Year on year the information security industry faces a myriad of new challenges and considerations in keeping organisations safe. Over the last two years I’ve noticed a significant uptake in discussions about cyber insurance. This comes as no surprise, as risks to organisations have risen well beyond manageable levels, with a single cyber attack bringing down several major sites including Spotify and Twitter last year. The costs associated with such breaches can greatly impact bottom lines. GDPR (coming into effect in 2018), with possible fines of up to €20m or 4 per cent of a company’s annual worldwide turnover, will make matters worse and will likely see the demise of many unprepared businesses.
Investments in skilled personnel and technologies that include everything from firewalls to anti-virus to threat intelligence platforms will continue to provide the best returns when it comes to reducing risk. However, cyber insurance is also being debated as a valuable tool to help address some risk. Many insurers are already beginning to tap into this market to limit liabilities and others will likely jump on board. But it is essential to know exactly what policies they are offering and how they are valuing and risk rating your business.
There are numerous indicators showing that demand for cyber insurance will rise significantly in a short period. PwC, for one, estimates that annual gross written premiums will triple to $7.5 billion by 2020 from $2.5 billion in 2014. The London insurance market, the largest in the world, is predicting a surge in companies and individuals taking out policies against cyber attacks in 2017 after a 50 per cent rise last year. Allianz, meanwhile, forecasts the total written premium around the world to increase from the current $2.5bn to $20bn by 2025. These estimates indicate that the collective view among enterprise security and risk professionals is that cyber insurance may be a good idea, but it is important to remember that cyber insurance and security aren’t the same thing. Understanding the available options and your organisation’s overall risk exposure is key to knowing which cyber insurance path to follow, and there are two key considerations you must scrutinise first.
- Know what’s covered
There are currently no standard cyber insurance policies available. For example, Lloyd’s reported that they were seeing huge cyber insurance uptake, and last year introduced 15 different types of cover. Specific policy options available will likely vary between carriers and be dependent on what industry a company seeking insurance is in, potentially adding confusion.
Typical policies focus on covering first-party risk, in this case the organisation itself being at risk of suffering losses caused by attacks or breaches. Costs can come in many forms, including losses driven by business disruption, regulatory fines and claims from other parties who seek to recover related damages.
Before investing your organisation’s money in a policy, it is critical to understand some specifics. You’ll want to know what exclusions exist, what time period the policy covers, and the types of damages your carrier would provide compensation for after an incident has occurred.
Insurers typically won’t cover damages inflicted by foreign enemies or caused by acts of terrorism. Exclusions such as these could make it extremely difficult to receive compensation. Attribution is difficult at best, with many attackers deliberately leaving breadcrumbs that point investigators in a different direction, thus insulating themselves from discovery. Therefore, you should make sure you understand how the insurance company you are considering doing business with determines whether an attack was an act of terrorism or was carried out by a foreign enemy.
As for the time period that a policy covers, details around retroactive dates are extremely important to understand. If an attacker is in your network prior to the effective date of a policy but has not yet been discovered, it may be difficult to collect compensation for damages caused by the adversary. Most policies will not cover incidents that took place prior to their effective dates. Whether or not your organisation could offset the cost of an attack that took place in the past is extremely important, especially when you consider the typically long “dwell time” attackers remain inside systems before being discovered.
You must also consider that the impact to reputation and the future business losses that might occur as a result of an incident will not be covered, and that there are limits to the compensation amounts available. Depending on the risk being offset, even going through multiple policy carriers may not yield enough coverage to mitigate losses.
- Understand risk
The market for cyber insurance is still far from mature. Underwriters are new to the cyber risk field and are likely suffering from the same threat information overload that many organisations are experiencing today. Is risk being accurately assessed? Arguably there is a need for industry standardisation here too.
Insurance companies use a variety of tools, questionnaires and other techniques to assess risk levels prior to approving policies. However, you should not allow your organisation’s premiums to be established based solely on a carrier’s assessment. Before you engage, you should know what your organisation’s risk levels are, how mature its security programmes are, and what tools you have in place to defend against attacks.
To be in good stead you need solid programmes in place covering things like vulnerability management, threat intelligence and perimeter defence. Periodic third-party assessments will also help identify any gaps in your organisation’s network and what can be done to close them.
Without understanding your current security posture, your attack history and your lines of defence, you are likely placing your organisation at the mercy of underwriters’ assessments, which could lead to over-priced premiums or outright rejection.
When it comes to security, your organisation’s highest priorities should continue to be centred on employing the right talent, ensuring effective communication, and developing an educated, security-conscious workforce and culture.
Most importantly, always place security first. Risk ratings are meaningless unless you have relevant, valuable threat intelligence to understand how vulnerable your business is and where its weaknesses lie. All of the cyber insurance in the world can’t actually defend you from advanced cyber threats, attackers, malicious insiders and heavily-backed nation state actors.
By Travis Farral, Director of Security Strategy at Anomali