Ricardo Arroyo, Sr. Technical Product Manager and ThreatSync Guru at network security company WatchGuard Technologies, discusses everything you need to know about cyberinsurance – what it is, why your business may need it and the caveats to be aware of.
Life is unpredictable. Unexpected problems can arise at any time without notice. Whether they be physical, mental or financial burdens, society has built an entire industry to mitigate those burdens. That industry is insurance. We have insurance for our home, for our cars, for our pets and for our health. Any crisis that can befall a person or company has an insurance available. The advent of the cyberintrusions also saw with it the creation of cyberthreat insurance, an attempt to offset the losses related to mitigating and recovering from a cyberincident.
What is cyber insurance?
As with all other types of insurance, cyberinsurance is meant to provide policyholders with relief, mostly financial, in the event of a cyberintrusion. Some cyberinsurance is offered as an additional coverage added to an existing policy while some is offered as a stand-alone policy. Each policy is customisable to the needs of the policy holder. This of course makes the cost variable. The core tenant of cyberinsurance deals with covering the cost of dealing with a cyberattack. This typically includes, but is not limited to, the following types of coverage:
- Data privacy – Coverage to offset the cost of losing personal data
- Loss or breach of data – Coverage to offset the cost of losing confidential company data
- Remediation costs – Coverage to offset the cost of dealing with a cyberintrusion such as customer notifications and forensic investigations
- Regulatory fines and/or penalties associated with data breaches – Coverage to offset the cost of fines or penalties enforced as part of federal, state and local laws dealing with data breaches
- Cybersecurity incidents not involving data breaches – Coverage to offset the cost of non data breach-related cyber incidents
- Business and contingent business interruption – Coverage to offset the cost of any service interruption caused by the cyberintrusion (e.g. website offline)
- Cyberextortion – Coverage to offset the cost of payments made to cybercriminals for the return of stolen intellectual property or personal data
- Media liability – Coverage to offset the cost of infringement of intellectual property, copyright/trademark infringement, libel and slander
Many insurance providers offer higher-end services or advisers to ensure policyholders have the resources they need to start reacting to a cyberattack. This typically includes, but is not limited to, the following types of services:
- Forensics – Advising or services for investigating and mitigating a cyberattack
- Notifications – Advisory or call centre services for assisting in notifying customers of a cyberincident
- Credit and ID monitoring – Services for monitoring customers for potential identity theft
- Legal services – Services or professional advice for dealing with the legal ramifications of a cyberincident, including data loss, fines and penalties
- Public relations – Services or professional advice on dealing with the ramifications the cyberintrusion has had on your public image
- Risk assessments – Services to assess the potential risk your network and computers have for being breached
- Loss prevention – Services to assist in remediating risk factors that leave you at risk for being breached. These services are typically called vulnerability or penetration tests
Cyberinsurance providers typically require potential policyholders to sign affidavits attesting to the proper deployment of information security software equipment and practices including the use of antivirus, firewalls, back-ups, etc.
Many companies will send their own inspectors to perform an information technology risk assessment using NIST or other industry standards risk assessment frameworks. Policies can cost anywhere from US$1,000 to US$8,000 per year for US$1 million in coverage depending on your company’s industry and revenue stream.
The dreaded details
If you’ve ever been in the position where an insurance claim was denied because of some obscure exemptions on page 238 of your insurance policy’s guide, of which 235 pages are in legal jargon, then you won’t be surprised to know that cyberinsurance is no different. In an attempt to ensure adequate pricing per coverage with the limited data available from the young industry, providers write some very specific and unexpected exceptions to claims. Couple that with the potential overlap that now exists between insurance types, the potential for confusion only increases.
For example, in 2016 a bank in Virginia was the victim of a cyberattack. When the claim against their US$8 million policy for cybercrime was denied in favour of a US$50,000 policy for debit card fraud, instant confusion ensued and suits followed.
The chain of events followed your typical modern-day example of a cyberintrusion. A phishing attack gained access to servers where malware was installed in order to steal usernames and passwords, which were then used to create faulty transactions using their bank’s ATM systems. The insurance provider had written an exception to the cybercrime policy when the incident deals with ‘automated mechanical devices.’
Depending on the size of your company and the sensitivity of the data your company wants to protect, it is recommended you hire an independent insurance agent that is experienced in cyberinsurance. Considering the possible loss of US$7.95 million in the example above, it might be worth the expense.
Do I need cyberinsurance?
