Cyber insurance, like other forms of insurance, is a double-edged sword: it’s costly, but it can be a wise investment that protects an organization from cyber risks and breaches.
While many enterprises have some form of cyber insurance coverage, only 26% have a standalone policy that specifically addresses cyber risk, according to Heidi Shey, a principal analyst at Forrester.
This is a relatively new thing that “the market has forced into existence,” Shey said. It was spurred by the Petya malware in 2017. “Up until then there were silent cyber policies that sort of covered cyber,” she notes, but “it was not clear what they would and wouldn’t cover. That caused lawsuits about payouts.”
The insurance sector realized it had to be very clear about what policies would cover, which led to standalone cyber policies that are very specific, she said. For example, cyber risk can be more than a breach: some policies will cover an organization that has been hit by ransomware that causes a business interruption. They could also cover business email compromise (BEC), which is not necessarily a breach, Shey noted.
For most industries, only between 30% and 40% of businesses have cyber insurance policies, and those are mainly large enterprises, says Tara Wisniewski, an executive vice president at the nonprofit cybersecurity training firm ISC2.
“As can be expected, businesses with billions in revenue are far more likely to purchase cyber insurance coverage than small-to-midsize businesses or organizations with more minimal revenue or perceived lower risk,” Wisniewski says. “The most uninsured industries tend to fall under critical infrastructure, likely because they face extreme cyberattacks, both in terms of quantity and impact, and therefore struggle to get insurance providers to cover their organizations.”
Wisniewski adds that “insurers don’t want to take on such monumental risk, especially after seeing an attack like the Colonial Pipeline ransomware incident.”
Risks of not having cyber insurance
When you opt not to get a standalone cyber insurance policy, you’re on your own covering the costs of recovery after an attack.
“For some companies, that may be okay if they’ve set aside money for this purpose and they may not need cyber insurance,” says Shey. “But your third-party partners might request it, even if your company has mature security controls in place.”
“Having cyber insurance means there’s money set aside to pay off ransoms from cyber criminals, cover legal expenses associated with cyber incidents and cover any additional monetary ramifications of a hack or data breach,” Wisniewski says.
When you don’t have that insurance partner and policy, you’re putting your organization at risk of having to scrape the money together to deal with these negative impacts of a cyber incident, she adds.
Yet, despite these dire scenarios, the experts all say cyber insurance should not be mandated.
“It should be a strategic choice for a company to transfer certain business risks associated with cybersecurity threats, which exceed an acceptable level of risk, to an insurer,” says Kayne McGladrey, a senior member of the IEEE. “The expectation is that the insurer will help lessen the financial impact of significant cyber incidents or data breaches.”
However, this approach assumes companies maintain risk registers with clear definitions and measurement criteria for various risk categories, he notes. “It also presumes they use compliance operations to continuously assess the effectiveness of their current controls in reducing or mitigating these risks.”
A pricey proposition
Further, not all companies can afford cyber insurance, and finding adequate coverage can be challenging, observes Lee Kim, a cybersecurity attorney and faculty member at security advisory firm IANS Research. “Each company needs to conduct a cost-benefit analysis and look at the economic impact,” Kim says.
Cyber insurance is a smart investment if you can get it, says Wisniewski, “but prices on premiums are astronomical right now.” This is because, she says, insurers initially “underestimated the frequency and severity of cyberattacks, so they priced premiums pretty moderately until their loss ratios became unsustainable.”
This prompted them to raise premium rates by 75% between 2020 and 2021 and by 50% between 2021 and 2022, she says. “In a perfect world, yes, everyone would have cyber insurance, but to make it a requirement right now, presumably with a punishment for any organizations who didn’t hold policies, would be unreasonable.”
For organizations that want to explore cyber insurance, an experienced broker can assist in obtaining a policy; however, policies and brokers vary in quality, McGladrey points out. “To acquire a policy that aligns with a company’s needs, the company must be prepared to be forthcoming about its internal controls and the effectiveness of these controls’ regular operation.”
