Cyber Liability Insurance’s Data Problems

 

Cyber liability insurance is becoming an increasing necessity for businesses and could easily become a requirement similar to E&O insurance not just for large corporations, but also small- to medium-sized businesses. The challenge is to properly understand how much coverage, as well as the scope of the coverage, organizations need to properly offset cyber risk.

KPMG recently conducted a survey where they discovered 74 percent of businesses do not have any sort of cyber liability insurance. Of those that did have cyber liability insurance, only 48 percent believed their coverage would cover the actual cost of a breach. The sentiment amongst those surveyed is that the market for cyber liability insurance is not mature, and lacks the comprehensive packages to provide adequate coverage.

At a dinner, I asked one insurance agent how much coverage businesses should buy. His answer was simple: “As much as they are willing to buy.” Although the insurance agent’s answer was tongue-in-cheek, there is an element of truth to it.
Much like deployment of security infrastructure, cyber liability insurance follows the law of diminishing returns. You can pay for 100 percent coverage for every possible instance, but the costs of your policy can easily scale beyond what the actual cost of a breach may be – still, there is no guarantee every possible aspect will be covered.

One of the reasons that the costs of cyber liability insurance can skyrocket is the insurance industry’s own ambivalence and the unknown risks associated with cyber security. The insurance industry is one of the most data-driven industries there is, and cyber security is still relatively new, volatile and unpredictable, with very limited data to understand impact and frequency.

When it comes to more traditional forms of insurance, there is a wealth of data that can be mined to understand risks and they are easily quantifiable – home-owners insurance is limited to the cost of the house and its contents, for example.
When it comes to cyber liability, the risks are much more diverse and widespread, depending on multiple factors, such as the data your organization stores, from customer data to intellectual property, and the cascading effect that can have on the costs of a claim.

A good way to look at the challenges of cyber liability insurance is to compare it to car insurance. The cost of an insurance policy incorporates two key factors: the vehicle and the driver. Simple enough, right? Actually, not so much.
When it comes to your car insurance premiums the insurance industry uses ISO Symbols, which are metrics used by Insurance Services Office, Inc. (ISO) to match premiums to particular types of cars and associated losses. The ISO Symbol is a dynamic metric that changes based on what the insurance industry experiences in actual claims with regards to these losses.

The ratings incorporate a number of factors, including the cost of repairs, damage to other vehicles, injuries, frequency of theft, among others. The ISO offers two symbols in their rankings – the first is Personal Auto Physical Damage and the other is Liability and PIP/Medical Payments – one ranking for damage to the vehicle itself, and another for the damage the vehicle causes to other vehicles, as well as passengers.

The liability and comprehensive coverage is the tricky part when it comes to cyber liability coverage, as you are dealing with the collateral damage of customer data and other elements. The liability costs associated with a breach can be unpredictable once you factor in things like breach cleanup, external forensic teams, identity theft monitoring, lawsuits and fines, as well as other factors like dips in share price, damage to brand reputation and consumer confidence.
Most of these elements are trickier to quantify and are often not elements covered by cyber liability insurance.
The other factor in car insurance is the driver, their driving record and general trust that they can safely operate a vehicle. Insurance companies make similar appraisals of businesses, identifying the likelihood they will be victims of a breach, as well as the scope.

Over the past several years, the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) brought together several insurance carriers, risk managers and security experts to examine the current state of the cyber liability insurance market and how to best advance its capacity to incentivize better cyber risk management.
The group identified four “pillars” of an effective cyber risk culture that carriers had identified as particularly attractive from an underwriting perspective:
The first two elements are about establishing “safe drivers” of cyber security, starting with leadership who are engaged in the security of their infrastructure, followed by a culture of security through educating employees. The third factor, “cost-effective technology investments,” is like the safety features in your vehicle: ensuring that organizations have proper security controls, processes and frameworks in place.

The fourth pillar from the NPPD is about sharing of information both amongst organizations and with insurance companies so they can better understand risk. The insurance industry is seeking to enhance its ability to quantify cyber risk through an anonymized cyber incident data repository, as well as through enhanced cyber incident consequence analytics, which requires access to more data on cyber incidents. This process will take time and a high level of collaboration between insurers and the industries they are seeking to cover.

Although cyber liability insurance is still maturing, the need for it has never been greater. It is critical for businesses to understand how it can help curb risk, as well as its limits and restrictions. Security leaders need to understand their role in helping the insurance industry either through sharing of information, or providing greater transparency with regards to practices and metrics.

Tripwire

 
