This article takes a look at the growing trend in “cyberinsurance” and questions whether we, as CISOs, should pursue this option for our organizations to minimize cyber risks.
To set the stage for our discussion, consider several statistics regarding cyberinsurance:
- Sixty-eight percent of U.S. businesses have not purchased any form of cyber liability or data-breach coverage, showing that businesses are not adopting cyberinsurance at a rate that matches the risks they face.
- “A majority of the 25 most-populous U.S. cities now have cyberinsurance or are looking into buying it.”
- “Legislation such as 2018’s EU General Data Protection Regulation (GDPR) is helping drive the demand for cyber insurance as healthcare providers, financial services firms, and companies in all industries are tasked with keeping user data safe — and recovering from data breaches and ransomware attacks.”
- “Market forecasts for cyber insurance policies range from $14 billion by 2022 to $20 billion by 2025, up from less than $1.5 billion in 2016.”
Personally, during the last few years of my tenure as a CISO, we looked into cyberinsurance on two occasions. We had a complex business environment comprised of typical corporate computing systems such as sensitive human resource and financial systems, point-of-sale systems, operational security-related (SCADA) systems and law enforcement systems. At the time, these diverse systems were scrutinized and audited under various cyber security frameworks, including outside auditors' reviews of compliance with generally accepted accounting practices, FISMA, and PCI-DSS, among others.
In the beginning...
In the first instance, we presented our PCI-DSS program which, as we were a Visa-designated Level 1 Merchant, had audit evidence provided by a third-party assessor regarding our compliance with the standard. At that time, significant credit card and point-of-sale security breaches influenced the focus of the insurance underwriter's overall view of our cyber security program. Additionally, I was able to provide insights into our security program regarding budget, security team numbers, roles and makeup, security systems and countermeasures, etc. We made a compelling argument as to the robustness of our cyber security program, so the matter really came down to a business decision as to what the cyberinsurance actually covered and at what cost.
The underwriters provided several options, that is, cyberinsurance providers with various permutations of coverages and premiums. The selection process was analogous to choosing a wireless telephone vendor: no plan provides exactly what you want, and every plan costs more than you want to pay. Fortunately, we had a separate department dedicated to our various insurance programs, since we had vast real estate holdings across the United States and other complex insurance needs. Having this cadre of insurance-savvy professionals was essential in wading through the morass of insurance-related jargon, legalese and other nuances. Ultimately, we decided not to purchase cyberinsurance due to the high premium costs and arguably less-than-adequate coverages. We would table cyberinsurance for a future time.
Well, the future time arrived and, under a new Chief Financial Officer, we decided to revisit cyberinsurance. This time, the exercise was more problematic than the first. Now the focus was on Industrial Control System (ICS) security, because it was the "hot topic" in cyber security. The underwriters decided to conduct a "focus group" type of exercise, comprised of key members of management from all areas of the company. A group of about 30 people gathered in the company's board room, and the exercise was facilitated by the underwriters.
Essentially, the group was asked a number of questions about their perspective on the company's ICS security. With all due respect, the group was not qualified to assess the company's ICS security. They had no knowledge or evidence beyond unsubstantiated perceptions on which to base the input they provided. Ultimately, the "tabletop" assessment report espoused a robust and secure ICS environment.
Just prior to our revisiting the cyberinsurance question, I had initiated an in-depth review of our ICS security using a trusted third-party security assessor. As may be typical of ICS in general (depending on the organizational structure), the ICS systems were not under the management of the IT department and, by extension in our case, the CISO. My ICS assessment team went into the proverbial "weeds" by scanning systems for vulnerabilities, checking server configurations, anti-malware systems, policies and procedures, etc. The review exposed the fact that our ICS environment did not comply with our corporate security program and was at significant risk of a breach.
We were in a dilemma, with two diametrically opposed views regarding the state of our ICS environment's security. Obviously, I sided with my team's assessment, based on factual evidence, over the perception-based "tabletop" exercise. Our in-house "insurance team" unsuccessfully looked for ways that the underwriters could save face in light of our security assessment. I retired before the matter was resolved, and I am not sure what the outcome was or whether the company bought the cyberinsurance.
The lesson learned is to be aware (and beware) of the assessment/review process that will be used to determine the state of your cyber security program for cyberinsurance coverages and premiums. An assessment built on management's perceptions can diverge sharply from one built on scan results, configuration reviews and audit evidence, and the underwriter's view of your risk will follow whichever one they commissioned.
Other things to think about with cyberinsurance:
Insurance companies may not cover cyber-attacks.
In 2017, snack foods company Mondelez International fell victim to the NotPetya attack, in which the company lost 1,700 servers and 24,000 laptops. When the dust settled, Mondelez had suffered $100M in losses, and Mondelez's insurer, Zurich Insurance, declined to pay, citing a common but rarely invoked clause in insurance contracts: the "war exclusion." The war exclusion protects insurers from being saddled with costs related to damage from war. Zurich argued that Mondelez was collateral damage in a cyberwar, since NotPetya was widely attributed to a nation-state. Also consider other items a policy may not cover, such as regulatory fines and settlements. Equifax, for example, will pay up to $700 million to settle with the Federal Trade Commission and others over the massive 2017 data breach that exposed the private data of nearly 150 million people. Read the exclusions and sub-limits in any proposed policy as carefully as the coverages.
Cyberinsurance is an immature industry.
Cybersecurity is a relatively new industry with a threat landscape that changes daily, so insurers lack the historical loss data needed to build reliable actuarial models. Additionally, they fear a costly accumulation of claims if a single attack were to hit many insured customers at once, as happened with the WannaCry and NotPetya ransomware outbreaks. Many policies were written around the costs of a personally identifiable information (PII) breach (notification, credit monitoring, legal fees) and may exclude or sharply sub-limit newer loss types such as ransomware payments, cyber extortion and business interruption.
Cyberinsurance isn’t a replacement for cybersecurity.
The concern is that once an organization has invested in cyberinsurance, it may become complacent about maintaining, investing in, and advancing its cyber security program. As we have seen, even the most "bulletproof" cyberinsurance policy may not cover all business losses after an attack, and a policy does nothing to prevent the attack itself.
When it comes to cyberinsurance, YMMV (Your Mileage May Vary). Every situation is different, and cyber threats evolve almost daily. Recognize that the cyberinsurance industry is still maturing, and the old adage still applies: "buyer beware."