Cyberinsurance can be a valuable risk management capability in any small, medium or large organization’s tool box if it is properly understood and leveraged. It is even more relevant today, when many organizations accept that a cybersecurity incident is a question of “when,” not “if.” Cyberinsurance can reduce the financial impact of a cyberincident by recovering or offsetting the significant costs that are typically associated with incident response and recovery. At the same time, organizations should understand that the cyberinsurance industry and its products are still relatively immature and change regularly. Insurers are still developing and maturing their actuarial tables, financial models, conditions of coverage, and claims adjustment and payout practices so that they can manage risk within their own operations and remain profitable. This uncertainty means that organizations evaluating or adopting cyberinsurance need to track these changes and understand how they affect the effectiveness and intended benefits of the policies they purchase.
Information security professionals should understand the benefits, challenges and costs associated with purchasing and using cyberinsurance policies so that they can incorporate those policies into their information risk management and security strategies and programs. In some organizations, business leaders have become fatigued with cybersecurity and feel that cyberinsurance allows them to reduce their focus on and investment in it. This is a disconcerting situation that security professionals need to address proactively by clearly articulating the use cases, benefits and limitations of cyberinsurance to business leaders. There are five key areas an organization should consider when evaluating the adoption of a cyberinsurance policy:
- Identify objectives and expected benefits of cyberinsurance—The objective most often cited by organizations that acquire cyberinsurance is to mitigate the significant incident response costs associated with material cybersecurity incidents (e.g., data breach, ransomware, insider threat). While this benefit is obvious, there are others that may be strategically valuable to the acquiring organization as well. For instance, adopting cyberinsurance as part of an overall risk management strategy can demonstrate to customers, auditors, regulators and/or partners that the organization understands cybersecurity threats, vulnerabilities and risk and is committed to managing them effectively.
- Evaluate the conditions of coverage—Cyberinsurance premiums are typically set based on the types and volume of data an organization handles (e.g., personally identifiable information [PII], protected health information [PHI], intellectual property); the industries, geographies and environments in which it acquires, processes, transmits and stores that information; and the financial profile of the organization and the customers it serves. Cyberinsurance providers have developed their own risk assessment methods and practices that establish control requirements for obtaining reasonable premiums and, in some cases, will not provide any coverage unless significant controls are in place. Some organizations believe that they can reduce their investment in security capabilities and controls and are then surprised when the carrier requires more investment as a condition of coverage.
It is important for organizations to negotiate the conditions of coverage before purchasing a policy, or at least to have a clear understanding of the conditions that must be met for a claim to be paid. For instance, many cyberinsurance policies require that sensitive information for which the organization is a custodian be encrypted at rest and in transit. Policies may also require an extensive set of cybersecurity controls to be implemented and operating at the time of the incident behind a claim; a control that has lapsed since the application was submitted can be grounds for denial. In some cases, the cost of implementing and operating the required controls may outweigh the risk management benefit of the policy itself.
- Ensure key coverage areas are considered in the policy—To manage their own risk, insurers will naturally draft cyberinsurance policies in their own best interests, which can be detrimental to the purchasing organization. When reviewing and negotiating policy terms, the following should be carefully considered:
- Full prior acts coverage, which ensures that coverage is not limited to incidents that begin on or after the policy effective date. In many cases, the vulnerability, the initial compromise or the ongoing intrusion that leads to a claim existed before the policy was in place and was only discovered afterward.
- Remove any language that warrants that security will be maintained at the level represented in the underwriting submission used to establish the initial policy. Such a warranty gives the insurer grounds to deny a claim if any represented control has drifted or lapsed between the application and the incident.
- Ensure legal counsel is agreed upon in the policy and can be changed by the insured organization without restriction during the term of the policy.
- Ensure that the organization is not restricted in its selection or use of incident response, forensics or advisory consulting vendors as part of the policy.
- Eliminate any war or terrorism exclusions. Many insurance policies exclude coverage for acts of war such as invasion, insurrection, revolution, military coup and terrorism. With the growth of nation-state adversaries and international terrorism in the cyberdomain, and the difficulty of attributing an attack to any particular actor, this exclusion should be removed from any cyberinsurance contract. Where an insurer will not remove it outright, negotiate its scope so that it applies only to attacks formally attributed to a state at war with the insured organization’s country, not to any attack an insurer suspects of having state involvement.
- Ensure coverage areas and amounts are properly sized—There are numerous coverage areas that can be included in a cyberinsurance policy, and each typically carries its own per-claim limit and an aggregate limit that applies across all claims during the life of the policy. In data disclosure situations, the full cost of incident response, notification, consumer credit monitoring and litigation varies greatly (e.g., it has been suggested that it ranges from a minimum of US $2 per record to US $150 per record in many cases). An organization should estimate the total number of records it believes could be exposed and the likely per-record cost for the types of data affected. It can then calculate, relative to its risk appetite and after accounting for the policy retention (deductible) and the per-claim and aggregate limits, how much coverage it requires for this type of situation.
- Ensure an understanding of covered losses—Most cyberinsurance policies identify two categories of coverage: first-party losses and third-party losses. First-party losses are the direct costs the organization itself incurs as a result of a cyber-related security incident, such as incident response, forensics, notification, business interruption and recovery. Third-party losses are the organization’s liabilities to others, such as partners, vendors, customers or regulators, that arise from the incident, including damages claimed against the organization, defense costs and regulatory fines or penalties where they are insurable.
In recent times, many organizations have been affected by cybersecurity incidents that originated at a third party and were outside their direct control to manage or remediate. These incidents still caused material damage to business operations and required the affected organizations to incur significant costs. Many cyberinsurance policies offer comprehensive first-party coverage but limited third-party coverage, and losses caused by an incident at a vendor or service provider are often handled under separate contingent (dependent) business interruption provisions that carry lower sublimits than the main first-party coverage. Organizations that rely heavily on third-party partners and vendors, and whose systems and data regularly interact with them, should consider this as they apply for and maintain coverage levels in their cyberinsurance policies.
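The coverage-sizing step above (records at risk, per-record cost, per-claim and aggregate limits, retention, risk appetite) is easier to reason about as a small model. The following is an added example written for this article, not code from the author or from any insurer; the US $2 to US $150 per-record range is the article’s illustrative figure, and the record count, policy limits, retention and risk appetite are constructed inputs that an organization would replace with its own.

```python
"""Coverage-gap estimate for a data-disclosure scenario (added example).

Models how a policy's retention, per-claim limit and aggregate limit
interact with an estimated loss, and reports the loss the organization
would retain at the low and high ends of the per-record cost range.
All numbers in POLICY and SCENARIO are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    per_claim_limit: float    # maximum the insurer pays on a single claim
    aggregate_limit: float    # maximum the insurer pays over the policy term
    retention: float          # amount the insured pays before the policy responds


@dataclass(frozen=True)
class Scenario:
    records_at_risk: int
    cost_per_record_low: float   # optimistic per-record cost estimate
    cost_per_record_high: float  # pessimistic per-record cost estimate


# Constructed inputs (hypothetical organization and policy).
SCENARIO = Scenario(records_at_risk=500_000,
                    cost_per_record_low=2.0,     # article's low figure
                    cost_per_record_high=150.0)  # article's high figure
POLICY = Policy(per_claim_limit=10_000_000.0,
                aggregate_limit=20_000_000.0,
                retention=250_000.0)


def gross_loss(scenario: Scenario, per_record_cost: float) -> float:
    """Total disclosure cost before any insurance recovery."""
    return scenario.records_at_risk * per_record_cost


def insurer_payout(policy: Policy, loss: float,
                   aggregate_already_used: float = 0.0) -> float:
    """Amount the policy pays on one claim of size `loss`.

    The insured first absorbs the retention; the remainder is capped by
    the per-claim limit and by whatever aggregate limit is still unused.
    """
    payable = max(0.0, loss - policy.retention)
    payable = min(payable, policy.per_claim_limit)
    remaining_aggregate = max(0.0, policy.aggregate_limit - aggregate_already_used)
    return min(payable, remaining_aggregate)


def retained_loss(policy: Policy, scenario: Scenario, per_record_cost: float,
                  aggregate_already_used: float = 0.0) -> float:
    """Loss left with the organization after the insurer pays."""
    loss = gross_loss(scenario, per_record_cost)
    return loss - insurer_payout(policy, loss, aggregate_already_used)


def required_per_claim_limit(scenario: Scenario, retention: float,
                             risk_appetite: float) -> float:
    """Smallest per-claim limit that keeps the high-estimate retained loss
    within risk appetite (ignoring aggregate erosion from earlier claims).

    Raises ValueError if the retention alone already exceeds the appetite,
    since no limit can fix that.
    """
    if retention > risk_appetite:
        raise ValueError("retention exceeds risk appetite; renegotiate retention")
    return max(0.0, gross_loss(scenario, scenario.cost_per_record_high) - risk_appetite)


def coverage_gap(policy: Policy, scenario: Scenario, risk_appetite: float,
                 aggregate_already_used: float = 0.0) -> dict:
    """Retained loss at both ends of the cost range, flagged against appetite."""
    low = retained_loss(policy, scenario, scenario.cost_per_record_low, aggregate_already_used)
    high = retained_loss(policy, scenario, scenario.cost_per_record_high, aggregate_already_used)
    return {
        "retained_low": low,
        "retained_high": high,
        "exceeds_appetite_low": low > risk_appetite,
        "exceeds_appetite_high": high > risk_appetite,
    }


if __name__ == "__main__":
    appetite = 5_000_000.0  # constructed risk appetite for a single incident
    report = coverage_gap(POLICY, SCENARIO, appetite)
    for key, value in report.items():
        print(f"{key:>22}: {value:,}" if isinstance(value, float) else f"{key:>22}: {value}")
    print(f"per-claim limit needed: {required_per_claim_limit(SCENARIO, POLICY.retention, appetite):,.0f}")
```

With the constructed inputs, the low estimate (US $1M gross) is almost fully covered and the organization retains only its US $250K retention, while the high estimate (US $75M gross) leaves US $65M uninsured against a US $10M per-claim limit. A second claim in the same term is worse still, because the aggregate limit has already been partly consumed. The point is not the particular figures but that sizing must be done against the pessimistic end of the range and against both limits, not just the per-claim figure quoted on the declarations page.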
Cyberinsurance can be a beneficial and useful risk management tool for organizations of any size and industry if it is properly understood and leveraged. Like any other tool, it has strengths, weaknesses and limitations, and organizations should understand all of them as they consider adopting cyberinsurance, to ensure that the policies they purchase meet their expectations and requirements. Organizations also need to remember that having comprehensive cyberinsurance does not replace the need to invest in and maintain comprehensive information risk management and security programs and capabilities. Cyberinsurance should be regarded as complementary to and supportive of those programs, not a substitute for them.
John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.