Washington, DC - Today we’re going to talk about cyber insurance, sometimes known as cybersecurity insurance, cyber risk insurance, etc. Specifically, we’re going to discuss what it is and whether or not it’s worth the investment.
We arrived on this topic because of a report commissioned by the data analytics firm FICO. You may know FICO because of the FICO score, which is a credit risk score. Well, FICO (formerly Fair, Isaac and Company) measures other things, too. One of them is cybersecurity preparedness by industry. And unfortunately, the healthcare industry – one of the highest value targets online – does not have much in the way of cybersecurity coverage. In fact, just three out of ten healthcare organizations had any coverage at all.
That’s a long way off the 76% mark for all US respondents; in fact, it drags that figure down. And even that 76% is misleading, because only 32% have comprehensive coverage.
But is that really a big deal? What is Cyber Insurance? And do you need it?
Let’s hash it out.
What is Cyber Insurance?
Cyber liability insurance, as the name suggests, insulates your company or organization from damages incurred during a security incident. The idea is that you shift some of the risk to the insurance company. There is a second form of cyber insurance, which is for individuals instead of companies. Individual cyber insurance is aimed mainly at combating identity theft. For the sake of this discussion, we’re talking about cyber policies for businesses.
It’s also worth noting at the outset that cyber insurance is not the same as general liability insurance. General liability takes care of bodily injuries and property damage that result from your products, services or operations. With most insurers, cyber risks are not included under this umbrella. Do not make the mistake of assuming they are. Sony made that mistake during its 2011 breach: its general liability carrier went to court to argue that the PlayStation Network breach was not covered under that policy, and the incident ended up costing Sony $171 million.
Cybersecurity insurance primarily covers breach events where personal identifying information is lost, disclosed or stolen.
Examples of PII include:
- Social Security numbers
- Credit Card information
- Account numbers
- Driver’s License numbers
- Healthcare data
In Europe this is called Personal Data. Regardless of where you hail from, though, the definition of a data breach is pretty universal. Even the smallest incident, like accidentally disclosing a single customer record to the wrong party, qualifies as a personal data breach. And while regulations require breaches to be reported to the appropriate authorities, not every incident meets the threshold that triggers a notification obligation.
Cybersecurity insurance is still relatively new, so in many ways it’s still evolving. Generally, cyber insurance covers legal fees and expenses associated with a breach, in addition to:
- Assisting with customer notifications following an incident
- Working to restore the personal identities of affected customers
- Recovering data that was compromised during the incident
- Repairing damaged computer systems and networks
Many insurance policies will also offer affected customers credit monitoring services, which can help to rebuild your company or organization’s reputation following a security incident.
Kip Boyle is a former cybersecurity consultant for the Stanford Research Institute and the current CEO of Cyber Risk Opportunities. He breaks the current cyber insurance landscape down into two distinct approaches.
“The first one is to get just the financial coverage you need, at the least possible premium cost. This is ideal for companies who can and will handle cyber failures on their own.
“The second strategy is to get the financial coverage and use advanced policy features to augment your cyber incident Respond and Recover capabilities. With this strategy, the insurance company will provide, typically on-demand, with pre-selected vendors, and at no additional charge, services such as digital forensics, crisis communications, legal defense, and data breach notification. Policyholders also get free access to a data breach coach, usually a lawyer, who will expertly guide them through the entire process.”
Do I need cyber insurance?
That’s a question that your organization is going to need to answer itself. There are a multitude of factors to consider, including organizational size, budgets, your threat model, risks and potential liabilities. It would be patently irresponsible for us to advise you one way or another, though – in sticking with our usual MO – we always suggest that you err on the side of caution.
It may be worth mentioning that, according to one study, 66% of SMBs would not survive a data breach on their own. Also, the cybercrime industry (yes, it’s an industry) has never been more profitable.
Trave Harmon, the CEO of Triton Computer Corporation, a Massachusetts-based technology solutions company that offers cybersecurity insurance, recommends it to every business owner.
“Similar to general liability insurance, health insurance, auto and home, you need to be protected when you are practicing industry-standard safety and security online and with other people’s data. We have institutions which contain financial, medical and tax information and our requirements are very clear. We cannot guarantee an attack will not occur. You need to be prepared in the event that something happens. We don’t know what it [may be], but it’s best to have something in place.”
Writing in a 2017 Business Journal article on cyber liability insurance, Heiman Landa, the founder and CEO of Optimal Networks, put it this way:
“Think of it as living in a flood plain — would you buy flood insurance? Whether you’re dealing with protected data or not, I tend to think about cyber insurance as another layer of business continuity; if your company were to experience a disruptive security incident, this would help keep you operational.”
Adds Judy Selby, a cyber insurance consultant and former insurance coverage litigator:
“[It’s] particularly [important] for small and midsize companies that lack the financial and technical resources to respond to a cyber incident. Enterprises need to realize that 100% cyber security is impossible, given increasing data volumes, digitization, and work force mobility combined with an evolving threat landscape and greater regulatory compliance concerns. Today’s companies should take a risk management approach to cyber security issues, including transfer of risk through insurance.”
In addition to insulating your business from some of the damage that accompanies a security incident, having cybersecurity insurance can also help with optics. It shows that your organization takes its security obligations seriously. A prompt response, bolstered by a strong cybersecurity insurance policy, says that you had plans in place should the worst come to pass, and you weren’t caught flat-footed by it.
That may seem small, but every little bit helps when it’s your company’s reputation on the line.
What should I look for in a cyber insurance policy?
