Data that can be monetized is, simply put, a magnet for the bad guys. No matter whether your organization is big or small, if you have desirable data, you can no longer afford to wonder whether or not to invest in cybersecurity insurance.
“Are you in the risk zone?” asks Jeremiah Grossman, founder of WhiteHat Security, a Santa Clara, Calif.-based web application security company. “Do you have medical data or credit-card data? Are you a stock brokerage firm? Are you something like Ashley Madison? Can your data be used for extortion? It's not everybody who needs cyberinsurance, but it's a certain number of people and organizations.”
Grossman points out that the cybersecurity insurance industry, which barely existed five years ago, has been growing more than 60 percent per year over the past three years – paying out premiums of around $2 billion per year. It makes sense, he says.
“You can't escape the headlines that everything's getting hacked,” he says, adding that in survey after survey a solid 60 to 70 percent majority of CISOs say they expect to be hacked within the next 12 to 18 months. It's no surprise, then, that cybersecurity insurance is booming.
Eireann Leverett, senior risk researcher at Cambridge University's Centre for Risk Studies, says that it is often small businesses – typically late adopters – who need cybersecurity insurance the most.
Small businesses don't make enough to have an internal security program, Leverett says, and wouldn't know where to start if they did. “If you are a large company with a GRC, technical security program and incident response team, you are basically ‘self-insuring.’ You believe you can manage the risk internally and you probably have a war chest for incident response and clean-up costs associated with a breach.”
Jeremiah Grossman, founder, WhiteHat Security
Eireann Leverett, senior risk researcher, Centre for Risk Studies, Cambridge University
Ira Scharf, general manager for worldwide cyberinsurance, BitSight Technologies
Adam Shostack, author of Threat Modeling and The New School of Information Security
Any organization considering insurance needs to conduct a thorough risk assessment to understand what that insurance will be used to protect, and therefore what kind of investment it will require, says Adam Shostack, author of Threat Modeling and The New School of Information Security.
“When I say a risk assessment, what I'm thinking of is some attempt to assess the probability of loss and the magnitude of that loss,” he says. “So if we get broken into, and someone steals our customer database, it would cost us this much. The trick is to know why you're buying the insurance. When the payout comes, what are you going to do with that money to ensure the continuity of the organization and the business?”
Subsequent to careful self-assessment, says CU's Leverett, “you likely know something about where you're failing and where you're succeeding.” Perhaps you know the threat profile will be high during a specific period, he says. Perhaps an audit has turned up a systemic issue that cannot be handled for a predefined period. “This is where insurance can plug a gap, until technical control is regained.”
This is, Shostack says, a necessary starting point, because cybersecurity insurance only provides relief from certain kinds of losses. For the hard costs of financial losses that can be repaid, it is very useful. However, for the soft costs of loss of intellectual property or damage to reputation, its effectiveness is limited.
“The place to start with cyberinsurance is identifying the things that would be very expensive to deal with, but that money can solve,” he counsels. “One place cyberinsurance can make a lot of sense is around breach notifications and response.” In that scenario, a company would hire people to come in and do forensics, update the systems, write letters apologizing to customers and give them some credit monitoring and identity-theft insurance. You set up a call-center to answer the phones. “Each of these is a known, manageable and unbudgeted cost.”
However, Leverett underlines the need to consider insurance a tool rather than a cure-all. The question is not “What does cyberinsurance cover?” he says, but rather, “If I buy this policy, what will it cover?”
Some policies cover extortion and others breach or brand damage, he says. Very few cover operational technologies and death or dismemberment due to cyberattack. Other contracts, such as technology E&O insurance, can cover vendors of technology from liability to users of their technology.
Buying cyber insurance may connect you to companies who can help protect you better, says Ira Scharf, general manager for worldwide cyber insurance at BitSight Technologies, a Cambridge, Mass.-based firm that offers a way for companies to rate the security performance of their internal systems.
“A good cyberinsurance policy will not only cover some or all of the potential financial loss from a breach, but it will also introduce the company to best-in-class cyberrisk mitigation strategies that can help mitigate a potential loss altogether,” he says.
This is useful because most would agree that security and insurance should not operate at the expense of one another, but rather as two separate functions.
“Both are important as part of a comprehensive cyber risk management strategy,” Scharf says. “Often cyberinsurance policies offer a discount on security products and risk mitigation tools. It's a good idea to ask about these benefits as they may help offset some of the costs.”
Yet at the moment, part of the reason that cybersecurity insurance rates are so high – averaging $10,000 per $1,000,000 in coverage – is that few actuarial tables exist to set base security standards.
WhiteHat's Grossman looks forward to a time when companies will be able to sell insurance according to an organization's level of vulnerabilities, their metrics and the amount of time they would require to recover from an attack. However, such actuarial understandings are rare today.
“What we really don't have as an industry is something like the FAA does: An understanding of how the hacks transpire,” he says.
For the moment, it's important to negotiate with insurance companies in order to settle on a policy with extensions and extra coverage that reflect your organization's needs and security level, Leverett says. He counsels companies to be honest with insurers about prior attacks they've suffered.
“I'd certainly be more likely to underwrite a company that had detailed records of previous incidents,” he says. “I'd even consider cutting the price if they could show me [how] previous breaches had improved the responses of the company.”
Still, discussions about cyberinsurance come down to knowing what the policy will cover – and what it won't.
“The worst-case scenario would be buying insurance, thinking you're covered, getting hacked, making a claim and discovering that it won't be paid,” Grossman says.
“When you're thinking about buying insurance, you're thinking in the jargon they use, which is ‘coverage’ and ‘exceptions,’” Shostack adds. “You want broad coverage and you want to make sure that the exceptions are controlled, and that you understand when they'll kick in.”
Exceptions can include things like “acts of war,” which, Shostack notes, is a situation no one can identify precisely. Were the 2012-2013 DDoS attacks acts of war? Was the Sony hack? By the same token, even the notion of basic negligence, which is used to dismiss insurance claims, is harder to define once it leaves the physical realm of cause and effect.
“There are lots of lists of advice that say you should do these things to be secure, but none of them will make you perfectly secure – the lists of things are somewhat different,” Shostack says. If a company carefully follows one list of security requirements (such as the 12 controls of the PCI Data Security Standard) but not another (such as the 20 of the NIST Cybersecurity Framework), he posits, can it be said to have been negligent?
The bottom line, all agree, is to buy insurance conscientiously and discuss these issues carefully with insurers. As a result, an organization gains the ability to develop its security in a manner tailored to its specific needs.
“Insurance is not a panacea,” Leverett concludes, “but it can be a tool in the tool box.”