Insurance is a way of life for businesses, as it’s essential to protect company property and personnel. It can also help alleviate the pain of cybersecurity incidents, which can cost anywhere from $1.25 to $8.19 million.
Scott Matteson: What is cyberinsurance?
David Dufour: Cyberinsurance is designed to help organizations minimize cyber risk by offsetting the costs involved with recovering from breaches or other security incidents.
As cyber risk continues growing, the cyberinsurance market has grown along with it; the US market reached $1.8 billion in 2018, three times what it was in 2015, according to an April 2019 report by global insurance broker Marsh. Additionally, over the past four years, the number of Marsh’s US customers buying cyberinsurance has doubled, from 19% in 2014 to 38% in 2018.
Scott Matteson: How does it work?
David Dufour: Cyberinsurance doesn’t protect businesses against cybercrime, but it gives them a better chance to maintain financial stability if a serious security event does occur.
Cyberinsurance policies can include first-party and third-party coverage. First-party coverage applies to losses sustained by the victim organization directly, such as loss of income, ransom or other extortion demands paid, notification costs and reputation damages. Third-party coverage applies to losses resulting from lawsuits by other organizations or people who claim to have been damaged by the incident, such as lawsuits over network security liability, network privacy liability and electronic media liability.
Cyberinsurance can be worth the investment, especially for SMBs, but it depends on a number of factors. When evaluating their specific needs and the best matching policies, organizations need to ask:
- Are you trying to protect a brand?
- What kind of intellectual property or data are you protecting?
- Do you have sensitive data that could leave you liable for lawsuits if leaked? (This is especially likely in the healthcare and financial industries.)
- What expenses are you trying to cover in case of an incident?
- What do you need to cover to ensure you aren’t vulnerable to bankruptcy in case of an incident?
- Do you need to hire to fully understand or capitalize on your policy?
Scott Matteson: Who provides cyberinsurance?
David Dufour: According to a June 2019 report by credit rating agency A.M. Best, 528 US insurers reported writing cyberinsurance in 2018, up from 471 in 2017. That report found that the top five cyber insurers of 2018 according to direct premiums written were Chubb, AXA US, AIG, Travelers and Beazley; the top five cyber insurers of 2018 in terms of quantity of policies were The Hartford, Liberty Mutual, Farmers, Cincinnati and Berkshire Hathaway.
Scott Matteson: What are the benefits?
David Dufour: Cyberinsurance can help organizations deal with the wide range of costs of dealing with a data breach: professional services like the forensic teams required to help clean up and discover what happened; the data recovery teams that work to recover compromised sensitive data; non-security services such as public relations to manage the story and to help interface with external stakeholders; credit monitoring services for customers if required; and legal services to manage possible lawsuits from vendors, partners, customers, or compliance and regulatory entities.
Scott Matteson: What are the risks?
David Dufour: Only 18% of organizations leveraging cyberinsurance are comprehensively covered for the cyber risks they face, according to the May 2019 World Insurance Report by Capgemini, a leading technology consulting company, and Efma, a non-profit financial industry consultant. This is unsurprising given how many organizations struggle to know what they need as well as what they’re getting. They also face a number of challenges, such as:
- You need to be able to prove an incident occurred (i.e. not just some lost data on a hard drive)
- You need to have basic security and compliance protections in place and prove that you’ve been following them (i.e. incidents resulting from social engineering attacks or weak user passwords are often not covered)
- You need to be able to prove you were compliant to whatever specific level was required by the insurance provider
There is also the risk of the insurance provider finding some sort of loophole or leveraging a technicality to avoid paying out. This is why I recommend that organizations try to find a provider with a history of protecting against cybercrime damages that has demonstrated they actually go through the whole process of filing and processing claims and paying out.
Many companies purchase cyberinsurance believing they can use it to pay for a breach and with that policy in hand, they ignore fielding or properly resourcing a mature security program. But if the company is found to be liable for the breach due to negligence such as poor security hygiene, it’s generally unable to use its cyberinsurance policy for recovering from the breach.
Scott Matteson: What are the costs?
David Dufour: Deductibles can be quite high depending on the size of the company, with examples seen in the millions and multi-millions. It depends on the size of the company and policy; some businesses pay $500,000 or more in deductibles before their coverage ever kicks in; Target had $100 million in cyberinsurance coverage during its massive data breach, with a $10 million deductible.
The average cost for cyberinsurance rose about 5% in 2019, despite the large increase in the number of attacks and claims files, according to a September 2019 report by business insurance advisory firm AdvisorSmith. The cost increase bumped up the average annual premium to $1,501 for a business facing moderate risks with liability limits of $1 million, a $10,000 deductible, and $1 million in company revenue.
In November 2017, Utah paid $230,000 a year for $10 million in cyber coverage and had a $1 million deductible
Scott Matteson: Does cyberinsurance cover lost revenue as the result of a data breach or bad publicity in the aftermath?
David Dufour: Technically anything could be insured but that would be challenging to price. Most insurance typically covers cost to recover and professional services such as legal and brand protection due to an incident.
Scott Matteson: What are some real-world examples?
David Dufour: Cyberinsurance has been in the spotlight lately with the rash of ransomware attacks targeting public entities and their stance of paying the ransom. The Florida town of Lake City authorized its insurer to pay the nearly half a million dollar ransom via bitcoin. The city of Atlanta famously declined to pay the ransom and build the infrastructure from the ground up, yet it cost them millions to recover versus the roughly $50,000 ransom. For an SMB, it may be worth it to have the expertise and counsel on your side when it comes to deciding to pay.
Scott Matteson: Where is the field headed?
David Dufour: It desperately needs to be standardized. In March, some leading insurance providers led by Marsh & McLennan announced they’re planning a “Cyber Catalyst” alliance to create a consumer ratings service for the cybersecurity industry to standardize cyberinsurance, primarily by highlighting weak or risky cybersecurity products that should be avoided by manufacturers in the supply chain (including firewalls and encryption, tools for monitoring threats, and training and incident-response planning).
This is definitely a step in the right direction, but it needs substantial participation to have much impact – as lack of participation has hindered previous initiatives of this type. I think it will take some type of government-sponsored initiative that provides a financial incentive for organizations and consumers to get involved, for an initiative like this to be truly impactful on a broad scale.