Data that can be monetized is, simply put, a magnet for the bad guys. No matter whether your organization is big or small, if you have desirable data, you can no longer afford to wonder whether or not to invest in cybersecurity insurance.
“Are you in the risk zone?” asks Jeremiah Grossman, founder of WhiteHat Security, a Santa Clara, Calif.-based web application security company. “Do you have medical data or credit-card data? Are you a stock brokerage firm? Are you something like Ashley Madison? Can your data be used for extortion? It's not everybody who needs cyberinsurance, but it's a certain number of people and organizations.”
Grossman points out that the cybersecurity insurance industry, which barely existed five years ago, has been growing more than 60 percent per year over the past three years, with premiums totaling around $2 billion per year. It makes sense, he says.
“You can't escape the headlines that everything's getting hacked,” he says, adding that in survey after survey a solid 60 to 70 percent majority of CISOs say they expect to be hacked within the next 12 to 18 months. It's no surprise, then, that cybersecurity insurance is booming.
Eireann Leverett, senior risk researcher at Cambridge University's Centre for Risk Studies, says that it is often small businesses, typically late adopters, that need cybersecurity insurance the most.
Small businesses don't make enough to have an internal security program, Leverett says, and wouldn't know where to start if they did. “If you are a large company with a GRC, technical security program and incident response team, you are basically ‘self-insuring.’ You believe you can manage the risk internally and you probably have a war chest for incident response and clean-up costs associated with a breach.”
Any organization considering insurance needs to conduct a thorough risk assessment to understand what that insurance will be used to protect, and therefore what kind of investment it will require, says Adam Shostack, author of Threat Modeling and The New School of Information Security.
“When I say a risk assessment, what I'm thinking of is some attempt to assess the probability of loss and the magnitude of that loss,” he says. “So if we get broken into, and someone steals our customer database, it would cost us this much. The trick is to know why you're buying the insurance. When the payout comes, what are you going to do with that money to ensure the continuity of the organization and the business?”
After careful self-assessment, says Cambridge's Leverett, “you likely know something about where you're failing and where you're succeeding.” Perhaps you know the threat profile will be high during a specific period, he says. Perhaps an audit has turned up a systemic issue that cannot be handled for a predefined period. “This is where insurance can plug a gap, until technical control is regained.”
This is, Shostack says, a necessary starting point, because cybersecurity insurance only provides relief from certain kinds of losses. For the hard costs of financial losses that can be repaid, it is very useful. However, for the soft costs of loss of intellectual property or damage to reputation, its effectiveness is limited.
“The place to start with cyberinsurance is identifying the things that would be very expensive to deal with, but that money can solve,” he counsels. “One place cyberinsurance can make a lot of sense is around breach notifications and response.” In that scenario, a company would hire people to come in and do forensics, update the systems, write letters apologizing to customers and give them some credit monitoring and identity-theft insurance. It would set up a call center to answer the phones. “Each of these is a known, manageable and unbudgeted cost.”
However, Leverett underlines the need to consider insurance a tool rather than a cure-all. The question, he says, is not “What does cyberinsurance cover?” but rather “If I buy this policy, what will it cover?”