Cybersecurity insurance companies and news outlets report large data-loss scandals so often that it is easy to imagine the impact on businesses. For business owners seated at their workstations, an average week might bring an official-looking email purporting to be from Microsoft, complete with a curious attachment. A single curious click on that attachment could open a backdoor that invites a data breach, leading to costs that cannot be quantified in advance.
In this blog post, we examine who is leading the charge in proactive compliance measures, and what insurance risks are typically insured. We also look at how specialized cyber-insurance providers are influencing security measures. Our conclusion offers some predictions with suggestions for action.
Why Cybersecurity Insurance Providers are Extending Their Reach Beyond Mere Indemnity
Indemnity is one of the most basic insurance principles. It is the process by which an insurer puts the insured back to the position they were in before they suffered a financial loss, due to falling foul of an identified peril covered under an insurance policy.
But, before insurers can indemnify businesses against risks, they must first identify them, including what remediation activity they expect of their policyholders.
Just over one year ago, Insurance Business Mag and Allianz predicted that, by 2025, the cybersecurity insurance market would reach $20 billion. But, just this month, Skyquest put that figure at almost $80 billion!
Traditionally, insurers have used automated algorithms to quantify risk. This ensures they are able to continue to offer competitive premiums in the face of comparison sites and astute financial directors. If a risk is deemed low, then the corresponding premium is low.
Insurers do not simply rely on AI to identify, define, and calculate the risks and associated premiums. They will also:
- Assess the risks posed by malicious hackers
- List potential perils in your insurance documentation
- Calculate the likelihood, frequency, and cost of customers making a claim
- Underwrite the terms of the cover, including any excess payment
- Include proactive, precise security measures you must take to secure your data
- Provide a proposal for you to consult before agreeing to the terms
- Set the premium accordingly
You can also expect that they will reassess the risk, and adjust the cover and premium year after year. This may depend, partially, on whether you’ve made a claim and on how many other similar claims are negatively affecting their bottom line.
Who Is Leading the Way?
Do legislators, security professionals, or insurers drive the impetus for more secure online services, web applications, and data management?
In a sense, the answer is less important than a straightforward understanding that the requirements are becoming more onerous. Our sense is that security analysts are the ones who know what malicious hackers want and how they operate. Insurers have spotted a business opportunity to provide cover for such eventualities, while government legislators are in a position to enforce the public’s right to data privacy and safety with laws such as the California Consumer Privacy Act of 2018.
Let’s consider the main players.
Standards Led by Seasoned Security-Industry Experts
Vendors of any description must already abide by certain industry standards. Let’s consider just a few.
- First, there is the widely adopted Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council. It requires annual compliance validation, and data losses that result from non-compliance attract fines.
- ISO/IEC 27001 (Information security management systems) is a ubiquitous standard that defines how an organization should manage the security of its data.
- The OWASP Automated Threats to Web Applications Project brings together research and analysis of real-world automated attacks against web applications, producing documentation that helps operators defend against these threats.
Cybersecurity Insurance-Led Measures
Bruce Schneier, CTO of the Minneapolis firm Counterpane Internet Security, made some predictions in his 2001 paper, Insurance and the Computer Industry. Among his relatable observations, he noted that:
- Many of us install alarms on our business properties because doing so lowers our insurance premiums, rather than because it secures them
- Similarly, cybersecurity insurance providers might begin to demand precise cybersecurity measures in return for attractive premium discounts, for example:
  - Every organization with more than 25 staff may be required to have written and enforced password policies and to use password managers, both of which the industry has long encouraged
  - Web application vendors may be asked to supply documentary evidence of how they integrate the secure coding principles of the established, grassroots OWASP Top 10 list into their software development lifecycle (SDLC)
Government Legislation on Cybersecurity
You may be aware of some of these major pieces of government legislation:
- If you’re a California resident, California’s data privacy laws grant you the right to know what information organizations hold on you.
- If you work for, or on behalf of, a US federal agency, you’ll be required to operate within the Federal Information Security Management Act of 2002 (FISMA) and its related, practical National Institute of Standards and Technology (NIST) guidelines and standards.
- If your context is the healthcare industry, then you’ll have encountered the HIPAA and HITECH regulations. HIPAA has long operated to protect patient healthcare records. HITECH is newer: it stipulates that patients must receive a breach notification, and it sets out fines that reach $2m.
- Even the Defense Information Systems Agency (DISA) has published its own Security Technical Implementation Guides (STIGs), which are applicable to any connected computer systems.
You can find a longer list of legislation and industry standards in What is Penetration Testing in Cybersecurity?.
While those of us who work in the data security field welcome these regulations, the earliest iterations of government cybersecurity regulation tend to stipulate that processes should be established, written, and implemented, but they often fall short on the detail of how those processes are discharged. Legislators may lack the industry expertise to understand the nuances and prescribe precise measures. This is compounded by the frustratingly slow pace at which legislation progresses through the House of Representatives and the Senate.
