Cyber Insurance Is Changing How We Look At Risk

Sony Pictures thought that their General Liabilities  insurance covered them against damaging a cyberattack. They learned a painful lesson.

If, or more accurately, when your company is hit by a cyber-attack, do you have what you need to recover? Do you know what kind of losses you can afford to absorb in your bottom line? How do you manage your risks? Have you thought about whether you need cyber insurance?

In 2011, Sony’s PlayStation network was breached; attackers compromised more than 77 million personal accounts, costing Sony an estimated $170 million. They thought their general liability insurance policy covered them, but they were wrong. Sony took their insurers to court, where the courts confirmed Sony’s policy didn’t cover the damages of the cyber breach.

It was a painful lesson for Sony, one they were determined to not repeat. When they were breached in 2014, they had a cyber insurance policy in place that experts predict will cover most, if not all, of their estimated $100 million in losses. Sony Pictures’ CEO confirmed the costs to recover from the latest breach “shouldn’t be anything that is disruptive to our budget.”

What we can learn from Sony

Sony learned to assess the risk a cyber-attack posed to their business and took steps to mitigate its potential impact. While your company may be smaller, and lower profile than Sony, the risk of a cyber-attack is still very real and needs to be considered in your business context.

The Verizon 2016 Data Breach Investigation Report confirms that companies large and small, across all industries, in all geographies, are at risk of being targeted by a cyber-attack; in fact, it is estimated that 62 percent of cyber breach victims are small to mid-sized businesses. The average total cost of a breach, according to the 2015 Cost of Data Breach Study: Global Analysis, is now at $3.79 million.

What are organizations doing to prepare themselves?

They are expanding their efforts to put as many safeguards as possible in place. Beyond deploying breach prevention controls in the infrastructure or beefing up managed security services, one of the safeguards gaining popularity to help companies manage their risks is cyber insurance. A recent 2016 survey found that 59 percent of organizations incorporate cyber insurance into their strategic plans to manage cyber risks, with the highest rate among large corporations.

What is cyber insurance?

Cyber insurance is a sub-category within the general insurance industry, offering products and services designed to protect businesses from internet-based risks. Although forms of cyber insurance policies have been around for the past 10 years, market awareness has recently increased exponentially, in part because of the headline-grabbing cyber breaches that have hit almost every industry.

There is no standard form for a cyber insurance policy on the market.

In addition, demand for cyber insurance has been fueled by governments, which are becoming more actively involved in policing corporate responses to cyber-attacks. There are now mandatory data breach notification laws in many countries; we are seeing organizations buy cyber insurance policies to help them cover the notification costs they will incur in the wake of a cybersecurity breach.

In just a couple of years, the US cyber insurance market has grown from about 10 insurers to 50 that provide stand-alone cyber insurance policies. In 2015, these providers generated $2.75 billion in premium revenues in the U.S. According to a recent study by PwC, this number is set to triple to $7.5 billion by 2020.
Breaking down a cyber insurance policy

Most cyber policies currently on the market offer a combination of two types of insurance coverage:

         First-party coverage: covers direct losses to the organization.

        Third-party coverage: protects against claims against the organization by third parties, such as customers or partners.

Besides financial coverage, insurers also provide risk management and post-breach services, including loss-prevention measures and remediation tools.

The trouble with assessing risk

Unlike other types of insurance, there is no standard form for a cyber insurance policy on the market. Today, before insurance companies can offer a cyber policy, they must understand the prospective client’s risk profile. To determine the premium, they look at the scale of the business, the sensitive nature of the data it handles and stores and its overall security posture.

It is difficult, however, to quantify an organization’s posture and risks. There is not a lot of credible historical data on losses and very little visibility into a prospective client’s ability to handle past and future cyber incidents. This has made insurers cautious, resulting in some insurers offering high premiums and low policy coverage or demanding clients incorporate new technologies before they can be insured.

Cyber insurance has a role to play in a company’s overall risk mitigation strategies.

Even when purchased, there’s no way to really know if it’s enough — some believe the attack on Anthem, the second largest health insurer in the U.S., could end up costing them upwards of a billion dollars, which means their cyber insurance coverage, which is estimated to be between $150 to $200 million, may not be enough to cover the final costs.

