Cyberinsurance: How to take advantage of benefits and avoid pitfalls
Security | Jun 1, 2016
Data breach insurance, if it were like auto insurance, would be pretty straightforward: You run up a bill responding to a data breach or get into a fender bender, file a claim, the reimbursement comes in, and maybe the rate goes up a little as your risk rating increases a notch.
The trouble with data breach coverage – also referred to as “cyberinsurance” – is that it’s nothing at all like auto insurance, which has had a century of actuarial data from which carriers can determine premiums and reimbursement rules, said Chris Novak, director of investigative response for Verizon’s RISK Team in a presentation at Guidance Software’s Enfuse 2016 user conference. Auto insurance typically pays a higher share of the claim than even the best cyberinsurance will offer.
Novak, who isn’t affiliated with any insurance carrier but works with many of them in the course of his team’s data breach work, laid out some realities for the forensic investigators and data security executives in attendance:
- Cyberinsurance is in its infancy, having been around for only about five years.
- Many policies are written on the basis of answers to a 10-question form; some of the questions are vague, and the form is usually filled out by someone in a company’s financial or risk management office rather than by anyone in security.
- Acquisition of cyberinsurance typically comes with little or no involvement from the CIO, CISO, or other technology leaders.
- Often, the CISO, CIO, and forensics staff are unaware their company has purchased cyberinsurance.
- Carriers see cyberinsurance as an upsell to existing insurance packages, and a “greenfield” market with only about 20 percent of companies purchasing it in 2016; their customers see it as an add-on to existing coverage.
- The U.S. leads the world in companies insured – and it’s clear that wherever there’s mandatory breach reporting, cyberinsurance is gaining popularity; where it isn’t mandatory, few companies purchase it.
With this as a backdrop, Novak advised CISOs and CIOs to talk with their C-suite peers to find out whether their company has taken out cyberinsurance and, if so, what it covers. They should learn how much coverage is in place; which costs it covers (e.g. response, mitigation, regulatory fines, insider threats, call centers for affected customers, and internal and external communications); and what the carrier requires as a condition of coverage, such as regular risk assessments, specific security controls, and adherence to particular industry standards. A control the policy requires but the organization has not implemented is a likely basis for a denied claim.
Novak also recommended finding out what benefits come with the policy. Many carriers have found that certain programs greatly reduce breach mitigation costs, and so offer them as part of the premium: breach coaching, tabletop exercises in which outside experts walk the team through hypothetical breaches and responses, and negotiated deals with preferred vendors for discounted breach services and security controls that help CISOs and CIOs stretch their budgets.
Moreover, because the carrier has probably already negotiated service level agreements with its vendors, including breach-response firms, response and mitigation can start sooner when a breach occurs: the CISO isn’t left hammering out contract terms between a vendor and the finance department while the clock is running.
All this being said, Novak stressed that there is still a wild-west feel to cyberinsurance. Each breach is unique, costs are hard to predict and can spiral quickly, and mitigation efforts can take years to complete. Carriers are in the business of limiting liabilities and denying claims, so it behooves companies to know their policy’s rules and the limits of the coverage, and to recognize that the insurer’s requirements are probably based on standard practices that will make the network more secure, even if they aren’t exactly what the security team would have chosen on its own.
As an emerging product, Novak concluded, cyberinsurance will probably look much as it does now for the next five years, while carriers and their customers work through more breaches and claims. A decade from now, he predicts, 80 percent of companies will purchase it, and cyberinsurance processes will be much better understood and more predictable than they are today.
“Cyberinsurance will become a driver of security,” Novak said. “Right now, people are buying insurance as kind of, ‘If I have a security problem the insurance will be there,’ but 10 to 15 years from now people will be buying cyberinsurance, and insurers will say, ‘If you want this, you will have to do X.’ And whoever doesn’t have it, their customers, vendors and suppliers will expect you to have it and get it – and that bar will gradually move up.”