While cybersecurity may be a source of endless discussion in the security industry, cybersecurity insurance is a topic that CISOs and security directors may not be as well versed in.
What does it cover?
Put simply, cybersecurity insurance protects a company against a cyber incident.
According to Dominic Jaar, partner and national leader, forensic technology service at KPMG, a cyber incident could be a case of ransomware or a Distributed Denial of Service (DDoS) attack. It could also be an instance in which a hacker accesses your system, “downloading a large volume of intellectual property, therefore devaluing either your brand or the amount of money you spend in R&D,” he explains.
Grace Crickette Taylor, vice-chancellor for administrative affairs at the University of Wisconsin – Whitewater and a risk and compliance specialist, adds that there are a number of different categories cybersecurity insurance can cover.
This ranges from covering the “destruction, corruption or theft of electronic information assets/data,” to “business interruption loss caused by a material interruption to your computer system due to a breach of computer or network security,” to cyber extortion and cyber terrorism.
While there are a wide variety of cyber incidents, Imran Ahmad, partner at Miller Thomson LLP, believes there are three main “buckets of cost” that cyber insurance can cover.
The first bucket is legal fees. That means “everything from running an investigation from a legal standpoint to notification to individuals to dealing with regulators,” he says.
Second is the forensics or investigation aspect of a cyber incident, and making sure systems resume normal operations. According to Ahmad, this is probably the biggest cost covered by cybersecurity insurance. He estimates that insurers cover about 70 per cent of the cost of any incident.
The third bucket is providing crisis management consultants who can handle the PR and media strategy.
Greg Markell, president and CEO of Ridge Canada, a Canadian Managing General Insurance Agency that provides cyber insurance products, consulting and loss control services to insurance agents and brokers, says they chose to focus on cyber insurance because they saw an “underserved market.”
“Previously, the Canadian insurance market was providing the same applications and base policy language to companies that were $1 million in revenue to $1 billion, whether they were hospitals or widget manufacturers,” he says. “With this in mind, we continue to see an opportunity to help our broker partners with their conversations surrounding the transfer of the residual cyber risk that worries their clients.”
However, there is no standard for how much risk insurers absorb if an incident occurs.
“It’s all over the map to be honest with you,” says Dave Tyson, CEO of CISO Insights and a past president of ASIS International.
This is mainly because it is a very new area of insurance. While actuarial tables have been in place for 50 or 100 years for car insurance, for example, Tyson estimates that there is less than 10 years of data available for cyber insurance.
However, given the pervasiveness of breaches and hacking, Kirsten Bay, CEO of solutions developer Cyber adAPT, believes it’s no longer about if an incident will occur, but when.
“Customers say, ‘Well, you know I haven’t been hacked yet,’” she says, but “we see very significant indicators of compromise, and we see the adversaries trying to break in, akin to checking the windows and the doors.”
The impact of IoT
This is especially the case as Internet of Things (IoT) devices become more popular. As companies use more connected devices in their daily operations, cybersecurity insurance will change to reflect this. “The risk level or … the cybersecurity threat surface, is going to increase exponentially,” says Ahmad.
As such, he believes that doing the groundwork before buying an insurance policy will be even more important.
Insurers will look at whether vulnerabilities in one IoT device will lead to vulnerabilities throughout the company, and whether companies have layers of technology or security to ensure that this cannot happen.
Depending on how IoT devices are integrated in the company, “insurers are going to want to see that you’ve done that diligence,” Ahmad says.
Additionally, insurance firms may ask if you have reviewed your contracts with the providers of your IoT devices to guarantee that these devices have built-in security.
“What insurers are probably going to start asking for, and I’ve started to see this already, is, in your contracts, have you asked for security? Have you asked for them to give you indemnities in case something happens where their security was weak because of the hardware, and then what did you do on top of that to additionally protect yourself?” explains Ahmad.
Bay says she has also seen this happening.
“In terms of indemnifications,” she says, “I have seen, in service-level agreements for vendors, that you have to fully indemnify very large companies against an event, if … you were the initial entity by which that attack started to evolve.”
However, the strength of a cyber policy also depends on “connectivity, the type of user base you have, the type of individuals and the type of work they do,” she says. It also hinges on the type of industry the company works in.
Consequently, as IoT devices become commonplace, Bay says insurers will have to look at networking and the segmentation of networking differently because risk mitigation will be part of that discussion.
Meanwhile, Jaar believes that as IoT becomes more prevalent, more data will be gathered in real-time from different devices and systems.
Therefore, insurers will be able to determine the correlation between particular events, systems, approaches or companies.
This, in turn, “will enable insurers, as the market matures, to be extremely granular in how they price and what they decide to cover or exclude from an insurance policy,” he explains.
“If I had to look in 10 or perhaps 15 or 20 years from now, I would say cyber insurance would fluctuate every second, based on the risk that will be assessed by the system,” he adds.
Collaboration is key
So what does this mean when it comes to buying cybersecurity insurance?
