You leave kerosene-soaked rags all around your house. You chain smoke. One day, while relaxing in front of an episode of CSI:Cyber, your hand slips and a lit cigarette sets your sofa on fire. Your house burns down. The insurance company pays out your fire insurance.
That’s the world of cyber insurance today, and as should be plainly obvious, this state of affairs cannot long continue. At some point insurance companies will stop paying out for gross negligence, and insurance adjusters will go over your logs with a fine-tooth digital comb.
Cyber insurance can be an important and valuable (if small) part of enterprise risk management. Understanding what it can and can’t do — and the direction the cyber insurance industry is headed — is critical to getting the most out of a cyber insurance policy. These are the five most important considerations you need to make about cyber insurance.
Understand how much cyber risk you can transfer
You only get to pass some of the buck.
Insurance is not a magic wand that makes all your security problems go away. A cyber insurance policy is no replacement for doing the hard yards of spinning up an effective in-house security department.
Until recently, many non-technical executives, lacking training or background in cybersecurity, have underestimated the risks that security people have been screaming about for decades. Well, the Cassandras turned out to be right, and while your cyber insurance might cover public relations and incident response, it won’t cover even a fraction of the losses if you get popped.
So what risk can you transfer? That’s a private affair between an insurer and insureds, but typically policies cover only a fraction of total losses. Equifax estimated its losses at close to a billion dollars, but received an insurance payout of around US$100 million.
Most policies cover the aforementioned PR crisis management folks, some incident response work, including technical advice, and some losses. In the event of a major security incident, however, cyber insurance will be a band-aid on an axe gash.
Measure cyber risk as well as you can
The real utility of cyber insurance might be the work required to get the policy in the first place. Most cyber insurance policies include long questionnaires with increasingly detailed queries regarding specific security controls in place in your organization. That means to even get cyber insurance, it’s necessary to engage in a de facto audit of assets, processes and procedures, which will give both you and the insurance company food for thought.
“Food for thought” because insurance against cyber risk today is more art than science. Compared to the solid actuarial science behind fire, earthquake or flood, cyber insurance is hand-wavy, to say the least.
This is due to two major factors. First, the constantly changing threat landscape means it’s difficult to pin down risk at any given moment. Second, and more importantly, how do you rate risk against sabotage? No malicious human adversary causes earthquakes, and while arson does happen, it’s rare compared to accidental fires.
If you’re Sony in 2014, for example, how do you measure the risk of the North Korean military invading your networks, destroying your stuff, and dumping your intellectual property — and sensitive emails — onto the internet? Insurance companies are well aware of the need to quantify risk on a more scientific basis and are working hard to do so, but this is far from a solved problem.
Ask under what circumstances the war exclusion applies
Does your policy cover the next NotPetya?
In 2017 the NotPetya wiperware, widely believed to be the work of Russian-sponsored attackers, destroyed data on 1,700 servers and 24,000 laptops at Mondelez International, a snack food conglomerate that owns Cadbury and Nabisco. Mondelez filed a claim for $100 million with its insurer, Zurich American Insurance Company. Zurich denied the claim on the grounds that NotPetya was a “hostile or warlike action” by Russia, and Mondelez is currently suing Zurich.
War has never been insurable, and insurance policies have traditionally excluded claims caused by acts of war. There are caveats: Piracy has long been insurable, and who decides what qualifies as an “act of war”?
When negotiating a cybersecurity insurance policy, nail down what your policy does and does not cover. You don’t want to be another Mondelez hung out to dry because of this technicality.
Of course, in the event of full-blown war your policy still won’t help you. (Indeed, insurance is likely to be the last thing on your mind.) In the event of a “warlike act” such as another NotPetya attack — or something we’ve never seen or even thought of — make sure your policy covers those contingencies.
Shop around for cyber insurance
When it comes to a cyber insurance policy, everything is negotiable. Cyber insurance, like everything in the cyber domain, remains a Wild West. Lots of folks are working to tame it, but we haven’t reached that state yet.
What’s more, cyber insurance companies are still working to build a market. The market for cyber insurance today is probably less than 10% of its future size. That means everything is negotiable — terms and especially price.
What does your enterprise need from a cyber insurance policy? No one size fits all. What is your vertical? What are you worried about? What specific risks do you especially want insurance to cover? What does your threat model look like? How would different cybersecurity incidents affect your enterprise?
These questions can only be answered in-house by folks with deep and broad knowledge of your enterprise’s networks, systems, controls, processes and risks. Find them and get them involved in your insurance purchasing sooner rather than later.
Do your due diligence
Modern office buildings contain cutting edge fire suppression systems. Why? Because fire insurance companies pushed hard for them and offered significant premium discounts for insureds who performed their due diligence and deployed that technology. Between the government regulatory stick and the insurance premium discount carrot, buildings got safer.
Expect the same to happen in CyberLand. Cyber insurance companies will tighten the screws. In the not-too-distant future, cyber insurance companies will demand greater and greater security processes and controls and staff and you name it to qualify a company for an affordable insurance policy.
Are we there yet? No. We don’t even fully understand cybersecurity risk and how to measure it, much less create meaningful actuarial science to insure against such risk. A lot of smart people are working on the problem, and as we generate more data, the delta of known unknowns will narrow in turn.
Your enterprise probably needs a good cyber insurance policy. It’s a smart part of a balanced risk management diet, but it’s not a magic wand, and you can only pass some of the buck. The rest of the work remains in-house, like it or not.