How Much Cyber Insurance Is Enough?

Uploaded on 2017-01-30 in BUSINESS-Services-Financial, FREE TO VIEW, NEWS-Cybersecurity News

How a top security manager feels about cyber insurance often may have a lot to do with the type of company he or she works for.

Take Jim Motes, vice president for information security at Kohler, the large privately-held global manufacturer best known for its plumbing and other home products based in Kohler, Wis.

Motes says there are three broad areas most companies would consider cyber insurance for: to protect against breaches of B2C e-commerce or a breach at a physical retail store, protect intellectual property, trade secrets and the PII of employees and recover from a breach into a manufacturing facility, an IoT event.

“Since we don't do that e-commerce and have a minimal retail footprint, I don't see the value proposition in cyber insurance for B2C cases,” says Motes. “And with intellectual property, it's really difficult to come up with a financial value for what could potentially be lost. There are numerous variables to consider, such as who the attacker is, whether they are a nation-state or if they are a competitor that will try to use the information to gain some form of economic advantage.”

On the IoT front, Motes says he's very interested in how the cyber insurance industry plans on addressing the growth of IoT devices and the risk of cyber-related events targeting connected manufacturing facilities around the world.

“That's an area that makes sense for me,” he says. “While there's a definite financial number I can allocate for a day of downtime at a plant, from what I can tell, I don't know that anyone has developed a comprehensive insurance portfolio to address that scenario yet.”

Motes says for now, he's partnered with his security peers at four other Wisconsin companies.

“We've agreed to support one another if another member of our group suffers a breach,” explain Motes. “We are also able to call on one another to perform validation of our security controls, such as vulnerability assessments or pen tests.

Besides giving our teams more real-world experience, we offer each other additional training opportunities, and the members have augmented their security staff when it counts at no incremental cost. It's very difficult to find qualified security people, and this arrangement benefits all group members and their security teams.”

Making Some Progress

David Shearer, executive director of (ISC)2, says his organization has been focused on giving companies the tools to make financial determinations on a security breach so they can apply more accurate values to cyber-insurance.

“There's a lot of emphasis put on technical capabilities or whether a company is B2B, B2C or a manufacturer concerned about IoT security,” says Shearer. “What companies need is a way to put a value to a cyber event and explain it in a way that will make business sense to the people in the C-Suite so they can in turn explain it to the insurance company.”

Shearer says (ISC)2 recently entered into a partnership with RiskLens, which has developed a cloud-based enterprise risk management product that helps companies determine specific values to a security breach. The product combines modern analytics with the Factor Analysis of Information Risk (FAIR) methodology developed more than a decade ago by RiskLens co-founder Jack Jones.

Nick Sanna, CEO of RiskLens, says FAIR breaks an event down into two discrete categories. Primary loss includes downtime, and response and replacement costs. Secondary loss takes into consideration fines and judgments from criminal penalties, reputation loss (think Target or Home Depot), reimbursement of money stolen and the cost of credit monitoring services.

“Now, if something were to happen, the company can run an analysis of what a breach will cost,” explains Sanna. “It puts them in a better position to determine not only how much coverage they need, but the type of coverage the company needs.”

Jim Bramlett, director of risk management at Home Depot, says anything companies can do to work more closely with insurance companies definitely helps the process.

Bramlett says Home Depot had taken on cyber-insurance long before its major breach a couple of years ago, but adds that they now work more closely with the insurance companies than ever before.

“We have the underwriters point out what their areas of concern are,” he explains. “We then have our security team work with the insurance company's IT consultants to explain what the risks are.”

Roxane Divol senior vice president and general manager of website security at Symantec, adds that the insurance industry has also taken steps to better understand how to value cyber-insurance. She says Symantec has been working with many of the leading insurance companies over the past several months to help them better evaluate risk.

“The insurance companies need tools that give them a better sense of risk,” she says. “And while I know there's been a tendency on the part of CISOs not to take on cyber-insurance, they'd rather spend money on security infrastructure, I think more of them are seeing the need to take on a policy. Think of it like a homeowner, you'll put a dead bolt on your door but you also need homeowner's insurance. The same holds true with security. You need a good security infrastructure, but you also need cyber-insurance to cover a breach.”

Most analysts report that the cyber-insurance market will grow exponentially in the years ahead. PwC estimates that annual global spend on cyber-insurance premiums will grow from about $2.5 billion today to $7.5 billion by 2020.

