[BreachExchange] Making decisions about cyber insurance

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 21 19:16:37 EDT 2017


https://www.lexology.com/library/detail.aspx?g=eb30fafc-462f-44a5-b981-c71051f1a7da

Now is a good time to be considering, or reconsidering, cyber insurance.

The Australian cyber insurance market is in its infancy, compared with the
United States. A significant driver of the market in the United States has
been data breach notification laws, first enacted in California in 2002,
with the other States following California’s lead.

Come February, Australia’s data breach notification laws will come into
force so it is likely, if the US is any guide, that the cyber insurance
market will begin to soar in Australia next year.

So now is the time to consider whether cyber insurance could be a useful
and cost-effective risk transfer mechanism for your organisation.

Your existing cover probably won’t cut it

You may have existing cover – for example directors and officers insurance
– but it is likely that any such insurance – without specific endorsements
– will not cover losses arising out of cyber security issues. Indeed, some
general policies contain specific exclusions for cyber-related losses.

‘Bolt-on’ or bespoke?

As noted above, it is possible to seek cyber endorsements or extensions to
existing cover.

Depending on the level of risk your organisation faces – as to which, see
further below – and on the size of your organisation (and your budget),
cyber ‘bolt-on’ endorsements might be appropriate.

However, for larger organisations, or organisations facing more complex or
uncertain risk environments, bespoke cover is preferable.

Start at the beginning

Ask any lawyer about cyber insurance and their first response is likely to
be, look at the policy wording.

That is valid, but in fact there is much work to be done before you are
ready even to call your insurance broker, let alone to evaluate specific
policies and policy wording.

First of all, make sure you understand what cyber insurance is – and what
it isn’t.

Cyber insurance is not – not yet anyway – comprehensive cover against cyber
risk. In fact, some commentators go so far as to say that most cyber risks
are not insurable.

So then what is cyber insurance? Cyber insurance offers coverage for, or
mitigation of, certain specified, limited cyber risks.

By far the best way to reduce cyber risk is to prepare your organisation
and invest in cyber protection measures. This is your first and best line
of defence – a role that you should not be asking cyber insurance to fulfil.

Before approaching the cyber insurance market you therefore need to know
what cyber risks you are faced with and which ones you want to cover.

Your organisation’s decision to procure cyber insurance must be made from a
position of a full understanding of:

the cyber risks facing it
which risks can be satisfactorily addressed, mitigated or managed
what are the remaining or residual risks?

Then your organisation is prepared to ask the threshold question – in
respect of any or all of the identified residual risks, is your
organisation prepared to pay an insurer to transfer some of the risk away
from your organisation to the insurer?

Framed in this way, decisions about cyber insurance can be made as a
trade-off between the potential exposures arising from uninsured residual
risk and the cost of premiums to cover, or at least partially cover,
certain aspects of those risks.

Your potential insurer will want to see that your organisation has a
thorough understanding of, and is prepared for, the cyber risks it faces.

Your organisation’s cyber sophistication or maturity will feed into the
cover insurers are prepared to offer and into the premiums you will pay.

So before you pick up the phone to your broker make sure your own house is
in order. What has your business done to assess and address cyber and
information security?

Ensure that your organisation has undertaken a robust risk assessment. You
might choose to apply one or more of the well known risk assessment
frameworks such as the NIST Cybersecurity Framework, as recommended by
ASIC.[1] You may choose to follow guidance from the Australian Signals
Directorate, for example, its Essential Eight Mitigation Strategies.

There are many other resources available to guide cyber risk assessments.

The first step must be an audit of your organisation’s information holdings
and data assets. An information audit will enable you to understand:

what information your organisation holds
what types of information your organisation holds; by which I mean,
understand whether you have certain types of data that are more sensitive
and therefore require more attention from a risk perspective.

Undertaking an effective risk assessment establishes the foundations for
your organisation’s decisions about cyber insurance.

Towards policy wording

Ask your broker for a commercial conversation about what risks and risk
scenarios are and are not covered.

These should fall out of your risk assessment exercise, as described above.
At this stage, the discussion should be about how the proposed policy
addresses the particular residual risks your organisation has identified
for risk transfer by means of cyber insurance.

Will your putative cyber insurance cover the risks you need to have covered?

If you are satisfied at this level, sanity check the proposed policy
wording against those representations.