At this point, most major insurance companies are offering some form of cybersecurity liability coverage. Again, there isn’t a standard yet, so the policies may differ from company to company.
So, what should you be looking for when you shop around for a policy?
Well, let’s start with the points we mentioned earlier: coverage of legal fees & expenses incurred, assistance with customer notification, personal ID restoration services, data recovery, and help repairing damaged systems. That should be a baseline. Any policy that doesn’t include these is probably not worth the paper it’s printed on.
“There often are major differences between cyber policies,” says Selby. “It’s important, therefore, for companies to get a good understanding of their company’s specific cyber risk profile and look for coverage that matches up well with their needs. For example, a company that is subject to certain data protection regulations, such as HIPAA or GDPR, should look for broad regulatory coverage. Companies that have migrated their data to the cloud or that rely on data hosting vendors will need strong third-party service provider coverage. Today’s cyber insurance market is quite competitive, so companies should shop around and exercise their leverage to negotiate for the best coverage based on their unique cyber risk profile.”
So what questions should you be asking while you look for a cyber insurance policy? Here are a few things to consider:
- When you’re choosing an insurer, see whether or not their cybersecurity coverage is an extension of an existing policy or a standalone policy. Oftentimes you’ll find that standalone policies are more robust, with more comprehensive coverage. Also, find out if the insurer can tailor the policy to your organization and its unique risks or if it’s just the same boilerplate legalese for all policies.
- Remember to actually shop around; deductibles and premiums vary. According to the FICO study we cited earlier, 73% of organizations with cybersecurity insurance don’t believe that their premiums are based on an accurate assessment of their actual risk. Whether or not you’ll be able to find a quality policy that is priced more to your liking is another story, but if you can find an insurer that can tailor you a policy, you might be able to find a premium that is commensurate with your actual risk.
- Find out whether the policy’s coverage and limits apply to third parties, too. Third party risk is one of the biggest threats facing businesses in the digital age. In fact, studies show that half of all data breaches are initiated within the supply chain. You may also want to check whether any of your service providers have their own policies and whether that has any impact on your agreement.
- Specifically, what attacks does the policy cover? This is where you’ll want to make sure you have someone with sufficient knowledge of your organization’s threat model involved. Not all policies cover all forms of attack. You’ll need to know exactly what the policy covers. This is also a good time to ask about non-malicious employee behavior like negligence or simple mistakes, as well as social engineering. Does the policy cover any cyber incident, or does it only kick in when your organization is the victim of an attack?
It’s also good to get some clarity on the timeframes involved in the policy. If an attack is discovered after a policy has expired, but it occurred during the policy’s validity period, is it still covered? That sounds elementary, but it’s best to cover all your bases. Most cyber policies are written on a claims-made basis, meaning the date the claim is reported is what matters, not the date of the intrusion, so ask about the retroactive date as well: an intruder who got in before that date may not be covered even if you only discover them after the policy is in force.
“Today, the market is non-standard, which makes it difficult to understand the coverage being offered so you can compare quotes,” says Boyle. “I suggest finding a good broker who has current experience evaluating cyber insurance. The broker will make sure you get all the right coverages, while watching for key exclusions.”
What insurers look for when writing cyber insurance policies
Here’s a list of insurers that offer cyber insurance policies; we like to remain brand agnostic, so the list is alphabetized:
- ABA Insurance
- AIG
- AXIS Capital
- BCS
- Chubb
- CNA
- Data Breach Insurance
- Insureon
- Liberty Mutual
- Nationwide
- RSA Broker
- Travelers Insurance
- XL Group
Purchasing cyber insurance does not absolve your organization of its security obligations. Quite the opposite, in fact. Whatever insurer you decide on is going to want to see that your organization takes its security seriously first. This includes conducting a full risk assessment, following industry best practices, and demonstrating a strong security posture, patching cadence and general readiness.
They may also suggest that your organization put employees through security training to ensure some level of awareness regarding phishing, social engineering and other threats. 70% of US employees have no idea about cybersecurity best practices. We say it all the time (and studies show), your employees are one of the biggest threats to your business—and not always maliciously, either.
If your organization has had any third-party assessments done or participates in any programs like EU-US Privacy Shield, this would be a good time to mention that as well.
The future of cyber insurance
As we have covered, cyber insurance is still in its infancy. Insurers and companies alike know they need it, but we’re still working out the details.
“In the future, the price of cyber insurance will better reflect the reality of the claims and the policies will standardize,” says Boyle. “But, we don’t know how long these changes will take.”
In the meantime, the threat landscape is constantly evolving. New threats are presented every day as enterprising hackers and cyber criminals look for new ways to exploit our systems. Cybercrime is now a 1.5 trillion-dollar industry.
And it’s not just big enterprises that are being victimized: according to Symantec, 43% of attacks in 2015 were launched against small and medium-sized businesses.
Cybersecurity has never been more critical. Now it’s up to insurers to keep up.
“Just as cyber risks have evolved, so has cyber coverage,” says Selby. “Cyber insurance isn’t just for data breaches anymore. Many carriers offer coverages for today’s most vexing cyber threats, including social engineering, ransomware, contingent business interruption, property damage, bodily injury, and more. At least one carrier offers management liability coverage in its cyber form. I expect that carriers will continue to update their policies to keep pace with emerging risks, particularly concerning regulatory exposures and technological advances.”
So, to answer our original question. Is the fact that 7 in 10 healthcare organizations don’t have cyber insurance really a big deal?
Absolutely.