According to Ken Westin, senior security analyst at Tripwire, cyber liability insurance is becoming an increasing necessity for businesses and could easily become a requirement similar to Directors and Officers (D&O) liability insurance. The challenge for most organizations is determining how much coverage to purchase and how specified amounts of coverage offset cyber security risks.
KPMG recently conducted a survey that found 74 percent of businesses do not have any sort of cyber security liability insurance. Of those that did, only 48 percent believed their coverage would cover the actual cost of a breach. The sentiment among those surveyed is that the market for cyber security liability insurance is not mature, and comprehensive packages that provide “adequate” coverage are not available.
“Much like the deployment of cyber security infrastructure, cyber security liability insurance follows the law of diminishing returns,” said Westin. “Insurers can pay for 100 percent coverage for every possibility, but the cost of this policy would easily exceed the actual expense of a breach. Even if these policies were available and affordable, there’s no guarantee that every possibility would be covered.”
One of the reasons that the cost of cyber security liability insurance is skyrocketing is the insurance industry’s lack of hard data about cyber security risk. The insurance industry is extremely data-driven, and quantifying those risks is still a relatively new discipline. The threats are volatile and unpredictable, and data that can be analyzed to understand the potential impact and frequency of cyber security threats — as well as the beneficial effects of cyber security controls — is limited.
“Part of the challenge is that businesses don’t have a consistent approach to calculating security risks, and the process of determining what is acceptable to the business varies from industry to industry,” said Sarb Sembhi, director at STORM Guidance. “In addition, other factors also affect these calculations. There is also no driver at the moment to take a single consistent approach in putting real monetary values on costs of breaches. We hope as the market matures both insurers and businesses will agree on some consistent approaches that will ultimately benefit both parties.”
Traditional forms of insurance offer a wealth of historical data that can be mined to understand and quantify risks, and the maximum loss is usually bounded. For example, the exposure under a homeowners policy is limited to the value of the house and its contents.
Westin continued, “When it comes to cyber security liability, the risks are complex and widespread and they depend on a variety of factors, such as the type of data each organization stores. These factors can have a range of cascading effects on the eventual costs of a claim.”
Liability and comprehensive coverage are tricky with cyber security insurance because they deal with collateral damage connected with customer data. Because cyber security is an emerging discipline, it’s difficult for insurers to assess which organizations are most likely to become the victim of a breach. It’s also challenging to quantify the potential scope of a breach.
In addition, the liability costs associated with a breach can be difficult to predict because they include a variety of hard costs, such as breach clean-up, external forensic consulting, credit monitoring, lawsuits and regulatory fines, and soft costs, such as dips in share price, damage to brand reputation and loss of consumer confidence. The soft costs are difficult to quantify and are often not covered by cyber security liability insurance.
The Department of Homeland Security’s National Protection and Programs Directorate (NPPD) recently identified four “pillars” of an effective enterprise culture that will reduce cyber security risk; insurance carriers have identified these pillars as particularly attractive for underwriters:
- Engaged executive leadership.
- Targeted cyber risk education and awareness.
- Cost-effective technology investments.
- Relevant information sharing.
Westin noted: “The first two pillars are about establishing the equivalent of ‘safe drivers’ in cyber security, by identifying leaders who are engaged in the security of their infrastructure, and corporate cultures that value security through their investment in education for their employees. The third pillar is similar to the safety features in your vehicle: it ensures that organizations have proper security controls, processes and frameworks in place. The fourth pillar is about information sharing between organizations and insurance companies so that both parties can better understand these rapidly changing risks.”
Although cyber security liability insurance products are still maturing, the need for them has never been greater. It is critical for businesses to understand the limitations and restrictions of cyber security insurance as well as how it can help curb risk. In order for the insurance industry to expand its cyber security risk knowledge, security leaders need to share information and provide greater transparency into their organizations’ security practices and metrics.