Cybersecurity insurance is being heralded as a viable solution for recovering from a cyberattack. However, Jeff Bounds, in his D Magazine article The Pros and Pitfalls of Cybersecurity Insurance, suggests it might be more complicated than just purchasing a new policy.

“Large players like AT&T have come forward with insurance to offer protection and help companies recover in the wake of data disasters,” writes Bounds. “But the relative novelty of the policies can make it difficult to know what they will and won’t pay for.”

And that’s not the only consideration. “On the other side, insurers are struggling to determine what damages they should cover from tech crimes and what they should charge for premiums,” adds Bounds. “That’s partly because corporate secrecy about hacks means nobody knows how often companies get hit–or what the bottom-line impact truly is.”


What is considered a cyber risk?

The insurance industry is trying to sort out what should be considered a cyber risk. To get an idea of what’s involved, Bounds interviewed Ernest Martin Jr., a partner at Haynes and Boone who also chairs the firm’s insurance recovery group.

Martin mentions that more companies are looking for cybersecurity insurance, but the lack of common contractual language is making things difficult, adding, “Purchasing them (cybersecurity-insurance policies) is not as easy as purchasing general-liability insurance.”

Emphasis on cybersecurity cleanup not prevention

It seems everyone is resigned to the inevitability of a cyberattack. “Something that can hurt stock prices, make customers lose trust, and endanger executive employment,” writes Bounds. “Auditors are also checking that companies are meeting their regulatory obligations around cybersecurity.”

Needless to say, corporate executives are inclined to show they’ve done everything possible to protect their businesses from becoming a victim of a cyberattack. “If you don’t have a well-defined security plan that you’ve tested and enforced, you are (corporate execs) hanging out on a limb,” Layne Bradley, instructor of information systems and supply-chain management at Texas Christian University, tells Bounds.

And one way of showing that everything is indeed being done is to research, and if the numbers add up, obtain cybersecurity insurance. Bounds writes that doing so can help pay for:

  • The damage intruders cause;
  • Hiring consultants to remove viruses from a company’s digital equipment; and
  • Defending the company from lawsuits or regulatory claims that can ensue.


Concerns about what is covered

Ernest Martin Jr. mentioned that cybersecurity insurance is trying to protect a new and volatile industry; a good example would be determining how to insure a business that locates the company’s technology (hardware and/or software) in a third party’s data center, which is becoming a common practice.

“Even when a cyber policy provides a particular type of coverage, the actual scope of that coverage can be restricted in many ways,” Dallas attorney Amy Elizabeth Stewart explains to Bounds. Stewart suggests firms that outsource their digital assets should understand how the coverage works when third-party vendors are involved, if they want to avoid unpleasant surprises.


Examples of what companies are running into with cybersecurity insurance

Bounds offers an example from Renee Hornbaker, former financial chief for Stream Energy Inc. as well as Flowserve Corporation (now retired). Hornbaker told Bounds she did not look forward to getting cybersecurity insurance, adding, “I found it to be costly, difficult to purchase, and the application process was onerous.”

Bounds brings up another good point about what could be a problem to some company executives: Obtaining insurance likely will entail disclosing a lot of sensitive information to the insurer, such as infrastructure setup and security practices.

What leaders should consider about cybersecurity insurance

After consulting with experts, Bounds offers the following suggestions as a means to drive down perceived risk and possibly lower premiums. Those responsible in the company:

  • Should consider buying more cybersecurity coverage when there’s a heavy reliance on technology due to the lack of in-house cybersecurity expertise;
  • May find they need less insurance coverage if appropriate cybersecurity practices are employed, and there are in-house experts; and
  • Should keep insurers informed on how they communicate cybersecurity measures to employees.

The best suggestion I found was from Gavin Phillips in his MakeUseOf commentary Do You Really Need CyberInsurance? 4 Questions to Ask Before You Get It. He spent several paragraphs explaining the importance of reading the “fine print.”


A peek into the crystal ball

Insurance gets called many things, a necessary evil for example, though “necessary” says it all. Bounds believes the cybersecurity-insurance market is set to explode. “According to AT&T, more than 50 insurers now offer digital policies with net premiums totaling $2 billion,” he writes in his conclusion. “That’s less than one percent of property and casualty premiums that U.S. insurers wrote in 2017.”