Despite high demand for cybersecurity insurance, insurers are playing it safe. EY's Robert Reeves recommends drafting the policy you want, and then shopping it around.
Cyber insurance is still in its infancy when compared to other forms of insurance, which represent traditional markets with hundreds of years of data.
As Robert Reeves of Ernst & Young's (EY) Fraud Investigation & Dispute Services explained, "insurers are under a lot of pressure to get into the marketplace." However "they are being very conservative about what they are selling," meaning that there are "low policy levels, high deductibles with a lot of exclusions, and some confusion about what the policies actually cover."
During his telephone interview with TechRepublic, Reeves advised that "if you want cyber insurance, then have someone write the policy that you're looking for." Draw up the sort of policy that you need, and shop it around. This takes longer, said Reeves, but he argued that you'll probably end up with more than what the cyber insurance market is generally offering.
Reeves also offered this solid piece of advice: have your response team in place before you experience a major cyberattack. Instead of taking several weeks to interview people while you are in crisis mode and your company might be front-page news, hit the ground running with a team and a plan.
TechRepublic: How would you describe the cyber insurance market at present, given the sharp rise in cyber risk?
Robert Reeves: Cyber insurance is a very new market. Other types of insurance have been around for hundreds of years. But cyber insurance is very new, and there's not a lot of information about it. It's a market that's growing, but people are not always sure what they are selling, and clients are not sure what they're buying.
One of the things we are seeing is that it varies by industry. Retailers seem to be ahead of the curve, because a lot of the breaches that we've seen publicly acknowledged have been by retailers. Healthcare, I think, is also ahead of most industries. Also, from what we've seen, financial services have started to try to catch up a little bit.
Because they see there is a big opportunity for growth, insurers are under a lot of pressure to get into the marketplace. They are being very conservative about what they are selling, and so you are seeing low policy levels, high deductibles with a lot of exclusions, and some confusion about what the policies actually cover. The market is in its infancy. Right now it is growing very, very quickly, and is misunderstood by a lot of people.
TechRepublic: What are the types of cyber insurance available to an enterprise, and what risks do they address?
Robert Reeves: We have helped clients that have had cyber breaches from nation-states, from individual hackers, from their employees, and have seen a variety of things that are covered.
Typically, there are the investigative costs. IT professionals understand that when a breach occurs, it can take months to investigate. So one of the things that cyber insurance covers is the cost to investigate the breach.
It then covers the costs to remediate the breach, such as notification costs. So in the case of a retailer, this is when they've had a breach and have to notify their credit card customers. We have seen times where it covers a customer whose financial information has been breached, it will pay for some sort of credit monitoring, some sort of cost of not only notifying the party but also trying to remediate the individual's cost. Also, advertising costs to try to repair reputational damage can be covered.
One of the variables in coverage has been business interruption. So if you've got a business interruption impact from the attack, then you're actually losing revenue. Is that covered or not, and how is it measured? That is one that we see less often.
TechRepublic: Please evaluate this argument: "Insurers have yet to develop an evidence-based method to assess a company's cyber risk profile," which can result in high premiums, low coverage, and broad exclusions. (Ira Scharf, DarkReading.com, June 17, 2014)
Robert Reeves: I agree with the statement. I think another big part of it, which I have mentioned before, is that other types of insurance — life, health, property insurance, whatever — there is hundreds of years of data on them. So insurers have a really good sense of what they're underwriting, what the risks are, and how to set a price appropriately.
Since cyber insurance is so new, and the nature of cyber attacks is evolving so quickly, insurers are taking the conservative approach. And that approach is: let's have low coverage limits, make sure that the premiums are higher and that there are broad exclusions. And I understand what the insurers are doing.
We were talking to a client in Houston recently that had the same experience that you describe in the question. The insurance broker came to them with a cyber policy that they had asked to see, and they said, well, it costs a lot of money, it really doesn't cover much, and it has exclusions for most of the things that we are interested in.
Based on their experience, I would say to a client that if you want cyber insurance, then have someone write the policy that you're looking for. Draw up the cyber policy that you want — what's covered, what's included, the policy limits, all of those things — and then shop it around. We have seen clients have much better success in doing that, versus just trying to take what insurers are putting on the market. It is a longer and more arduous process to try and get that policy, but you are in a better position to try and understand what's available, and you've got a policy that matches your exact needs.
The other thing you can do is — drawing on the quote that says there is not an evidence-based method — develop your own cyber risk profile. You can do some of the legwork for cyber risk insurers, which is different from the traditional insurance market, which has lots of data. Go ahead and go to them with the data that they need so that you can obtain the policy that you want to buy. You can show how much risk is really out there, and what you're asking to be covered.
TechRepublic: What policies and programs can best help a company recover from a cyberattack?
Robert Reeves: One of the takeaways that we have seen from the companies that have had a big cyber event, and they've got insurance in place, is that you really need to have your response team in place ahead of time.
When someone is in crisis mode and they are on the front page of The Wall Street Journal after a big cyberattack, they don't want to spend a couple of weeks trying to figure out who can help them, whether they are hiring a law firm, or hiring a technical firm to remediate the impact. When you're in crisis mode, you don't want to spend a lot of time interviewing people — you want to hit the ground running right away.
TechRepublic: How are disruptive technologies such as big data and the Internet of Things complicating matters both for cyber insurers and enterprise risk managers?
Robert Reeves: It has a lot to do with the number of entry points. I think that the more entry points there are, the more chance they have of being attacked. Big data in the Internet of Things is making this more complicated, and insurers are trying to write coverage for events that are getting riskier. For IT professionals, protecting the network is getting more and more difficult.
When you look at some of the retailers that have been hit, for example, Target — their hack came through a HVAC contractor that had a separate entry point to their system. While they were focused on their main risk, which was their own network, it was the side network that got them in trouble.
- Security and Privacy: New Challenges (ZDNet/TechRepublic special feature)
- Investment firms become cybercrime focus, highlights insurance need (ZDNet)
- Cybersecurity insurance may push companies to better security (ZDNet)
- Anatomy of the Target data breach: Missed opportunities and lessons learned (ZDNet)
- Cybersecurity in 2015: What to expect (ZDNet)
- Ebook: Executive's guide to the next wave of security challenges (TechRepublic)
- Research shows growing security concerns and budgets for 2015 (TechRepublic)
Disclaimer: ZDNet and TechRepublic are CBS Interactive properties.