With this backdrop it’s easy to see how hard it is for insurers to determine what the policy’s premium should be and for businesses to determine how much coverage they are going to need. Both need a way to more accurately assess risk and determine a company’s risk profile.

The cyber insurance market, an opportunity for the cybersecurity startup ecosystem

The uncertainty in the cyber insurance market presents opportunities for risk assessment tools, which can help both insurers and insured companies determine a company’s risk posture. There are automatic tools that help with risk assessment and scoring that can bring a little more transparency to the insurance market. Companies in this space include BitSight Technologies, SecurityScorecard and PivotPoint Risk Analytics.

We believe we will be seeing more vendors enter this market, perhaps even more specialized startups operating in the cyber insurance industry exclusively. For example, QuadMetrics, a US-based startup, is already operating in this field, helping underwriters set premiums for cyber insurance policies based on a predictive cybersecurity risk analysis.

We may also see insurance companies open cybersecurity departments and offer pre-breach and post-breach services, such as security architectural analysis, monitoring, incident response, forensics and more. If this happens, we will likely see insurance companies start hiring cybersecurity specialists and even “acqui-hiring” cybersecurity startups.

This can bring interesting opportunities for the cybersecurity startup ecosystem as a whole, especially for those companies that offer products and services that can be incorporated into cyber insurance strategies.

One thing is certain, the way we look at risk is evolving and cyber insurance has a role to play in a company’s overall risk mitigation strategies. The extent to which it will enable us to better assess and ultimately combat the rising threat landscape we are facing is still to be seen.

TechCrunch: 

 

« Has The Cyber ‘Pearl Harbor’ Already Happened?
New Zealand’s Defence Is Playing Catch Up »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

authen2cate

authen2cate

Authen2cate offers a simple way to provide application access with our Identity and Access Management (IAM) solutions for enterprise, small business, and individual customers alike.

FoxGuard Solutions

FoxGuard Solutions

FoxGuard Solutions develops customized cyber security, compliance and industrial computing solutions for critical infrastructure entities and control system vendors.

Governikus

Governikus

Governikus provides solutions for secure data transport, authentication, the use of electronic signatures and cryptography as well as for long-term storage.

Bangladesh Computer Council (BCC)

Bangladesh Computer Council (BCC)

Bangladesh Computer Council (BCC) is a government body providing support for ICT related activities including formulating national ICT strategy and policy.

TCN

TCN

TCN is an advanced System Integrator and Infrastructure Company in Albania.

CERT Tonga

CERT Tonga

CERT Tonga is the national Computer Emergency Response Team for Tonga.

RUSCADASEC

RUSCADASEC

RUSCADASEC is an independent non-profit initiative on developing the open Russian-speaking international community of industrial cyber security/ICS/SCADA cyber security professionals.

Digital Magics

Digital Magics

Digital Magics is an incubator for innovative startups which offer content and services with high technological value. Areas of focus include IoT, Enterprise Software, AI, Industry 4.0 and Blockchain.

Lexsynergy

Lexsynergy

Lexsynergy is a global domain name management and online brand protection company.

Dataprise

Dataprise

Dataprise is a leading IT managed services provider offering IT Management and Help Desk Support Services, Cloud Services, Information Security Solution, IT Strategy and Consulting.

RedNode

RedNode

RedNode is a cybersecurity service provider that offers customized security testing solutions to protect any size of business worldwide.

BugProve

BugProve

BugProve offers a firmware analysis tool that speeds up security testing processes and supports compliance needs by automating repetitive tasks and detecting 0-day vulnerabilities.

Eqlipse Technologies

Eqlipse Technologies

Eqlipse Technologies provides products and high-end engineering solutions to customers in the Department of Defense and Intelligence Community.

Abstract Security

Abstract Security

Abstract Security has created a revolutionary platform, equipped with an AI-powered assistant, to better centralize the management of security analytics.

Kolide

Kolide

Kolide ensures that if a device isn't secure, it can't access your apps.

Enterprise Strategy Group

Enterprise Strategy Group

Enterprise Strategy Group, a division of TechTarget, is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.