Should you use cyber insurance to mitigate risk? by William Beer
While still a relatively immature industry, cyber insurance can reduce the costs of recovering from a breach, and, as Tony Morbin reports, it can also play a role in driving adoption of best practice, including de facto standards in critical infrastructure.
Cyber insurance has been around for more than ten years, but compared to the centuries-old marine insurance market it is still at a relatively immature stage, so you can't assume that because something is covered by one provider or policy, it is covered by them all.
“There's a lack of uniformity in the cyber insurance market, both in the UK and internationally, as policies are evolving with new threats following every new solution,” Scott Sayce, European underwriting director for technology and cyber risks at CNA Europe, told SCMagazineUK.com.
Nonetheless, there is enough data for general trends to have emerged. Banks were the first to insure against cyber-crime, and remain one of the higher risk categories because of the type and volume of personal and financial records they keep; these criteria remain key in setting premium levels. Cyber insurance can cover first party claims for immediate financial losses and the costs of shutting down and remediating a system, and can also extend to third party liabilities such as those arising from the loss of information, including payment of PCI DSS fines.
“We can cover fines where the law allows, and this varies by country – but regarding the five percent of global turnover that may potentially be fined in the next EU Data Protection regulations – there is no precedent set yet, nor is it clear whether it would be in the public interest to be able to insure against,” commented Sayce.
Sarb Sembhi, director at consultancy Storm Guidance and a prominent member of ISACA UK, told SCMagazineUK.com: "There are different views on whether it is acceptable to insure against fines – in the US it is OK, while in the UK it is not considered something that should be insured against, but as time goes on it is likely to slowly become more acceptable, but (insuring against fines under the Data Protection Act) will have a big impact on premiums.
"It will cost a lot for companies fined, so policies may say cover the first US$ 50 million (£30 million) or US$ 100 million (£60 million), whereas the proposed maximum fine is five percent of global turnover or US$ 100 million, whichever is the greater. There is clearly dissatisfaction from the EU regarding the treatment of EU citizens by the likes of Google (so it is likely such fines will happen)."
Costs of cyber insurance are reported to have come down considerably thanks to the increased data available: starting prices were in five figures just five years ago, whereas now SMEs are able to find appropriate cover. Business interruption cover, which used to start only after 72 hours, can now start after just an hour.
Alex Deshuk, manager of technology and innovation for the city of Mesa, Arizona, led a team that made the decision to purchase a cyber insurance policy to cover the city, and told SCMagazine in the US, “the cost per million [US dollars of coverage] is relatively inexpensive compared to other liability insurance in what it covers.” The US$ 5 million (£2.9 million) policy, which Mesa had underwritten by ACE Group, is “fairly complicated,” says Deshuk, but it generally offers the city protection and coverage in the case of an online exposure.
Sembhi adds: "Unlike other areas of insurance, there is not enough actuarial data. Therefore underwriters assess the probability of attacks, the likely number of attacks, and their likely cost. They don't have the data for some of the assumptions, so some policies are difficult to claim against because they have so many exclusions and extras, whereas others would cause the insurer to be stung if they were claimed against."
Sembhi believes that prices may go up again as more claims are made, but then come down again as more companies accept cyber insurance and get insured. "It's mostly a specialist offering, though some cover for cyber is included in some more general IT insurance policies and there is an overlap. Cyber insurance is an excellent option for risk transference of cyber risk, otherwise companies are missing a trick. But they need to choose policies carefully. Target was covered for much of the immediate costs of a breach including setting up call centres for customers. But the impact on the business and its reputation was not covered."
When looking at insuring an organisation, the decision to insure and the level of premium are determined after the insurer has undertaken an information gathering exercise. This starts with the base classification of the sector – such as finance, health, retail etc – then the volume and type of records held, followed by the organisation's risk management practices, technical capabilities and administration, including both policies and personnel. The insurer will also consider the extent of the information security in place, its level, how often it is checked and tested, and whether there is external validation, such as via penetration testing.
Given the variability in the insurance market, organisations are advised to work with their broker and insurer to tailor a policy to their specific needs, and not treat it as a tick box exercise. They need to identify the main threats they face and, working with their insurer and broker, transfer some of the risk. As Anthony Hess, principal adviser of KPMG's information protection and business resilience practice, commented to SCMagazineUK.com, "In the ever challenging digital landscape, cyber insurance offers businesses an innovative way to distribute and mitigate the risk of large scale hacks and data breaches, which in turn helps put board members at ease."
Tailoring a policy includes having a clear understanding of what is covered by it. For example, self-replicating viruses are not covered by some policies, and cyber risk isn't well covered by some general policies.
Hess adds: "Typical business insurance policies do not cover cyber risk. We are seeing a sharp increase in demand for cyber insurance products. Cyber-attacks have dominated the recent news agenda, which has led to it becoming a board room issue. However, many boardrooms are still grappling with the significance of this relatively new issue in the context of their business. This was highlighted in KPMG's recent Business Instincts Survey, which showed that cyber security and data protection were ranked as the third priority for the first time in UK boardrooms.”
Issues to be considered include cyber-extortion, such as the recent Domino's Pizza case (such threats may need to be investigated to see if they are credible); breach of third party data; privacy breach notifications; external crisis PR to repair reputational damage (taking the emotion out of internal PR by working with the CEO); and cyber business interruption, including loss of sales, which would be particularly important for an online e-commerce site.