If possible, ask your broker to provide alternative products and policy
wordings for your review.

If you are not satisfied, ask to negotiate policy terms.

Cyber insurance policy words and exclusions throw up some unique
considerations.

Maintaining Cyber/ICT Security

Policies may contain an exclusion that will preclude a payout if your
organisation has not consistently implemented best cyber practice; for
example, applying vendor supplied patches and updates with fixes.

If your cyber policy has this exclusion, as a cyber governance issue (and
not to mention as good cyber hygiene), your organisation will need to
ensure that it is on top of patching and updating and other cyber security
basics – for example, as laid out in the ASD’s ‘Strategies to Mitigate
Cyber Security Incidents’ (aka ASD’s ‘Essential Eight’).

The ‘insider threat’ and social engineering

Is your organisation looking to cover ‘insider threat’ cyber breaches? This
is a significant type of cyber attack, yet such threats are commonly
excluded from cyber insurance policies.

Other potential risk areas that might at first seem like obvious areas of
coverage may not in fact be covered or insurable. For example, it is well
known that ‘social engineering’ attacks such as phishing or whaling are a
key area of risk. But cover for such risks should not be assumed. In fact
such cover is not the norm.

The classic phishing or whaling attack, where an employee is duped into
transferring funds to a third party because of an email that looks like it
comes from the CEO? More than likely, not covered.

Compliance with software licences

Cyber cover may contain an exclusion that operates in circumstances where
the insured may be operating outside of software licence specifications or
contracted licence metrics. This can include such things as permitted user
numbers or transaction volumes.

It is common for licensees to inadvertently exceed or breach such licence
metrics. That is why software licences and SaaS agreements commonly provide
for the licensor or service provider to audit compliance with such metrics.
The usual contractual outcome in cases where licence metrics are exceeded
is to adjust licence fees.

Check such clauses carefully: if your cover can be voided by an inadvertent
breach of licence terms, that is a considerable area of risk.

Disclosure Issues

Check whether your policy requires you to notify insurers of
vulnerabilities identified in IT security audits.

Time based deductibles

We’re all familiar with insurance deductibles or excesses, but cyber
policies may contain ‘time based’ deductibles, which mean that no claim can
be made until a certain period of time has elapsed after a claim event
arises. The impact of such deductibles on the insured’s ability to make a
claim for loss and damage should be considered carefully.

Assessing Loss

A number of cyber policies reviewed by this author require the insured to
certify losses within a specified period, say 90 days, after the claim
event occurs. This type of requirement represents a significant risk to
policy holders as loss and damage caused by a cyber event may continue for
a significant period – months or even years after the event.

In the immediate aftermath of a cyber incident, it is difficult to
calculate future or anticipated losses regarding impacts that may be
identified at the time and it is probably effectively impossible to
exhaustively identify all the future implications of a cyber breach (the
Rumsfeldian ‘unknown unknowns’).

Attribution

Pay very close attention to exclusions regarding cyber losses caused by
certain classes of actors.

We’re familiar with exclusions for acts of war and foreign governments, for
example, so it is somewhat tempting to gloss over these provisions as
common fare for insurance policies.

However, it is well known that identifying the source of cyber attacks is
highly problematic – the problem of ‘attribution’.

This type of exclusion seems, to this author at least, to assume that
attribution is a straightforward exercise. When it comes to cyber, it most
certainly is not. The risk for the policy holder is that this type of
exclusion therefore represents a significant area of uncertainty.

Evolving threats

It is a truism of the cyber threat landscape that threats are continually
evolving. Threats that we do not know about or anticipate today can be a
reality tomorrow.

From the insured’s perspective, policies need to be sufficiently flexibly
worded so that cover does not fail to respond to threats that are unknown
at the time the policy is entered into.

In this author’s view, there are some critical areas of uncertainty where
the insurance industry has yet to develop fully satisfactory policy
offerings. Accordingly, a risk-first approach as outlined above is vital to
ensure that your organisation is purchasing cyber insurance on a sound
basis rather than on the basis of potentially ill-founded assumptions about
what cyber insurance does or will cover.

Finally, given the unique issues posed by cyber insurance policies and
policy wording, we would strongly recommend having any proposed policy
legally reviewed to ensure your organisation fully understands the extent
of any proposed cyber cover and in particular, what is excluded from that
cover.