They also need to “review past incidents where they have utilized insurance to determine whether their current policies fulfill their needs, specifically regarding the circumstances where insurers either partially or fully covered a claim related to an incident or security breach,” he says.
Determining your needs
Insurance brokers can lay out what is most likely to be required to obtain a policy so you can preemptively put some of the basics in place if you haven’t already done that, Wisniewski says. To determine what coverage you actually need, “it is also imperative to accurately assess your organization’s risk. This will require gaining full visibility into your security stack and understanding how your products interact with each other and with your employees,” she says. “If you don’t know what you have and what risks you’re facing, you can’t have an accurate picture of your needs.”
Kim agrees, adding that “you should also take into account the level of effectiveness. Consider, too, the financial impact of what could potentially go wrong.”
It’s important that CISOs discuss these issues with their legal and finance teams. Risks to consider include data confidentiality and integrity, liability, network security, business interruption, IT disruption, and cyber fraud and theft, Kim says.
Begin by conducting a risk assessment to identify which new, emerging, or existing risks might impact your organization, McGladrey says. “Evaluate the effectiveness of your controls in mitigating these risks. Ensure senior management agrees on their risk tolerance levels for each defined category, taking into account that this varies not only by industry and region but also by macroeconomic factors.”
Insurance should be considered when there are risks exceeding the established tolerance levels, he says. “At this stage, enhancing or modifying controls may be a more effective approach to minimize the risk before considering transfer.”
Additionally, the team assessing cyber insurance policy options should have regular, direct communication with the go-to-market team, McGladrey adds. This keeps the policy aligned with the coverage requirements that emerge from customer contract negotiations, which streamlines future deals.
“For instance, if your analysis suggests the need to transfer risk worth one million dollars, but the go-to-market team regularly encounters requirements for two million dollars in coverage, it may be more efficient to opt for the larger policy. This approach could prevent extensive, time-consuming and unnecessary negotiations when a client insists on a minimum insurance coverage limit.”
The elements to incorporate to ensure a comprehensive policy
Understand what is covered and what is excluded from your cyber liability policy and the extent to which any other insurance policies you have may cover cyber risk, Kim advises. There should also be alignment with your broker on what you believe are the cyber risks that should be covered and what is actually underwritten.
Also, make sure that the policy covers not just your data, but data that is held by vendors or other third parties and their subcontractors, she stresses. “The insurance company should have a breach hotline that is staffed 24x7x365. If you have an incident, the company should be responsive,” regardless of the time.
What to include in a policy also depends on your business objectives and industry, but for starters you’ll need to have the basics in place, Wisniewski says. “This includes having an incident response plan, employee cybersecurity training, multi-factor authentication, backups, firewalls, antivirus software, control of users’ access permissions and more.”
She recommends talking to multiple insurance carriers and brokers to understand what they consider to be comprehensive plans, and partnering with a cybersecurity risk management company to help guide you, if needed.
Ultimately, it comes down to your comfort level, says Shey. This is why it’s helpful to bring your legal counsel into the conversation: they can advise on contractual obligations and help assess the cost of a business disruption event or breach that would expose the organization in some way.
“That might give you a better sense of what deductibles make sense and what you may want to have included in your policy,” Shey says. “The company needs to work out potential scenarios around business email compromise or something super mission-critical … and pose that scenario and map it out to a broker and cost of recovery, to get a rough sense of what it would cost on your own versus having insurance and what’s acceptable to you.”
In the final analysis, you need to figure out what the financial and reputational fallout from a cyber event would be without cyber insurance.
“Having an insurance policy can help maintain the financial stability of an organization or reduce the financial impact after a significant cybersecurity incident,” McGladrey says.
“The biggest risk is that a company might be forced to close its doors for not having adequate cyber coverage, or no coverage at all,” Kim says. “In the case of a massive breach, there can be regulatory fines, costs for forensic investigations, public relations costs, legal fees and more.”