“You need to get to a solution that works for your business, and one where you feel comfortable about what you are paying for,” adds Sayce.
Target said that of the US$ 61 million (£36.65 million) in breach-related expenses incurred in the quarter following the theft of about 40 million credit and debit card records and 70 million other records, US$ 44 million (£26.43 million) was offset by an insurance payment covering costs for reissuing cards, lawsuits, government probes and enforcement proceedings, legal expenses, investigative and consulting fees, and capital investments.
However, while this initially looks like significant mitigation, Target will probably have to pay out as much as US$ 2 billion (£1.2 billion) just for credit monitoring provided to customers, according to Vormetric.
Garry Sidaway, global director of security strategy at NTT Com Security, agrees on the need for companies to understand what insurance covers.
"Traditionally, general insurance doesn't cover a general security breach. We only have to look at previous breaches, and see that general insurance wasn't covering them. For example, is an organisation covering against Botnets, Malware or DDOS?” To identify areas needing cover, Sidaway adds: "First, organisations need to understand the context and put the necessary controls, processes and operations in place. It's only then they should look at the gaps, which enables them to tell insurers what risk controls and risk exposures there are in the business."
Outsourcing, including the use of cloud providers, does not indemnify organisations against claims such as those for data loss. While companies should have carried out due diligence and put good contractual indemnities in place (at least to the level of their own company's indemnities, with audits too where appropriate), they remain responsible. And while the costs of being compromised through a third party can be insured against, often in conjunction with that third party's professional indemnity, companies are still expected to employ best practice security.
“You still lock the door when you go out from your house even though you have a burglar alarm – and you might not be covered by your insurance if you didn't,” comments Sayce, adding that best practice is to act as if you don't have insurance.
Beyond commercial loss
But cyber insurance is not just about covering potential financial or reputational loss in commercial organisations; the insurance industry also has a key role to play in helping governments and critical infrastructure businesses prepare for cyber-attacks, according to David Croom-Johnson, active underwriter at AEGIS London (Electric & Gas Insurance Services Limited), speaking at the Electrical Industry Security Summit at the end of June.
The assertion contradicts a recent BBC report which claimed that “power companies are being refused insurance cover for cyber-attacks because their defences are perceived as weak.” This led some commentators (promoting the launch of the Government's new Computer Emergency Readiness Team - CERT-UK) to ask: would the money spent on insurance not be better placed to develop security infrastructure? Why did we find out from the insurance industry that energy suppliers' cyber security isn't up to scratch? Have these underwriters suddenly become experts in cyber security?
Explaining the role of the insurance industry in such scenarios, Croom-Johnson drew parallels between the insurance industry's reaction to the sinking of the Titanic and resulting calls by insurers for greater safety improvements and the role it could also play in preparing countries to manage future cyber terrorism and cyber warfare. “We know there is growing regulatory and compliance fatigue over the question of cyber security. (However, despite conflicting national government responses).... Critical infrastructure companies would like unified guidance; no-one wants a repeat of the situation which occurred after US retailer Target was attacked, with regulators and shareholders becoming increasingly aggressive and militant.”
Mick Ebsworth, information security consulting practice director at NTT Com Security, notes how the ability to get insurance will also influence security quality, commenting to SC: “Insurance companies are likely to either refuse to insure or make premiums extremely high for organisations that cannot demonstrate that they have considered risk, implemented protective controls and applied governance around demonstrating the controls are adequate."
Ebsworth adds: "Organisations need to consider two things here: firstly, the impact to them of obtaining insurance and what that means to their risk and security teams and the impact on their business processes; secondly, as organisations either decide to take up insurance or decide not to, will it demonstrate that weakness or strength from a risk and security perspective."
Croom-Johnson also pointed out that governments need to understand that insurance cannot be the total solution to cyber risk. He said: “Governments tend to think there is unlimited capacity within the insurance market. This is far from the case. Insurers have only a finite capacity to respond, and indeed some will not wish to respond at all. Governments need to work with us with the objective of increasing cyber risk management and risk modelling capabilities and of improving security.”
“Governments are curious to know if insurance is available for critical infrastructure, and if it can protect the public and private entities servicing these, but the question is if they have the budget for it,” Max Perkins, underwriter at specialist insurance business Beazley Group told SCMagazineUK.com. He added that definitive terms – as well as attractive financial incentives – will need to be rolled out if insurers are to team up with the UK government in protecting CPNIs.
“All the insurers I've been in conversation with are open to [protecting CPNI] but how much risk are they expected to take on?” asked Beazley, who added that war cannot be insured against.
Beazley said that the US is slightly ahead of the curve, as it implemented the Terrorism Risk Insurance Act (TRIA) in 2002, enabling insurers and brokers to back companies against terrorism-related activity. “It came out of 9/11,” said Beazley. Insurance losses after the Al Qaeda attack are estimated to have been more than £20 billion.
A report from Experian late last year found that just 31 percent of US companies had cyber insurance policies in place. However, another study, from risk management research firm Betterley Risk Consultants, found that the annual gross premium for US cyber insurance policies was US$ 1.3 billion (£734 million).
Multinational insurance provider AIG told The Financial Times in January that sales of cyber insurance policies increased by 30 percent in 2013 compared with the year before. “What we've been seeing is significant growth,” Tracie Grella, who oversees AIG's cyber insurance initiatives as the head of professional liability, told SCMagazine.com.
Based on current trends, the nascent cyber insurance market looks set to play an increasingly central role in the industry going forward.