[BreachExchange] What To Know About Cyber Insurance

Destry Winant destry at riskbasedsecurity.com
Mon Dec 2 10:07:32 EST 2019


As more companies are experiencing an increase in cyberthreats, both
internally and externally, they are taking cyber risks and prevention
more seriously. C-level executives list security as a top concern. In
fact, one recent EY study (via CNBC) found that CEOs see cybersecurity
as the No. 1 threat to the global economy in the next 5 to 10 years.
Rightly so.

One study from Risk Based Security (via TechRepublic) found that there
had been 3,800 breaches as of August 2019. According to the
IBM-Ponemon Institute 2019 data breach report (via DarkReading), it
took on average over nine months to discover and remediate a data
breach. As a result, the number of attacks is likely higher, and many
companies may still be unaware of existing threats.

Daniel Schwartz also points to the growing attention on internal
attacks in a 2019 Forbes Technology Council post, stating that
employees (or users) are a large risk. Their access from within
enables them to easily exploit systems. It also makes it possible for
costly mishaps and unintentional errors (like clicking on a phishing
link) to occur.

Along with the rise of all kinds of cyberattacks, cyber insurance is
becoming more prominent as a measure to cover the loss and damages of
cyber intrusions. According to Statista, the U.S. personal cyber
insurance market (paywall) is projected to grow from $500 million in
2018 to $3 billion annually by 2025. When companies can be hit from
all directions, I believe security solutions are a must -- but if
there is a breach, cyber insurance is a safety net that can help
recover the costs.

Based on my experience in leading technology teams and developing
security strategies, I’ve learned firsthand that regardless of the
defenses you put in place, crafty hackers with innovative schemes are
always presenting new security challenges that you can’t always be
prepared for. It’s better to be safe than sorry if there’s an
unpreventable breach. That’s the value of cybersecurity insurance as a
second line of defense.

How do you determine the cyber insurance you need?

The fact is, if you rely on technology to do business and if you
manage and store company data, financial or transactional information,
customer details or any proprietary business information on computers
or servers or in the cloud, I believe you need some level of coverage.
How much depends on a number of factors, but the following are several
considerations to keep in mind when it comes to cyber insurance.

Does company size matter when you're considering insurance coverage?

I advise companies of all sizes to have cyber insurance. Middle-market
companies may wrongly assume that enterprise businesses are at greater
risk, and therefore, they don’t need insurance. That’s not true. A
midmarket business may not spend as much on cybersecurity as larger
companies, which could make them even more vulnerable to threats.

One reason middle-market companies may be at risk is that
cybercriminals don’t necessarily target a company based on size or
name. Instead, they may use bots to scan the internet and search for
companies with security gaps. If midmarket companies generally spend
less on cybersecurity tools, they could be at greater risk of being

Do you need less coverage if you have security solutions in place?

Having security systems in place is not a replacement for cyber
insurance. Systems can fail; humans err, and hackers are always
finding inventive ways to breach not only business technology but also
security solutions. New viruses, attacks and schemes emerge
constantly. Realistically, you can benefit from both security
solutions and insurance.

While security solutions are almost a prerequisite for coverage,
having a security strategy and leveraging security systems could shave
costs off of insurance premiums.

Will cyber insurance cover all types of breaches?

Cyber insurance is the new kid on the block when it comes to
insurance. Policies and coverage vary from one insurance carrier to
the next. Some companies offer cyber liability coverage as a secondary
arm of their liability and casualty business, but with the growing
number of cyber risks, there's also a niche for specialized cyber
insurance providers.

Cyber insurance coverage can be as varied as health, life and car
insurance. A company needs to know its vulnerabilities and make sure
its coverage is matched to its potential exposure. You can get insight
into those vulnerabilities in various ways. For example, your company
can conduct simulated hacks to uncover weaknesses. It is something we
do in my organization, in addition to performing audits on our systems
and developing a threat intelligence framework for exactly what we
need to protect and possible sources of threats. If the company
doesn’t have a policy that matches its risks and the types of attacks
and breaches it might experience, no matter how good a carrier is, it
won’t have a good policy.

For example, some cyber insurance may not protect against insider
threats, such as fraud or employee theft, in which case a secondary
commercial crime policy may be required.

I've also heard debate over breaches, such as nation-state threats,
that may be considered acts of war, which might make them covered
under the federal Terrorism Risk Insurance Program and exclude them
from general cyber insurance coverage. Buyers need to clarify whether
such attacks are covered in their policies to prevent claim denials
due to a war exclusion if they feel this is a risk to their business.

Double layer of protection

The combination of your security solutions and cyber insurance offers
a twofold approach to protection against attacks. The cyber insurance
market has shown rapid growth in the more recent past; in fact, 76% of
firms surveyed (via Marketwatch) said they had some form of cyber
insurance in 2018, which is up from 50% in 2017. To me, this signals
that businesses are adding dedicated cyber insurance to their risk
mitigation strategies.

Know all of your risks, and understand the full coverage you need.
Frequently review your risk landscape to revise your cyber insurance
policy as needed.
