The Hidden Strategic Advantage in Cyber Insurance
By James McFarlin
"Organizations with cyber insurance benefit from a greater peace of mind as well as the opportunity for more effective cybersecurity practices and operational resiliency"
Maintaining security and integrity across an organization’s cyber networks is a complex, collaborative initiative impacting all facets of the organization. “Cyber” touches everything in the modern enterprise, which means cyber risk exists from every angle in the organization.
In spite of steadily progressing defensive measures, the toll of successful attacks continues to spiral upward. Successful breaches against Target, Home Depot, eBay, the Defense Department and Sony are but a fraction of recent intrusions.
Particularly troubling are recent reports of serious attacks, thought to be from Iran, in which destructive malware was planted in over 50 target organizations, including airports and commercial airlines, around the world. These cases demonstrate the expanding tempo and complexity of cyber intrusions across the spectrum of global institutions.
Recovery from data breaches is a costly, resource-consuming and highly disruptive process. There is a cost of protection, of mitigation, of recovery, of layering in additional defenses, and of dealing and complying with a highly complex legal and regulatory privacy landscape. Beyond hard costs, there is a growing fear of reputational risks and brand damage, the impact of which crosses into the critical areas of customer loyalty, operational dependability, even organizational viability.
Seeking to contain or at least stem the threats to their organizations, many executives are increasing cybersecurity funding. A recent PricewaterhouseCoopers survey indicates that financial services companies plan to increase cybersecurity spending by some $2 billion over the next two years. Following the recent massive data breach at JP Morgan and at least a dozen other firms, CEO Jamie Dimon spelled out his plans to double the bank’s current $250 million annual cybersecurity spending over the next five years.
Specialized business practices are being deployed to shore up security platforms and processes. Rapid data breach response teams and cyber defense exercises such as cyber war games, to name two, are seeing increasing use.
Seeking to limit their losses following attacks, organizations are increasingly pursuing cyber insurance. According to business advisor Betterley Risk Consultants, at least 75% of businesses with more than $1 billion in annual revenue are expected to have cybersecurity insurance in the next several years. Smaller and midsize firms are also exploring cyber insurance with increasing frequency.
For perspective on the fast-developing subject of cyber insurance I turned to Roberta Anderson, a partner in the Pittsburgh office of global law firm K&L Gates and co-founder of the firm’s global Cyber Law and Cybersecurity practice group. I asked her what key forces are driving the demand for cyber insurance and what advice she gives her clients on how such coverage best fits into an overall cybersecurity strategy.
“The Target data breach was a tipping point in executive thinking about cybersecurity,” she replied. “The resignation of the Target CEO and the requirement to deal with over 100 putative class action suits, shareholder litigation and regulatory investigations, coupled with the industry-wide wave of breaches which followed were a wakeup call to C-suite executives: it was time to start communicating more effectively with the chief technology, privacy or information officer.”
Leading to accelerated searches for more effective cyber defense capabilities? I asked.
“Beyond an increased defense tools focus, what is more important is the growing acceptance that effective cybersecurity strategy requires enterprise-wide participation and is not something that can just be ‘turned over to IT’ to deal with. This was also the point where cybersecurity was becoming recognized as more of a risk management issue than just a technology issue.”
Managing Director of Cybercrime at PricewaterhouseCoopers LLP MacDonnell Ulsch recently stated: “IT security discussions were once a foreign language in the boardroom. Today, many boards are racing to connect the dots between ‘IT,’ ‘security,’ ‘cyber,’ and ‘risk.’ They get risk. They have a fiduciary responsibility to do so, and [in cyber] the risk clock is ticking.”
Is this your perspective?
“Yes, and even in a broader sense,” Anderson answered. “Addressing cybersecurity as a risk management issue involves attention to vendor selection and management, organization-wide cybersecurity practices, employee training, insurance, and a host of other related issues. Cybersecurity events will happen. More often than not, executives will be judged by the board on their handling of the attack and their resilience in returning the organization to normalcy of operation.”
Normalcy to include effectiveness dealing with customers, suppliers, vendors, regulators and other stakeholders?
“Without question. What I feel is an extremely valuable aspect of cyber insurance is the degree to which even just evaluating coverage assists organizations in seeing critical gaps in their enterprise-wide cybersecurity resilience that need to be addressed.”
An evaluation leading to specific steps for cybersecurity improvement?
“The insurance evaluation process can provide the organization with a strategic roadmap for improved cybersecurity practices. Further, insurers are excellent sources of information on contacts for outside professional resources ranging from crisis management, legal and public relations support to specific technical expertise in case of a breach. This information is particularly valuable for the smaller or mid-market companies who do not have the resources of a Fortune 200 firm.”
How much cyber data breach protection is covered by general insurance policies?
“General liability coverage policies can’t be relied on to cover cyber incidents. In today’s breach-filled environment, smaller firms in particular are rolling the dice, perhaps even betting the future of the company, without at least some separate cyber coverage. The risks of not protecting against cyber intrusions are simply too high for most smaller to mid-size organizations to deal with on their own.”
I asked Anderson for her closing thoughts.
“We live in a challenging, interconnected world filled with vulnerabilities,” she said. “Cybersecurity needs to be built into enterprise business practices, not merely tacked on after the fact. Second, the organization’s crown information jewels must be safeguarded. It is critical that technology be matched to the organization’s risks. Information such as client data or proprietary product research deserves greater protective measures than, say, inventories of corporate fixed assets. Without properly targeted protective measures, business models are vulnerable and in some cases unsustainable.”
“Those organizations with cyber insurance benefit from a greater peace of mind as well as the opportunity for more effective cybersecurity practices and operational resiliency,” Anderson concluded. “These are gifts most do not expect but which many receive.”
James McFarlin is a former high-tech CEO, noted author and international speaker on cyber security (Twitter: @jimmcfarlin). The second edition of his cyberthriller “Aftershock: A Novel” was released in March of 2014.