Cybersecurity Insurance- A Catalyst for Security

By CIOReview | Wednesday, July 20, 2016

22 March 2016 witnessed the deadliest act of terrorism in Belgium’s history. Few hours after the bombing, the U.S. House Homeland Security Cybersecurity Subcommittee conducted a discussion session to explore the market-based incentives that cyber insurance can potentially bring to managing online risks and promoting wider adoption of cyber security industry best practices. After observing a few moments of condolence for the victims of the terrorist attacks, Subcommittee Chair Rep. John Ratcliffe broke the silence saying, “Attacks like these really cement the need for this committee to move forward with urgency on all fronts to try and prevent and protect Americans from attacks like these here in the United States.”

With the rise of the cost and frequency of cyber-related security threats, enterprises are openly accepting the buzzing cyber security insurance trend. However, the million-dollar question is how suitable it is within an enterprise security program to reduce the risk?

A Step towards Enhanced Security

Industry leaders like Symantec, McAfee, Fire Eye, and Verizon have reported whopping increases in the attack frequency over the last 8 quarters. Observing the rising security threats, numerous businesses are reassessing their security practices and strategies for amplified risk management. Hacks, breaches and network outrages not only import technological issues but also introduce financial repercussions, potential loss of customers and negative reputation in the marketplace. Forward thinking business owners are striving to adopt more-holistic approaches to security involving preventive measures as well as responsive plans. An efficient cyber security program embraces both these sides of the coin.

However, in the real world where program is defined and managed by humans—and humans make mistakes, the inevitable question that most CIOs face is how to be able to detect every attack before the damage is done or successfully mitigate every incident without negatively impacting the business. The most relevant answer to this question lies in cyber security insurance coverage.

An insurance agent named Steve Hasses through the American International Group (AIG) wrote the first cyber insurance policy in 1997. It was a third-party internet liability policy focused on the losses caused by viruses and hackers. Thereafter, the Dotcom bust in the early 2000s created a big opportunity for insurers to offer cyber insurance products to tech companies. Insurers took the opportunity to offer cyber policies that included property and liability cover, commonly called commercial general liability (CGL). Unfortunately, cyber risk insurance was unable to make it to mainstream insurance as a means of risk transfer, because the policies offered were extremely expensive with a restrictive insurance cover of cyber incidents.

Void in Progress

Though Cybersecurity insurance has been under the radar while discussing the economics of cyber attacks, it has grabbed immense spotlight recently. reports that the cyber insurance market generated $2.5 billion to $3 billion in revenue in 2015. PricewaterhouseCoopers estimates that these numbers will rise up to $7 billion to $8 billion by 2020. Another report by PwC reveals that the global cyber insurance market will reach $5 billion in annual premiums by 2018, and $7.5 billion in annual sales by 2020, from $2.5 billion this year. With the mounting high profile cyber attacks over the past years, cyber insurance premiums have skyrocketed. These figures explain the tremendously increasing sophisticated cyber attacks, indicating a rapid change in the underlying risk. In such a scenario, it is highly difficult to keep up risk analysis for underwriters and businesses alike.

The point that is noteworthy here is, “only two percent of companies in the U.S. have cyber insurance,” says Julian Waits, President and CEO of PivotPoint Risk Analytics. “The biggest problem is quantifying the risk—it’s not linear, actuarial information is immature, and therefore insurance companies are grappling with ‘how do we price this risk?’ And what and how much they need to buy, and what they’re actually getting in return.”

While planning to purchase cyber security insurance, companies find it challenging to display a picture of their risk, which is relevant to underwriters. This lack of capability to understand the exposure at all levels and the uncertainty is making risk pricing a challenge, pushing premiums to an all time high. Essentially, insurers hunt for a strong security culture within the company as a first step in risk triage. Apart from this, elements like industry, revenue size, geographical location, and actual assets at risk add to decision of pricing risk.

In the decades to come, initiative from the government along with industry efforts by insurance underwriters to better measure cyber-risk, can grab a reaction in meaningful ways regarding cyber insurance.

Ground for Cybersecurity Insurance

2011 Securities and Exchange Commission (SEC) guidance highlights that regulators observe cyber security insurance as an imperative component of a strong enterprise risk management strategy. It is capable of transferring financial risks of a security breach to the insurer. Like any other insurance program, cyber security insurance covers first and third party damages. First-party insurance plan envelops damage to digital assets, business interruptions and, sometimes, reputational harm. Whereas, Third-party insurance covers liability and the costs of forensic investigations, customer notification, credit monitoring, public relations, legal defense, compensation and regulatory fines. However, since the spectrum of cyber security threat is very broad, Daljitt Barn, director of cyber security at PricewaterhouseCoopers explains that the best approach to maintain the a secured environment, without excessive cost would be to first identify and secure the company's digital crown jewels, then quantify and insure the remaining risk.

More reason for CIOs purchase to cyber security insurance:

• Incentives- The support for market-based incentives such as insurance is increasing. That rewards strong cyber security programs with discounted premiums and broader coverage. The shortfall of powerful actuarial data to present risk and the alteration of underwriting process that validates the dynamic threat environment is a growing priority for the cyber security insurance industry.

• Insider Threats- As it is almost impossible to completely prevent attacks from inside, cyber security insurance typically provides coverage when the employee is the perpetrator, just like in the case of an external attack.

• Treating Security and Compliance Equally- Dealing with security as a compliance issue deviates the company from achieving real security, resulting in attaining a false sense of security. In spite of complying with the required standards, many companies still fall in the trap of data breaches.

• Monetizing the Cost of Security- CISOs find it challenging to quantify cyber security risks to the executive teams in terms of dollars. The premium charged by an insurance company can help them assess the exact amounts for risks.     

Future of Cybersecurity Insurance

In January 2016 the Morris, Ill., City Council bought a $2 million cyber security policy at an annual cost of $7,183. Now, there is a contrasting opinion regarding this decision. Could the city have used that money to better protect its data from cyber attacks or to train its staff to avoid a data breach in the first place?

Keeping aside the differences in view for and against the cyber security insurance, the current picture depicts its growing trend in the private sector and with more local and state governments. In addition, the majority of new technology contracts in government require vendors to carry cyber security insurance policies. Cyber insurance has improved and will continue to grow, becoming an important component of cyber security strategies in the public and private sectors.