How cyber insurance can help you better manage security risks

How cyber insurance can help you better manage security risks

November 13, 2014

by Joe Nocera.

Cyber incidents continue to increase and financial losses related to these compromises are mounting apace. In the 2015 Global State of Information Security® Survey, we found that the number of detected incidents in 2014 increased 48% over last year, while the estimated average financial loss attributed to those compromises climbed 34%. In today’s elevated threat environment, most businesses need help to manage cybersecurity risks. The purchase of cyber insurance to protect against financial losses from cyber risks is ranking as high as other insurable risks.

And, in fact, many organizations are beginning to take action. Our annual information security survey found that 42% of US respondents said they have purchased cyber insurance, up from 33% in 2013. Among those that have, 41% of US respondents said they have made a claim, and 36% have collected on a claim. This rising interest in cyber insurance is due, in part, to the string of high-profile—and high-cost—data breaches of US retailers. In two of the biggest breaches, it has been widely reported that both businesses had at least $100 million in cyber insurance, and expect to offset the costs of mitigating the breaches through insurance coverage.

Perhaps more significant is that some companies are leveraging cyber insurance as a way to improve their information security program. A significant number (43%) said they have taken steps to enhance their security posture in order to lower their insurance premium. Moreover, in some industries, regulators are beginning to suggest that businesses have cyber insurance.

Consider, for instance, guidance recently released by the US Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE). The OCIE said it plans to examine the cybersecurity preparedness of more than 50 registered financial services broker-dealers and investment advisers. One likely question in the examination will be on details of the firm’s cybersecurity insurance coverage, as well as if the business has filed claims and the results of those claims.

What policies do—and do not—cover

Cyber-insurance policies can cover both damage and liability stemming from attacks that could damage, corrupt, or disclose specific classes of data assets or technical infrastructure—risks that are typically excluded from traditional commercial liability coverage. Policies may cover damages such as data destruction, denial of service, theft, and extortion; incident response and remediation, investigation and security-audit expenses; and losses arising from errors and omissions, regulatory failures, and inadequate data-security safeguards.

However, the cyber insurance market is relatively new, and insurers face some key challenges. One is a lack of historical loss data attributed to cyber-attacks that can help estimate probabilities of loss and calculate loss values. The absence of data makes it difficult to determine appropriate premiums. The insurance industry also has difficulty covering losses resulting from stolen intellectual property and trade secrets. These losses often include intangibles that are almost impossible to calculate in dollars, such as damage to future growth potential and brand reputation. As the cyber-insurance market matures and more IP and trade-secret theft cases are litigated, insured companies will be better positioned to recover these types of losses.

Identifying the right policy

Cyber insurance can be an effective tool to help reduce information security risks, and companies should consider it within the context of their enterprise risk-management programs. As a first step, businesses should proactively evaluate available cyber-insurance products and understand pricing and coverage. In doing so, they should discuss with insurers the fundamentals of good security that drive risk-control elements and how adoption of these practices can affect coverage and premiums.

Buyers of cyber insurance also should carefully consider insurance conditions, exclusions, and limitations. In other words, they should determine what costs and risks are covered, and under what conditions. Of specific concern are due diligence concerning past breaches and the possibility that a cyber attacker might have been present in a corporate network before purchase of a policy. Conducting a breach-indicator analysis can be useful in helping identify specific indications of known attackers.

Additional actions to take when evaluating cyber-insurance providers and policies include:

  • Mandate compliance with reasonable security standards;
  • Require threat- and breach-indicator assessments to determine if specific threats are present in your environment;
  • Require periodic reviews and assessments for both the security program and possible breaches;
  • Create a list of qualified providers of incident-response and forensics services;
  • Factor in coverage for business interruption and lost revenue; and
  • Consider the cost of forensic investigations and regulatory responses.

A carefully considered cyber insurance policy can help businesses strengthen their cybersecurity programs and improve their overall enterprise risk-management posture. Given the rising costs of today’s data breaches, it can be a valuable tool to lessen the risks of compromises that are all but certain to happen.

Interested in reading more about this subject?

Download our white paper: Managing cyber risks with insurance: Key factors to consider when evaluating how cyber insurance can enhance your security program.

 

 The Global State of Information Security® is a registered trademark of International Data Group, Inc.

Previous post:

Next post: