potential damage is staggering—medical devices hacked to malfunction, cars directed to crash, electricity losses that disable security systems or vital refrigeration and lighting—and exceeds the realm of the foreseeable.
What is the role of a cyber insurance policy?
Against this backdrop of dynamic and complex risks, where does cyber insurance play a role in risk mitigation strategies? Relative to its peer categories in the insurance industry, cyber insurance is still in its nascent stages, with no single standard for underwriting cyber insurance policies. Fundamentally, cyber insurance is dedicated to minimising risk by providing a potential offset to recovery costs triggered directly by a cyber attack or, in some instances, third party costs generated as a consequence of a cyber attack. Even in its early stage, the total value of cyber insurance premiums is expected to reach somewhere between $5 and $10 billion by 2020, which is a reflection of the scale and value of the underlying assets considered at risk of cyber attack. By way of comparison, workers compensation is a $55 billion market. At present, approximately 30% of US companies purchase a form of cyber insurance.
What is covered?
There is a wide range of reimbursable expenses that an underwriter will be willing to cover and, in many instances, the reimbursable expenses are bespoke, given the uniqueness of technology businesses and the kind of data that could be vulnerable. As a general practice, the following areas are the most standard reimbursables:
- Business loss: This includes business interruption, monetary loss caused by network downtime, data loss recovery and costs involved in managing any ensuing crisis from the breach, which may involve repairing reputation damage. The policy may include similar items that are covered by an errors & omissions policy such as negligence.
- Investigation: A detailed investigation is essential to determining what occurred, how to minimise and repair damage, and how to avoid the same type of breach recurring. The costs triggered by the investigation process following a cyber attack are typically generated by the services of a third party security firm or coordination with law enforcement entities.
- Litigation and extortion: The costs associated with the release of confidential information and intellectual property, legal settlements and regulatory fines are standard coverage items in a cyber insurance package. In some instances it may include the costs of cyber extortion, such as from ransomware.
- Privacy and notification: This includes data breach notifications to customers and other impacted and related parties, which are required by law in several jurisdictions. It also includes credit monitoring for customers whose information was or may have been breached.
Pre-incident services, such as certain network security costs, employee training, and incident planning, are typically covered but are dependent upon the occurrence of a breach. These features should be considered as part of the broader incident prevention strategy and of the applicable technology platform implemented for safeguarding against attack.
Coverage scope varies between policies, but generally reputation damage is not covered because it is hard to quantify. Cyber-related bodily harm and property damage, including stolen intellectual property are also generally not covered in light of the difficulty of putting a price tag on them.
This is by no means a complete list of potential coverage areas. Cyber risks are dynamic and changing, both in terms of methods and ultimate economic impact (which can have a very complicated and far-reaching trickle-down effect). Cyber insurance should be viewed in tandem with best-in-class technological tools implemented by a CIO and risk management team to mitigate the possibility of any such cyber attack. In short, cyber insurance complements technology, but it does not replace its essential function.
What is not covered?
The cyber insurance market has focused on the immediate and obvious losses arising out of data breaches, including the first party costs of a breach and the third party liability for the release of others' information (PHI, PII, and payment card information). Such losses are a major concern. It is important to note that while many cyber policies focus on the popular notion of a data breach, it is often to the exclusion of risks and losses that are beyond the immediate scope of the underlying breach. Some of the losses which are not covered include the following:
- Loss of revenue triggered by reputational harm rather than network interruption;
- Limited definitions of “privacy” or “security” acts;
- Trade secrets exclusions;
- Limited data asset recovery coverage;
- “Acts of foreign enemies” exclusions; and
- Bodily injury/property damage exclusions.
Developments in the cyber coverage market to address losses beyond the traditional first party coverage and third party liability coverages generally available in the market will require policyholders and their insurance brokers to be acutely deliberate and creative in negotiating wording, while maintaining the requisite specialised knowledge to help carriers become amenable to their risk profile.
How do you search for a policy?
Taking into account the context of cyber insurance and the various limitations and idiosyncrasies described above, how do risk management professionals initiate a search for an applicable policy? Cyber insurance has become a common product offering from several large insurance companies (e.g., Chubb, Travelers), but it is important for a CIO to understand the variance between different policies, depending on the enterprise being insured, policy scope, and underwriter. The coverage items specified above are a good baseline to begin comparing policies, but limitations should be considered, which typically relate to the following areas:
- Deductibles. What are the deductible levels?