Both Bay and Taylor say integrating the security practitioner or CISO into the overall business discussion is imperative to purchasing the correct policy.
Many companies, Bay says, view CISOs and security managers as separate from the rest of the business.
When buying insurance, the company should develop a “different communication structure where they’re integrating the security practitioner into the overall business discussion so they can be much more impactful in providing a view of what sort of risks can be mitigated through insurance and other risk policies,” she explains.
Taylor adds that CISOs and security managers should “partner with your chief risk officer and other experts, not just during the insurance buying process, but throughout the year with evaluation of the risk.”
She also suggests implementing a Security Enterprise Risk Management Program (SERMP) to help “keep a pulse on the exposure/risk and allow you [the CISO or security manager] to be prepared to present your organization in the best light to the insurance underwriters and obtain the broadest coverage at the optimum price for your organization.”
Jaar agrees that more collaboration is necessary for larger companies, since the CISO or CIO generally is not an insurance specialist, and a company’s insurance specialist is rarely an IT or security specialist.
“It needs to be a joint effort, talking amongst specialists,” he explains, “and if the expertise does not exist internally, then [large organizations should] rely on third party independent advice.”
However, he finds that in smaller organizations, the biggest mistake is undervaluing or overvaluing the insurance.
Some CISOs say they should take the most expensive premium because their company does not invest in IT and information security. The opposite also applies; some say they should take the smallest premium because their company is highly invested in security services, he explains.
“I think at both extremes, it’s a massive mistake,” Jaar says. “Even if you have the most robust system, methodologies and team in place, you may still want to have the most expensive insurance policy if the risk you’re trying to cover cannot be mitigated through the highest level security.”
For Ahmad, the biggest mistake CISOs and security directors make when looking to buy a cybersecurity policy is assuming it’s “one size fits all.”
“They think there’s one single product that will just be perfect for their organization, but it’s not that way. You have to have a real conversation with folks, especially on the insurance brokerage side, to figure out what works for you,” he explains.
“Working with the security industry to focus on client-oriented solutions will be paramount to provide companies with the necessary solutions and protections for an increasingly challenging operating environment,” adds Markell.
This extends beyond choosing a policy. Integrating your cybersecurity insurance into an overall risk mitigation strategy also involves collaboration.
“Like any good business strategy,” adds Tyson, “you have to have a good partnership between your cybersecurity team and your insurance team, and/or any risk managers that are involved in the decision-making.”
Additionally, CISOs and security directors should be aware that buying a cyber policy is not holistic, says Taylor.
She advises leveraging the insurance program to provide holistic coverage for information technology.
IT has a number of risks, “so the complexities of your insurance program need to align with the complexity of your information technology,” she explains.
“It’s not just insuring your system or your data, but understanding where your data goes.” Additionally, if the board of directors or leadership wants cyber insurance, strengthening and changing the policies and procedures of the company’s IT expertise environment might be necessary, she says.
“There’s a misconception in the market that you can just transfer the risk automatically,” adds Ahmad.
“The insurers will make you go through a questionnaire and make sure your risk profile is as low as possible so you can get the best premiums in place.”
Likewise, it’s important to remember that employee training, penetration testing and risk assessment are still necessary, he says.
“I think you have to do all of that, and then add the insurance piece,” he explains. “It just mitigates some of the costs relating to risk — it doesn’t take away the entire risk.”
However, Tyson says that when integrating a cyber insurance policy into a risk mitigation strategy, you should also account for the likelihood that the policy will be executed.
“A simple example would be if you have known cybersecurity holes or issues that you can fix for $1 million, and a cybersecurity policy is $1 million, the question is should you spend the money on closing the hole so you don’t get hacked, or should you just pay the insurance to try to reduce the pain if you do get hacked?” he explains.
These are the types of questions he believes CROs, CISOs and other decision-makers should address together to determine where their money is best spent.
Tyson says that he has seen many organizations who, in the process of purchasing cyber policies, had to make very detailed disclosures about their security operations.
“It’s important, I think, for cybersecurity folks or security risk managers in general to make sure that they’re answering these questions in a way that doesn’t put their companies at risk,” he adds.
“What happens if the insurance company gets breached? Now the information that they have on you about all of the inner workings of your security is publicly available,” he says. “So you’ve actually got a vendor security risk associated with this information.”
The future of cyber insurance
Consequently, Tyson is not convinced that cybersecurity insurance is a necessity right now.
“I think that there are cases and there are investment scenarios where it makes sense,” he says.
But he finds that, ultimately, “it’s about ensuring that you have the right analysis, just like any other business insurance or risk management process.”
However, cyber insurance will only become more popular, Markell says.
“This is absolutely a growth market within the insurance industry. Current penetration rates globally and Canada-specific are rising, and the prevalence of incidents is not decreasing,” he says.
Bay, Jaar and Ahmad also believe cyber insurance will gain importance.
“Given how pervasive cyberattacks are these days, [given] what feels like this ocean of adversaries who have many different ways of penetrating a network and an environment, it just is an element of protection that companies need to have,” Bay concludes.