Cyber Liability Insurance’s Data Problems

Uploaded on 2015-09-29 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

 
Cyber liability insurance is becoming an increasing necessity for businesses

Cyber liability insurance is becoming an increasing necessity for businesses and could easily become a requirement similar to E&O insurance not just for large corporations, but also small- to medium-sized businesses. The challenge is to properly understand how much coverage, as well as the scope of the coverage, organizations need to properly offset cyber risk.

KPMG recently conducted a survey where they discovered 74 percent of businesses do not have any sort of cyber liability insurance. Of those that did have cyber liability insurance, only 48 percent believed their coverage would cover the actual cost of a breach. The sentiment amongst those surveyed is that the market for cyber liability insurance is not mature, and lacks the comprehensive packages to provide adequate coverage.

I asked one insurance agent at a dinner how much coverage should businesses buy, his answer was simple: “As much as they are willing to buy.” Although the insurance agent’s answer was tongue-in-cheek, there is an element of truth to it.
Much like deployment of security infrastructure, cyber liability insurance follows the law of diminishing returns. You can pay for 100 percent coverage for every possible instance, but the costs of your policy can easily scale beyond what the actual cost of a breach may be – still, there is no guarantee every possible aspect will be covered.

One of the reasons that the costs of cyber liability insurance can skyrocket is the insurance industry’s own ambivalence and the unknown risks associated with cyber security. The insurance industry is one of the most data-driven industries there is, and cyber security is still relatively new, volatile and unpredictable, with very limited data to understand impact and frequency.

When it comes to more traditional forms of insurance, there is a wealth of data that can be mined to understand risks and they are easily quantifiable – home-owners insurance is limited to the cost of the house and its contents, for example.
When it comes to cyber liability the risks are much more diverse and widespread, depending on multiple factors, such as the data your organization stores from customer data to intellectual property and the cascading effect that can have on the costs of a claim.

A good way to look at the challenges cyber liability insurance is to compare it to car insurance. The cost of an insurance policy incorporates two key factors: the vehicle and the driver. Simple enough right? Actually, not so much.
When it comes to your car insurance premiums the insurance industry uses ISO Symbols, which are metrics used by Insurance Services Office, Inc. (ISO) to match premiums to particular types of cars and associated losses. The ISO Symbol is a dynamic metric that changes based on what the insurance industry experiences in actual claims with regards to these losses.

The ratings incorporate a number of factors, including the cost of repairs, damage to other vehicles, injuries, frequency of theft, among others. The ISO offers two symbols in their rankings – the first is Personal Auto Physical Damage and the other is Liability and PIP/Medical Payments – one ranking for damage to the vehicle itself, and another for the damage the vehicle causes to other vehicles, as well as passengers.

The liability and comprehensive coverage is the tricky part when it comes to cyber liability coverage, as you are dealing with the collateral damage of customer data and other elements. The liability costs associated with a breach can be unpredictable once you factor in things like breach clean up, external forensic teams, identity theft monitoring, lawsuits and fines, as well as other factors like dips in share price, damage to brand reputation and consumer confidence.
Most of these elements are trickier to quantify and are often not elements covered by cyber liability insurance.
The other factor in car insurance is the driver, their driving record and general trust that they can safely operate a vehicle. Insurance companies make similar appraisal’s of businesses, identifying the likelihood they will be victims of a breach, as well as the scope.

Over the past several years the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD), brought several insurance carriers, risk managers and security experts to examine the current state of the cyber liability insurance market and how to best advance its capacity to incentivize better cyber risk management.
The group identified four “pillars” of an effective cyber risk culture that carriers had identified as particularly attractive from an underwriting perspective:
The first two elements are about establishing “safe drivers” of cyber security, starting with leadership who are engaged in the security of their infrastructure, followed by a culture of security through educating employees. The third factor with regards to “cost-effective technology investments” is like safety features in your vehicle, ensuring that organization have proper security controls, processes and frameworks in place.

The fourth pillar from the NPPD is about sharing of information both amongst organizations as well as with insurance companies so they can better understand risk. The insurance industry is seeking to enhance their ability to quantify cyber risk through anonymized cyber incident data repository, as well as through enhanced cyber incident consequence analytics, which requires access to more data on cyber incidents. This process will take time and a high level of collaboration between insurers and industries they are seeking to cover.

Although cyber liability insurance is still maturing, the need for it has never been greater. It is critical for businesses to understand how it can help curb risk, as well as its limits and restrictions. Security leaders need to understand their role in helping the insurance industry either through sharing of information, or providing greater transparency with regards to practices and metrics.

Tripwire

 

« Cyber Peace? The U.S and China Reach an ‘Understanding’
8 Ways to Fend Off Spyware »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Exploit Database (EDB)

Exploit Database (EDB)

The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.

Trustwave

Trustwave

Trustwave is a leader in managed detection and response (MDR), managed security services (MSS), consulting and professional services, database security, and email security.

Citicus

Citicus

Citicus provides world-class security, risk and compliance management software, plus supporting services.

Schneider Electric

Schneider Electric

Schneider Electric develops connected technologies and solutions to manage energy and process in ways that are safe, reliable and sustainable.

Crypta Labs

Crypta Labs

Crypta Labs is an Award Winning IOT Security startup that is developing a quantum-based encryption chip to secure the Internet of Things.

IoT Security Institute (IoTSI)

IoT Security Institute (IoTSI)

IoT Security Institute is an academic and industry body dedicated to providing frameworks and supporting educational services to assist in managing security within an Internet of Things eco-system.

CSC Digital Brand Services

CSC Digital Brand Services

Our brand protection and security expertise give our customers peace of mind that no matter how fast the digital world changes, their intellectual property and digital assets will be secure.

Research Institute in Verified Trustworthy Software Systems (VeTSS)

Research Institute in Verified Trustworthy Software Systems (VeTSS)

The main purpose of VeTSS is to support program analysis, testing and verification, to achieve guarantees of software correctness, safety, and security.

CyberRisk Alliance (CRA)

CyberRisk Alliance (CRA)

CyberRisk Alliance is a business intelligence company created to serve the rapidly evolving cybersecurity and information risk management marketplace.

Have I Been Pwned (HIBP)

Have I Been Pwned (HIBP)

Have I Been Pwned is a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or "pwned" in a data breach.

Navisite

Navisite

Navisite is a combination of eight respected IT consulting and managed service providers that were brought together under the Navisite brand.

Picnic

Picnic

Picnic is a gritty, pioneering team of intelligence and cybersecurity specialists focused on solving the security challenge of our time - social engineering.

Zigrin Security

Zigrin Security

Zigrin Security offer comprehensive, hands-on security testing of internal networks, applications, cloud-based solutions, e-commerce applications and mobile devices.

American Technology Services (ATS)

American Technology Services (ATS)

American Technology Services provides unparalleled services in information technology to support small and mid-sized business. From top-level strategy, to managed services and infrastructure support.

Threatsys Technologies

Threatsys Technologies

Threatsys’s Integrated cyber security process helps your organizations to ensure that it’s secure from any fraudulent attacks.

Skylark

Skylark

Skylark is a leading global IT services provider, transforming client’s businesses through innovative and advanced technology solutions.