Cyber Liability Insurance’s Data Problems

Cyber liability insurance is becoming a necessity for a growing number of businesses and could easily become a standard requirement, much like errors and omissions (E&O) insurance, not just for large corporations but also for small- and medium-sized businesses. The challenge is to understand how much coverage, and what scope of coverage, an organization needs to properly offset its cyber risk.

KPMG recently conducted a survey in which 74 percent of businesses reported having no cyber liability insurance at all. Of those that did have it, only 48 percent believed their policy would cover the actual cost of a breach. The sentiment among those surveyed is that the market for cyber liability insurance is not mature and lacks the comprehensive packages needed to provide adequate coverage.

I asked one insurance agent at a dinner how much coverage businesses should buy; his answer was simple: “As much as they are willing to buy.” Although the insurance agent’s answer was tongue-in-cheek, there is an element of truth to it.
Much like the deployment of security infrastructure, cyber liability insurance follows the law of diminishing returns. You can pay for 100 percent coverage of every conceivable incident, but the cost of such a policy can easily exceed what a breach would actually cost you, and even then there is no guarantee that every possible loss will be covered.

One of the reasons the cost of cyber liability insurance can skyrocket is the insurance industry’s own uncertainty about how to price the risk. Insurance is one of the most data-driven industries there is, and cyber security is still relatively new, volatile and unpredictable, with very limited historical data on the impact and frequency of incidents.

For more traditional forms of insurance there is a wealth of data that can be mined to understand risk, and the exposures are easily quantified: homeowners insurance, for example, is bounded by the value of the house and its contents.
With cyber liability the risks are far more diverse and widespread. They depend on many factors, such as what data your organization stores (from customer records to intellectual property), and on the cascading effects a breach can have on the eventual cost of a claim.

A good way to look at the challenges facing cyber liability insurance is to compare it to car insurance. The cost of a policy incorporates two key factors: the vehicle and the driver. Simple enough, right? Actually, not so much.
When it comes to your car insurance premiums, the industry uses ISO Symbols, metrics maintained by Insurance Services Office, Inc. (ISO) that match premiums to particular types of cars and the losses associated with them. The ISO Symbol is a dynamic metric that changes based on what insurers experience in actual claims for those losses.

The ratings incorporate a number of factors, including the cost of repairs, damage to other vehicles, injuries and frequency of theft, among others. ISO publishes two symbols: one for Personal Auto Physical Damage and one for Liability and PIP/Medical Payments. The first rates damage to the vehicle itself; the second rates the damage the vehicle causes to other vehicles and the injuries it causes to passengers and other people.

The liability side is the tricky part when it comes to cyber liability coverage, because you are dealing with the collateral damage to customer data and other third parties. The liability costs associated with a breach can be unpredictable once you factor in breach clean-up, external forensic teams, identity theft monitoring, lawsuits and fines, as well as softer costs such as dips in share price and damage to brand reputation and consumer confidence.
Most of these elements are difficult to quantify, and many of them are not covered by cyber liability insurance at all.
The other factor in car insurance is the driver: their driving record and the general trust that they can safely operate a vehicle. Insurance companies make similar appraisals of businesses, estimating both the likelihood that they will be the victim of a breach and the likely scope of one.

Over the past several years the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) has brought together insurance carriers, risk managers and security experts to examine the current state of the cyber liability insurance market and how best to increase its capacity to incentivize better cyber risk management.
The group identified four “pillars” of an effective cyber risk culture that carriers consider particularly attractive from an underwriting perspective: engaged leadership, security education and awareness for employees, cost-effective technology investments, and information sharing.
The first two pillars are about establishing “safe drivers” of cyber security, starting with leadership that is engaged in the security of the organization’s infrastructure, followed by a culture of security built through employee education. The third pillar, cost-effective technology investments, is the equivalent of the safety features in your vehicle: it means ensuring the organization has proper security controls, processes and frameworks in place.

The fourth pillar, information sharing, covers sharing among organizations as well as with insurance companies so that insurers can better understand risk. The insurance industry is seeking to improve its ability to quantify cyber risk through an anonymized cyber incident data repository and through better analytics of incident consequences, both of which require access to more data on actual cyber incidents. This will take time and a high degree of collaboration between insurers and the industries they seek to cover.

Although cyber liability insurance is still maturing, the need for it has never been greater. It is critical for businesses to understand how it can help offset risk, as well as its limits and exclusions. Security leaders also need to understand their role in helping the insurance industry mature, whether by sharing incident information or by providing greater transparency about their security practices and metrics.

Tripwire