In the United States, there's a vast opportunity for the insurance companies to cover manufacturers. According to the PwC study, only 5 percent of manufacturing companies in the United States hold stand-alone cyber-insurance, compared to around 50 percent in the health care, technology and retail sectors.

And even with more insurance companies entering the market, which moderated prices to an increase of only 5.2 percent in Q3 2016 compared to a 6.9 percent increase during Q2 2016, according to the Marsh Global Insurance Market Index, there's a ceiling on what insurance companies will cover.

Don Ulsch, a senior managing director at PwC, says the maximum a company can be insured for is about $500 million, but the reality for many companies is that it's tough to even get coverage for $300 million.

So what should Companies do?

Ulsch says companies need to understand their risk profile. One important factor is geopolitical risk. For example, do they do business in countries with higher than normal levels of fraud and cybercrime, like Russia and Eastern Europe?

Companies also need to use available tools to get a better sense of what a breach will cost. And they need to require third-party vendors to purchase cyber-insurance.

Bottom line: What the insurance company allows your company to buy may never be enough coverage for a serious breach. Target is the classic case, where the breach cost roughly $300 million and insurance from multiple carriers covered only about one-third. But that doesn't let companies off the hook.

CISOs must be readily available to give the company's top executives a more accurate picture of the actual financial risk. Today, what's covered can be as important as how much.

SC Magazine:            Making Sense Of Cyber Insurance:     Fear Factor: Pushing Up Cyber Insurance Costs:

 

« GCHQ Wants Teenage Girls To Join The Cybersecurity Fight
Cyberwar: How Prepared Is Nepal? »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CoSoSys Endpoint Protector

CoSoSys Endpoint Protector

Endpoint Protector by CoSoSys is an advanced all-in-one DLP solution for Windows, macOS, and Linux, that puts an end to unintentional data leaks and protects from malicious data theft.

Energy Sec

Energy Sec

EnergySec is a United States 501(c)(3) non-profit corporation formed to support energy sector organizations with the security of their critical technology infrastructures.

CloudHesive

CloudHesive

CloudHesive provides cloud solutions through consulting and managed services with a focus on security, reliability, availability and scalability.

National Cyber Security Centre (NKSC) - Lithuania

National Cyber Security Centre (NKSC) - Lithuania

NKSC is the main Lithuanian cyber security institution, responsible for unified management of cyber incidents, monitoring and control of the implementation of cyber security requirements.

Axiomatics

Axiomatics

Axiomatics provides dynamic authorization and access control solutions to protect critical data assets.

Praetorian

Praetorian

Praetorian is an offensive cybersecurity company whose mission is to prevent breaches before they occur.

Visa

Visa

Visa is a global payments technology company that connects consumers, businesses and banks in more than 200 countries and territories worldwide.

Ntrepid

Ntrepid

Ntrepid products provide protection from web threats and enable organizations to safely conduct their online activities.

e-Crime Bureau

e-Crime Bureau

e-Crime Bureau is a specialized company offering cyber/computer forensics, cyber security consulting services, forensic audit and investigations services and training to clients across Africa.

Cryptika

Cryptika

Cryptika is a fully integrated IT security and managed services provider, specialized in Next-Generation Cyber Security Technologies.

Akito

Akito

Akito was set up to become a point of reference in the ICT market for issues related to Security and in particular Cyber Security.

MedSec

MedSec

MedSec is the only company of its type focused solely on cybersecurity for hospitals and medical device manufacturers, offering both a cybersecurity software solution and consulting services.

Avrem Technologies

Avrem Technologies

Avrem Technologies is a business IT and cybersecurity consulting firm. We design, implement, manage and monitor the networks, servers, computers and software that our clients rely on each day.

CyberAntix

CyberAntix

CyberAntix offers Premium CyberSecurity for your business using an advanced Security Operations Centre technology and process platform reinforced by a steadfast and expert SOC team.

Universal Technical Resource Services (UTRS)

Universal Technical Resource Services (UTRS)

UTRS is a technology firm that delivers a wide range of engineering, technical, strategic, and digital services to the public and private sectors.

SoteriaSec

SoteriaSec

SoteriaSec is a premier cybersecurity firm providing comprehensive digital forensics and incident response services.