Cybersecurity Insurance and Analyzing the Risk
In order to be prepared to deal with a breach, companies employ a number of prevention, detection, and response methods: employing a CISO, utilizing a security product like a WAF, IDS/IPS, or anti-virus solution, or deciding to get coverage through cybersecurity liability insurance. While we may be familiar with insurance for unfortunate events like fire, flood, or a medical emergency, cybersecurity insurance is still a relatively new concept. But in recent years, this market has seen a huge surge. In 2015, for example, global insurance broker Marsh found that there was a 27% increase in cybersecurity insurance purchases among its U.S.-based clients.
Because of this trend towards purchasing cybersecurity insurance products, the next logical question for companies may be as follows: “Is cybersecurity insurance worth it?”
It’s a great question because the reality is that security breaches cost money, and lots of it. Costs from cyber incidents come from technology and security upgrades, legal fees, and the protection and credit monitoring offered to those affected by the breach. The cost of a breach can therefore range widely. For example, in 2015 expected losses ranged from $25,450 to over $8.8 million according to the Verizon Data Breach Investigations Report.
If you consider the costs of medical procedures, they can range widely depending on the location, a patient’s previous medical conditions, or whether additional procedures will be necessary. Similarly, costs of a breach will differ depending on what kind of attack it was, what kind of networks and servers were involved, and how many people it affected; there is no doubt about that.
However, the issue gets problematic because not only are expected losses hard to predict, but reports from companies after a data breach show that the amount covered by the insurance carriers rarely makes a drop in the proverbial bucket. One of the most highlighted breaches of 2017, the Equifax data breach, had claims of at least $275 million, but reports showed that only $75 million was covered by the company’s cybersecurity insurance plan. Although little coverage is still coverage, it raises the question of whether cybersecurity insurance is really doing what it’s meant to do, and lessens the trust that we can have in insurance carriers.
Perhaps this is because insurance carriers are often not your cybersecurity providers. While one might expect insurance to come from the cybersecurity vendors themselves, more often than not, cybersecurity insurance will come from the same carriers that offer you your life, medical, car, and other insurance. While insurance agents and brokers are trained on a regular basis to keep up with the demand for new insurance types, the cyber threat environment is not one that is easy to grasp. With an ever-evolving web environment and an ever-evolving network of hackers and bots, there’s a lack of actuarial data for the insurance carriers trying to come up with prices for cybersecurity insurance policies. It’s understandable, as breach incidents can range from the exposure of non-sensitive information to the theft of enterprise intellectual property, or even the compromise of hundreds of thousands of people’s financial credentials, which would make headlines in the news.
So, coming back to the question of whether or not cybersecurity insurance is worth it, you might expect the answer to be “No, run far, far away.” But with an increase in web hacking incidents as well as in the costs incurred from data breaches, one can never be too safe when it comes to enterprise web security. However, the cybersecurity insurance field could benefit from narrowing the gap between insurance carriers and the parties that actually provide cybersecurity.
First, cybersecurity insurance carriers need to begin employing expert cybersecurity consultants who are well versed in their industry and are aware of the changing landscape of cyber threats. Going a step further, insurance carriers can partner with IT security firms to draw on their vulnerability and risk assessment expertise, or share some of their customers’ financial liability in case of a major attack. Confirm that your carrier has the domain knowledge necessary to price your policies fairly and allow for good coverage.
Second, if customers are able to demonstrate that they’re already utilizing preventive measures like a web application firewall (WAF), an encryption solution, and an authentication solution, security providers might be able to provide guidance that helps insurance carriers lower premiums, meaning that customers get more security for their buck.
While it’s great that there are multiple industries looking to aid companies in the fight against cyber threats, stronger cross-sector cooperation is needed to help push organizations to simultaneously strengthen their prevention and response capabilities. This will ultimately benefit everyone involved, from the insurance buyer and the insurance carrier all the way to the security vendors, ensuring that all of them hold a shared stake in keeping businesses resilient against cyber attacks.