Cyber Insurance Policies: Worth the Money?


The global cyber insurance market is expected to triple in size, reaching an estimated $7.5 billion in annual premiums by the year 2020, according to a new research study from PwC. http://ow.ly/T4rW2

The report, titled “Insurance 2020 & beyond: Reaping the dividends of cyber resilience,” states that 71 percent of insurance CEOs, 79 percent of banking CEOs, and 61 percent of business leaders across all industries see cyber attacks as a threat to growth.

Respondents also ranked cyber attacks as a greater threat than shifts in consumer behavior, the speed of technological change and supply chain disruption. Furthermore, PwC’s annual survey of security, IT and business executives found that there were nearly 43 million global security incidents detected in 2014 – an equivalent of more than 100,000 attacks a day.

“Boards are coming to realize the need for safeguards against the most damaging cyber attacks,” read the report.

Cyber security concerns and massive data breaches are part of our daily news cycle. As a result, companies of every size and industry are carefully examining their cyber security preparedness, both as a matter of good business and because they are being forced to do so by regulators and their customer and client base. An integral part of that self-reflection process is (or at least should be) the availability of insurance coverage for the risks presented by security breaches.

Some companies have purchased “dedicated” cyber insurance policies that provide coverage for first-party and third-party risk exposures. Other companies are still in the evaluation phase and are appropriately wondering whether such policies are needed, and, if so, whether insurers are paying claims under them.

Are We Covered for That?

At present, the only meaningful generality that can be made about the scope of coverage available under a dedicated cyber policy is that there is no “standard” coverage available. Several different insurers are offering cyber liability coverage, and the nature of what is covered versus what is not varies significantly.

In addition, many of these policies include a series of coverage enhancements that can be added to the policy, sometimes at no additional premium. But the policyholder must be a savvy consumer who makes the right “ask” and has a good handle on the risks that it is seeking to insure.

For example, some insurers are willing to provide coverage for PCI-DSS assessments while other insurers are not. Moreover, many insurers willing to provide coverage for this type of claim will not provide “full limit” coverage for the risk exposure and instead will place a “sub-limit” on such claims.

The insurer’s willingness to provide this coverage, and the extent of the limit available for it, will depend on the number of records handled, the strength of the insured’s existing procedures to prevent security breaches, and the data breach claims history.

Are Claims Being Paid?

We are still in the very early stages of evaluating the claims history associated with cyber insurance policies. For the past several years, insurers have been grappling with how to underwrite the risks that will be insured, how to offer the “right” limits, and how to appropriately price the policies, both in terms of premiums and self-insured retentions.

So far, there is anecdotal evidence to support the proposition that some of the headline-grabbing data breaches involved recovery of at least some cyber insurance. But we have not yet seen the emergence of hotly contested coverage litigation associated with new cyber insurance policies. Rather, most court battles addressing security and data breaches continue to focus on the availability of coverage under “traditional” insurance policies.

In some instances, we have seen insurers pay a claim because there was an extremely low sub-limit and the insurer recognized that the scope of the loss far exceeded any coverage fight worth having. In other instances, we have seen policyholders manage the size and scope of the risk to a level that stays within the (often very high) self-insured retention such that the insurer is not required to pay.

But earlier this year, there was an interesting lawsuit filed that suggests insurers may be prepared to pay their insureds’ claims and then pursue recovery from responsible third parties. In that case, Travelers Casualty and Surety Co. of America paid a claim submitted by its policyholder for a security breach that resulted from a hacking event.

The policyholder, Alpine Bank, had hired a professional designer to design the company’s website and maintain the host server. Hackers accessed the website and gained entry to customer information. As a result, the policyholder was required to incur significant breach-notification costs.

Travelers paid the claim and then sued the designer, alleging that the designer failed to place basic anti-malware software on the server and failed to maintain adequate encryption controls over the customer data. It is premature to predict the outcome of the lawsuit. Nevertheless, it does offer some hope that insurers intend to stand by the coverage provided under cyber policies and then take up the fight to pursue responsible third parties for breach events.

How Do We Maximize Recovery?

There are two critically important steps that companies must take to maximize the likelihood and amount of their insurance recovery under cyber policies.

First, companies must take great care to conduct detailed and comprehensive due diligence during the application process of buying the cyber policies. Many insurers are requiring prospective insureds to supply a warranty letter along with a formal insurance application before issuing the cyber policy. Policyholders are well served to provide more, not less, information from the appropriate constituencies in connection with these requirements. Robust disclosure will reduce an insurer’s attempt to cry “foul” after a loss has occurred.

Second, companies must understand the importance of providing timely written notice after a loss, even if the loss may not exceed the retention. The new cyber policies are written on a “claims-made” basis such that a delay in providing notice of the claim may result in complete forfeiture of coverage. Moreover, insurers will not give credit to dollar amounts spent against the retention unless and until they are on notice of a claim.

PWC: http://ow.ly/T4rW2
Security Affairs: http://bit.ly/1OihiBM
WW2: http://bit.ly/1jMcrOj