- Is the cyber insurance policy a customised stand-alone insurance product or is it an extension of an existing business insurance?
- Does the policy apply broadly to attacks that impact the organisation or must the attack directly single out and be executed against the organisation?
- Are employee actions included?
- What are the time frames that would be included in the policy? I.e., does the policy cover attacks executed over a period of time?
- Are employee acts, omissions and non-malicious conduct included?
How do you decide what level of coverage to include?
Determining the appropriate level of coverage is the largest challenge for a CIO, alongside assessing the scope of risk. Since cyber attacks have deep and far-reaching implications that are often unforeseeable, they are events whose economic impact can vastly surpass initial estimates of risk. As a general rule, there are two kinds of companies who purchase cyber insurance: companies with revenues below $500 million and companies with revenues above $500 million. Typically, companies with revenue below $500 million will pay between $200 and $5000 per year for payout limits as low as $1 million and as high as $5 million. For this customer category the deductible amount is of particular importance in order to avoid a negative-value trigger event. For companies with revenues above $500 million, the annual premium can range between $100,000 and $500,000 for $5 million to $20 million in payout limits. It is important to understand that these are only rough approximations, and customers' needs can vary considerably based on the nature of their commercial activities and cyber exposure.
How do insurers make coverage and premium decisions?
Cyber insurance follows the same principle of risk mitigation that applies to other insurance categories: insurers want to see that a company has evaluated its degree of exposure to cyber attacks and has implemented best practices and other risk mitigants to minimise vulnerability. Best-in-class technology and employee training programs are key considerations. Policies, tools and methods that regularly provide threat assessments and vulnerability analysis also have an impact on coverage and premium determinations. Though not legally required, a stronger set of technological tools and practices can meaningfully reduce both risk and the cost of cyber insurance premiums.
For small companies, ethical hacking or threat intelligence can be financially unsustainable investments; however, tools that gauge vulnerability or can probe external network defenses in single instances can provide a considerable measure of security that also enables a stronger bargaining position while negotiating cyber insurance.
For insurers, the biggest financial risk is that a single security incident affecting a large chunk of companies will trigger payouts to most of their customers all at once. A breach of a major cloud provider, for example, would have a wide-reaching, contemporaneous effect in triggering policies. This is precisely why insurers will scrutinise best practices in managing cyber attack risk: they are evaluating risks that are both inherent to a business and potentially exacerbated by the nature of its exposure in the cyber ecosystem. An attack affecting a cloud provider could, in theory, affect all users of that service in the same way, but its impact can just as easily be minimised with the right tools in place. This is something an insurer will examine carefully in due diligence.
It is also worth mentioning that the cyber insurance industry involves considerable concentration risk: 65% of the cyber insurance business is accounted for by 7 insurance companies, even though more than 60 insurers offer policies.
What are the business case drivers?
The range of organisations that should obtain cyber insurance is comprehensive. Fundamentally, any company that is responsible for customer information and data or payment details, or that has any exposure to the cloud, should account for cyber insurance in building its annual budget. Attacks against businesses—large and small—are only increasing, and the data reflects that a small business is almost as likely to suffer an attack as a large business. Attackers increasingly pursue small businesses because of the view that they are less likely to implement the appropriate systems, practices, and technologies to safeguard against a cyber attack.
On average the cost of a data breach is between $2 and $3 million. Companies must decide if they are able to sustain that level of risk and, if not, how cyber insurance can help defray the potential expense of an attack.
As mentioned, the true cost of the policy will depend on the nature of the business, the degree of exposure, and the practices and technological tools that have been implemented to manage risks from any perceived or known vulnerabilities. It is also useful for a company to determine at the outset which expenses it would like to have covered if a trigger event were to occur. Some insurers will provide useful tools for answering these initial questions and developing a rough estimate of cost. As cyber attacks—and the methods for implementing them—continue to rise in line with companies' cyber dependence and threat exposure, the case for cyber insurance will only become more compelling and will merit close attention by CIOs and Boards of Directors.
By Yuri Frayman, Chief Executive and Founder of ZENEDGE.