Cyber Liability Insurance’s Data Problems

Uploaded on 2015-09-29 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

 
Cyber liability insurance is becoming an increasing necessity for businesses

Cyber liability insurance is becoming an increasing necessity for businesses and could easily become a requirement similar to E&O insurance not just for large corporations, but also small- to medium-sized businesses. The challenge is to properly understand how much coverage, as well as the scope of the coverage, organizations need to properly offset cyber risk.

KPMG recently conducted a survey where they discovered 74 percent of businesses do not have any sort of cyber liability insurance. Of those that did have cyber liability insurance, only 48 percent believed their coverage would cover the actual cost of a breach. The sentiment amongst those surveyed is that the market for cyber liability insurance is not mature, and lacks the comprehensive packages to provide adequate coverage.

I asked one insurance agent at a dinner how much coverage should businesses buy, his answer was simple: “As much as they are willing to buy.” Although the insurance agent’s answer was tongue-in-cheek, there is an element of truth to it.
Much like deployment of security infrastructure, cyber liability insurance follows the law of diminishing returns. You can pay for 100 percent coverage for every possible instance, but the costs of your policy can easily scale beyond what the actual cost of a breach may be – still, there is no guarantee every possible aspect will be covered.

One of the reasons that the costs of cyber liability insurance can skyrocket is the insurance industry’s own ambivalence and the unknown risks associated with cyber security. The insurance industry is one of the most data-driven industries there is, and cyber security is still relatively new, volatile and unpredictable, with very limited data to understand impact and frequency.

When it comes to more traditional forms of insurance, there is a wealth of data that can be mined to understand risks and they are easily quantifiable – home-owners insurance is limited to the cost of the house and its contents, for example.
When it comes to cyber liability the risks are much more diverse and widespread, depending on multiple factors, such as the data your organization stores from customer data to intellectual property and the cascading effect that can have on the costs of a claim.

A good way to look at the challenges cyber liability insurance is to compare it to car insurance. The cost of an insurance policy incorporates two key factors: the vehicle and the driver. Simple enough right? Actually, not so much.
When it comes to your car insurance premiums the insurance industry uses ISO Symbols, which are metrics used by Insurance Services Office, Inc. (ISO) to match premiums to particular types of cars and associated losses. The ISO Symbol is a dynamic metric that changes based on what the insurance industry experiences in actual claims with regards to these losses.

The ratings incorporate a number of factors, including the cost of repairs, damage to other vehicles, injuries, frequency of theft, among others. The ISO offers two symbols in their rankings – the first is Personal Auto Physical Damage and the other is Liability and PIP/Medical Payments – one ranking for damage to the vehicle itself, and another for the damage the vehicle causes to other vehicles, as well as passengers.

The liability and comprehensive coverage is the tricky part when it comes to cyber liability coverage, as you are dealing with the collateral damage of customer data and other elements. The liability costs associated with a breach can be unpredictable once you factor in things like breach clean up, external forensic teams, identity theft monitoring, lawsuits and fines, as well as other factors like dips in share price, damage to brand reputation and consumer confidence.
Most of these elements are trickier to quantify and are often not elements covered by cyber liability insurance.
The other factor in car insurance is the driver, their driving record and general trust that they can safely operate a vehicle. Insurance companies make similar appraisal’s of businesses, identifying the likelihood they will be victims of a breach, as well as the scope.

Over the past several years the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD), brought several insurance carriers, risk managers and security experts to examine the current state of the cyber liability insurance market and how to best advance its capacity to incentivize better cyber risk management.
The group identified four “pillars” of an effective cyber risk culture that carriers had identified as particularly attractive from an underwriting perspective:
The first two elements are about establishing “safe drivers” of cyber security, starting with leadership who are engaged in the security of their infrastructure, followed by a culture of security through educating employees. The third factor with regards to “cost-effective technology investments” is like safety features in your vehicle, ensuring that organization have proper security controls, processes and frameworks in place.

The fourth pillar from the NPPD is about sharing of information both amongst organizations as well as with insurance companies so they can better understand risk. The insurance industry is seeking to enhance their ability to quantify cyber risk through anonymized cyber incident data repository, as well as through enhanced cyber incident consequence analytics, which requires access to more data on cyber incidents. This process will take time and a high level of collaboration between insurers and industries they are seeking to cover.

Although cyber liability insurance is still maturing, the need for it has never been greater. It is critical for businesses to understand how it can help curb risk, as well as its limits and restrictions. Security leaders need to understand their role in helping the insurance industry either through sharing of information, or providing greater transparency with regards to practices and metrics.

Tripwire

 

« Cyber Peace? The U.S and China Reach an ‘Understanding’
8 Ways to Fend Off Spyware »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

eco

eco

eco, with more than 950 member organizations, is the largest Internet industry association in Europe.

Fasoo

Fasoo

Fasoo provides data-centric security to protect data within the organizational perimeter and beyond by limiting access to sensitive data according to policies that cover both users and activities.

Decision Group

Decision Group

Decision Group are a Total Solution Supplier offering Network Forensics and Lawful Interception tools.

IGX Global

IGX Global

IGX Global is a provider of information network and security integration services and products.

Council for Information & Communication Technologies (CTIC)

Council for Information & Communication Technologies (CTIC)

CTIC was set up to address specific issues in the field of ICT relevant to the implementation of electronic government.

CyberQ Group

CyberQ Group

CyberQ is an award winning cyber security consultancy and services provider and an innovator in Artificial Intelligence and Automated Cyber Security.

Agio

Agio

Agio is a hybrid managed IT and cybersecurity provider servicing the financial services, health care and payments industries.

TM One

TM One

TM One is the enterprise and public sector business solutions arm of Telekom Malaysia Berhad (TM) Group.

Chainlink

Chainlink

Chainlink expands the capability of smart contracts by enabling access to real-world data and systems without sacrificing the security and reliability guarantees inherent to blockchain technology.

Sentor Managed Security Services

Sentor Managed Security Services

Sentor Managed Security Services is a cybersecurity company that enables organizations to exist in a digitally connected world.

Magna5

Magna5

Magna5 is a managed IT service provider focusing in network and server monitoring, backup and disaster recovery, cybersecurity, help desk and SD-WAN.

Sekur Private Data

Sekur Private Data

Sekur Private Data Ltd. is a Cybersecurity and Internet privacy provider of Swiss hosted solutions for secure communications and secure data management.

Astute Technology Management

Astute Technology Management

Astute Technology Management helps businesses take control of their technology and work with greater confidence.

Knowit

Knowit

Knowit support customers in the digital transformation, simplify people’s everyday lives and create secure and innovative solutions enabling a sustainable future.

Incode

Incode

Incode is the leading provider of world-class identity solutions that is reinventing the way humans authenticate and verify their identities online.

Amtivo Ireland

Amtivo Ireland

Amtivo Ireland (formerly Certification Europe and EQA) offers a range of certifications and related services.