The trick, as with all government-led measures that are subject to multiple layers of oversight, is keeping up to date with a host of advances in technology and behavior:
- The cybersecurity industry, its tools, and experts
- The savvy cybersecurity insurance companies that follow it
- The malicious hackers snapping at all our heels, who may find new, shiny attack surfaces exposed both by the same tools we use to scan our networks for vulnerabilities and by the technical possibilities offered by newer technologies such as ML and AI
What Perils Are Covered by Cybersecurity Insurance?
The risks you’re covered for are referred to as “perils.”
So, what perils are insured under cyber insurance policies?
Typically, a cybersecurity insurance provider will cover the following:
- Malicious hacks that attack your workplace’s endpoints, network, and other components
- Data breaches
- Some legal claims
- Some defamation claims
What many businesses may not know is that cyber insurance policies often leave policyholders to cover some of the considerable costs and shoulder other consequences that are not within the purview of “indemnity.” Many of these costs are simply unquantifiable in advance. They include:
- The time it takes to conduct an investigation into how the data breach occurred, figure out how to fix it, and prevent its recurrence
- The cost of recovering your company’s data
- The time and costs of complying with the relevant regulations and industry standards on the actions you must take following a data breach (for example, if some of your customers are in the EU, the GDPR requires you to notify the supervisory authority within 72 hours and to communicate the breach to the affected data subjects without undue delay)
- Malicious hackers’ financial demands (in the US these represent 47% of all malicious hacks)
- Preventative software or services
- Training for your C-suite, senior management, and staff
- Specialized upskilling for your security team
- The impact of a loss of reputation and income
- Purchase of new hardware, software, or security researcher or pentester services
- Additional legal costs
How Companies with Laissez-Faire Security Policies and Measures Will Be Treated by Cyber Insurers
Authors Daniel W. Woods from the University of Edinburgh in Scotland and Tyler Moore from the School of Cyber Studies at the University of Tulsa posed this question in their 2019 paper Does Insurance Have a Future in Governing Cybersecurity? The paper was published in IEEE Security and Privacy Magazine, an initiative of the Institute of Electrical and Electronics Engineers, which is headquartered in New York.
Their research suggested that limited, tiered, and weighted premiums may become de rigueur. Lax business owners may find:
- Fewer insurers to choose from on insurance comparison sites or with leading insurance brokers
- Reduced insurance coverage
- Increased premiums
Businesses that have endured the pain of contacting their insurance broker after an incident in order to make a claim, and of following that claim through to its tortuous conclusion, will understand the importance of getting this right:
- The specific incident may represent a peril that is not covered after all
- Claims may not be paid if the insurance coverage is deemed to be completely invalid due to:
  - Incorrect details recorded on the proposal and the subsequent insurance certificate
  - Insurance conditions not being fully met by the insured, even where those conditions bear no relation to the circumstances surrounding the incident
Our Cybersecurity Insurance Predictions
Although no one can say with certainty what the future will bring, here are some cyber insurance predictions to prepare you for what’s possible.
- The insurance market will offer more standalone cyber insurance policies and customizable options, such as integration with other risk assessment and management packages. Premiums may depend on preventative activities such as employee training.
- There will be an increasing demand from insurers for businesses to be more proactive.
- Although this might start out as a piecemeal effort, frustrated by the rapid pace of developments, we expect to see further and more specific requirements.
- Companies will start investing more in preventative actions such as the use of external experts to conduct cybersecurity audits.
- The upside is that proactive companies will enjoy premium discounts.
Are You Complying with the Letter of the Law as Laid Down by Your Insurers?
We appreciate that insurance jargon can be impenetrable. There have been moves within the industry to tackle its deserved reputation for obfuscating with legalese, not least former attorney and underwriter Kenneth S. Wollner’s book on How to Draft and Understand Insurance Policies.
However, there are some practical steps you can take to determine whether you are compliant with all the conditions of your cyber insurance policy:
- Read your policy booklet and write down two lists: what is already in place and what still needs to be tackled.
- Consult your schedule, proposal, and certificate documentation. Use this information to supplement your lists, paying close attention to any special conditions.
- For anything you do not understand, contact your insurer and ask for a plain-language breakdown. They are obligated by some states, such as California, to go through every aspect of the cover, processes, and claims when you purchase and renew your policy, to ensure that you understand what you’re signing.
- Assign your team to take responsibility for scheduling, prioritizing, and documenting each task.
- Establish the basics such as network security, firewalls, and antivirus.
- Consider booking a security audit that will delve into everything, including passwords and multi-factor authentication, data backups, and even vulnerabilities arising from your computer hardware (see Endpoint Detection and Response).
- Establish a regular schedule to revisit everything, including after you renew your policy when terms may have changed.
We’re Obsessed with Your Security
At this point, you may want to hire us to conduct a certified security assessment, vulnerability audit, or compliance audit to determine how your company rates against industry standards and the requirements of your cyber insurance company. We can also advise you about software or training to help you comply with your insurance underwriter’s standards, proposal, terms, and conditions.
If you need additional support, contact us today.