When evaluating whether your company needs cyberinsurance, you must first evaluate what virtual assets are most important to your company’s livelihood. If your company performs any of the following activities, you might want to consider getting a cyberinsurance policy:
- Accepts or processes digital payment
- Uses computers and mobile devices and Wi-Fi
- Stores personally identifiable information or other confidential customer information
- Stores medical or financial data
- Stores highly valued intellectual property
Other less ‘tangible’ advantages to carrying cyberinsurance include:
- Policies may be very cost effective if the premium plus deductible cost is less than the cost of incident response, credit monitoring and legal services
- The piece of mind gained by knowing that the financial burden that a cyberattack can put on your company is significantly reduced
- Publicising the fact your company caries cyberinsurance can provide customers with piece of mind and may even differentiate you in your market
The addition of cyberinsurance does not mean you have the freedom to be lax on implementing cybersecurity, incident response and recovery measures. Remember, by the time you make a claim against your cyberinsurance policy you’ve already lost system access, intellectual property or personal information. Cyberinsurance is merely part of a comprehensive plan to mitigate risk and defend against cyberattacks.
The industry in confusion
Big Data has made the greater insurance industry very precise in how they price and plan coverage. Thousands of risk factors are fed into a data model that has been trained on decades worth of data to determine the price of your policy and what that policy covers. That volume of data is just not available for cyber intrusions. For example, Verizon only started releasing their Data Breach Investigations Report in 2009. Even liberally, there’s likely 15 years’ worth of cyberintrusion data to work with. In the end, this sector of the insurance industry is still young and susceptible to fluctuations based on cyberincident activity changes.
Also, IoT is drastically affecting the cyberinsurance scene in a few different ways. First, most inexpensive Internet-connected devices tend to be lax on security. This is because cybersecurity is expensive. The amount of manpower required to secure such a cheap device would become cost prohibitive. Each of these insecure devices contributes to extra risk, potentially increasing your premiums.
Second, with every electronic device we own connected to the Internet, where do traditional insurance and warranty policies end and where does cyberinsurance begin? Your refrigerator gets hacked and the hacker overloads your compressor, is this covered under a cyberinsurance policy or the refrigerator warranty? Your company’s headquarters central building automation system gets hacked and they burn out your door locks. Is this covered under the building insurance, or cyberinsurance? A truck from your company’s fleet gets hacked and causes an accident. Is this claimed against your automotive insurance or cyberinsurance?
Put these two factors together and you get massive confusion and potential fluctuations in what you can expect from a policy.
Trends to look for
Fraud is a plague that the insurance industry has to deal with constantly. Insurance companies will spend millions of dollars to detect and recuperate faulty claims. People will always look for new ways to defraud an insurance company for a big payout. Add in the complexity behind most modern-day cyberintrusions that few are well equipped to understand, let alone deal with, and you get the ideal recipe for a perfect storm. A company with a million-dollar cyberinsurance payout can hire hackers to intrude in their network for a few grand.
As more coverage occurs we should also see an uptick in cybercrime, especially cyberextortion. Ransomware is a good example.
Some ransomware campaigns are well-organised criminal endeavours. The goal is not to extort thousands of dollars from a single victim but to extort a few hundred from a large pool of victims. To this day, the most robust defence against ransomware is to frequently back up files; therefore you can recover from the loss instead of paying to retrieve locked files. If your company has coverage for cyberextortion you will more likely be willing to pay the ransom to retrieve the files versus restoring from the last backup. If you were to publicise the fact you carry cyberinsurance, it could make you a target of a more focused campaign.
Lastly, cyberinsurance adoption, either as a stand-alone policy or as a policy extension, will only continue to rise. This is for two main reasons. First, the rate at which intrusions are occurring to big names has never really fallen since the steep uptick in 2013/2014.
The names continue to get bigger too, with the targeting of the DNC in 2016 that continues to this day. Second, as laws pertaining to data privacy, and very specifically laws directed at the company protecting the data, continue to become enacted there is a chance, depending on what state or country you live in, that the penalty for failing to protect data privacy exceeds the cost of cyberintrusion recovery. Examples of these laws are California’s Notice of Security Breach Act and the all-encompassing General Data Protection Regulation (GDPR).
Conclusion
Cyberinsurance is not for everyone. There are many factors that need consideration including the sensitivity of the data you are protecting, the industry you work in and the size of your revenue stream. Once you have determined that cyberinsurance is for you, be sure to hire an experienced insurance broker with cyberinsurance experience.
Always remember, it is not a matter of if you will experience a cyber intrusion, it’s a matter of when you will experience one. Cyberinsurance does not make up for sloppy security practices but is a powerful piece of a comprehensive plan to mitigate risk and defend against cyberattacks.