SC Congress Atlanta: Insuring cyberspace
A panel of industry insiders at SC Congress Atlanta looked at cyber insurance and at what is driving the industry's rapid growth.
The product is not new, but, following a string of high-profile breaches over the past few years, it has come to more prominence, said Illena Armstrong, VP of editorial at SC Magazine, welcoming attendees and introducing the session.
Cybersecurity as an insurance product has evolved dramatically, said panelist Brook Dutcher, underwriting manager, technology and cyber at Tokio Marine HCC. And there's been no contiguous path with a lack of continuity in approach, he said.
Benchmarking has been challenging, he told the audience. “The nature of exposure is entirely different in various sectors.”
Adding to the lack of clarity is the fact that cybersecurity does not have the actuarial data underwriters traditionally look to when assessing risks. “Looking at the way data is handled and how it's located changes the style we've been taking with this risk,” Dutcher explained.
Tom Costin, who works with public institutions with a fiduciary responsibility, said he tends to look at cybersecurity insurance as a risk transference. “We need to understand the risk, and in order to understand a risk mitigation plan we look at likelihood and impact,” he said. The questions that need to be asked, he added, are: What are the costs? What kind of organization is it and what data is held? In the case of financial and health care organizations, there's high risk, he pointed out.
Further, when looking at cost it's necessary to look beyond the initial impact. There is more to the situation than direct costs, he explained, namely the effect on brand and reputation. “Having cybersecurity insurance makes your risk posture stronger,” Costin said.
It was the breach at retailer Target a few years back that set the precedent for responses to an attack, Dutcher said.
Cybersecurity insurance is really just another mitigating factor, Costin added. When responding to breaches and other cyber incursions, organizations need to have a response team in place, including a CISO, as well as technology, such as configuration management, and know how to work with it. “The importance of having a security framework is knowing where the risk is,” Costin said.
Last year was the year of the healthcare breach, with 100 million medical records exposed, Dutcher pointed out. “From our vantage point, we ask: ‘How do you assign a value to that risk, and what's the volume of records and the regulatory guidelines?’” As well, he added, what are the shareholders saying?
Organizations have to keep moving forward to assess and operate with a reasonable standard of care, Dutcher said. The point is to recognize where the important data is and segment it off, he said.
When asked how buyers can make sure they are covered, Dutcher explained that claims depend on a policy addressing specific aspects of exposure. This could mean reputation, regulatory fines, etc. “Carriers have different ways to assess risk,” he said.
Today, there are a myriad of market segments, he added. For example, an Uber driver will reach different levels of coverage as they log in to their app and pick up and drop off customers. The electronics can recognize the different situations, and coverage is switched to recognize the various steps.
As far as what goes into an evaluation, large organizations with revenue in excess of $500 million are perceived differently than smaller organizations, Dutcher said. “We're able to encourage companies to adapt reasonable business practices, such as NIST initiatives, to provide guidance for underwriting.”
And what about government entities, which often self-insure? Costin said cybersecurity insurance could help public institutions with a fiduciary responsibility by limiting risk to taxpayers. However, there was a caveat. “We need to be extremely careful in our measurement of risk.” He said he wasn't sure the tools were in place to measure that risk to the level of accuracy that would support his department's financial fiduciary responsibility. “Self-insuring is essentially the default, but we work to understand the risk budget,” he said.
It will be challenging, he added, to apply an older mindset to the emerging risk landscape, particularly the Internet of Things, which, he said, is designed to be promiscuous, opening the possibilities for a huge amount of exposure.