Cyber Insurance: An Opportunity to Improve Business Resilience

This post was originally published at https://invenioit.com/security/cyber-insurance/

Cyber insurance?may?be the one?segment of the?insurance?industry that doesn’t fit our preconceived notions of the?business.?Ordinarily,?when?describing?insurance,?you?might?use words?such as?steady, sedate,?or?even dull.?Policies?undergo little?change?from?year to year,?predictable?claims?are?submitted, payouts are?promptly?issued, and insurers earn a?good?rate of return.?

There is not much change in the makeup of the?companies?that are?offering insurance,?agents?generally?have limited interaction with their customers?and?infrequently have an impact?on?business-critical?matters, and?seldom do you see?headline news stories coming out of the industry.??

It’s a different ball game with?cyber insurance.?The?constantly evolving?cyber threat?environment,?the?rapidly?increasing?number of claims?filed,?the emergence of new competitors,?and?the fact insurers have?only been?operating?in this segment?for?a couple of?decades?has?created a?dynamic?environment.?

The difficulty of projecting where?cyber?threats will be coming from in the future?along with?limited?historical?data?for use?in?developing?analytical models to project future risk exposure?has?caused?a?constant?reworking of policy?commitments.?On top of this, insurance industry leaders are having?difficulty projecting the?long-term trajectory ?of the market.?

Even?the White House?has?stepped into the fray, generating news?coverage?on the?issue?of?the recent wave of?cyber?attacks?and?highlighting the?contribution?insurance?can play in building?cyber?security.?At its recent?White House summit ?of tech, financial services, insurance,?energy, and education leaders, the administration called on?the?insurance industry to develop ways of incentivizing businesses to deploy and?maintain?good cybersecurity practices.?

Actually,?there?is one aspect of the cyber insurance business that?mirrors more traditional?lines of insurance?and that’s reliable payments on cyber incident claims.?Cyber insurers?have?demonstrated?a?consistent?track record ?on this score and?that’s?important for those considering?adding this coverage?for the first time.?

The?Business Environment?

A prime?cause of the increased?exposure?is driven?by the ongoing?digital?transformation?of business.?As companies?increasingly?deploy?digital technologies?in an effort?to?achieve competitive advantage through faster product development?and rollouts,?operating efficiencies, and customer?experience, their?exposure and vulnerability to cyber threats grows as well.??

The?Covid-19?pandemic has had a dual impact on the increase in?cyber vulnerability. Many?companies have?sped up?their digital transformation?plans?in an effort to?create greater efficiencies in?their product?and service?delivery models.?

According to a?Munich Re survey , 33% of C-level respondents?report that they have accelerated?digitalization?due to Covid-19.?As a result,?companies have struggled to bring their?security practices along as rapidly. On the user side,?more?remote working?has resulted in an increase in phishing attacks?that?often?exploit?workers'?interest in updated information on the pandemic.?

State of?Cyber Insurance?Coverage?

Despite the?worsening?threat environment, most small and medium sized businesses do not carry cyber coverage. According to?a?study by?CyberScout, ?even though 76% of SMBs experienced a?cyber attack,?only 31%?had?cyber insurance.?The report highlights the fact that businesses that are already under financial pressure in responding to the pandemic are?struggling with?prioritizing investments in?cyber security practices and insurance.?

The Evolving Threat Environment?

According to?an analysis of threat reporting ?by Dark Reading, ransomware and phishing will?continue to?be the?main?types?of?cyber?incidents?through 2021.?The?most prevalent attacks can?be categorized?according to?five?classes?of incidents : human factor,?malware, denial of service (DOS),?web application, and password.?These?events have multiple impacts on business operations.?

Cybereason?examined ransomware ?attacks and found that?66%?of companies attacked?experienced a significant loss of revenue,?35% of businesses paid a ransom between $350,000 and $1.4 million, and 53% reported damage to their brand and reputation.?As described below, cyber insurance helps recover the costs of all these?factors.?

Dealing with Uncertainty?

In this uncertain environment,?insurance?companies, including majors such as Zurich, are adding structure to the?cyber risk engineering processes ?by using frameworks such as the?Cybersecurity Framework ?(CSF) developed by the U.S. National Institute for Standards and Technology (NIST).?

This?framework?is a voluntary?initiative?created through the collaborative efforts of industry and government. The framework consists of standards, guidelines, and practices for organizations to better manage?risks. Companies such as Axios have developed?standalone risk management platforms ?based upon the NIST framework. These platforms include an insurance stress testing function to help companies?figure out?which coverages are most relevant to their unique risk profile.??

The NIST Cybersecurity Framework?provides?a common vocabulary for risks and controls, allowing for more productive discussions among underwriters, brokers, and companies looking to obtain insurance. The framework?facilitates conversations between insurance risk specialists and C-suite and board members by minimizing IT jargon.?

Of note is the fact that nearly three-quarters of the security controls are non-technical in nature. A great emphasis?is placed?on roles and responsibilities, training, security procedures, incident response and communication.?

Working with the NIST Cybersecurity Framework involves five functions. The purpose of the Framework is to?provide?a comprehensive view of the lifecycle for managing cybersecurity. The five functions consist of:?

• Identify?– Develop an organizational understanding to manage cybersecurity risks: systems, data, assets and capabilities.?
• Protect – Develop and implement?appropriate safeguards?to ensure delivery of services.?
• Detect – Develop and implement the?appropriate activities?to?identify?the occurrence of a cybersecurity event.?
• Respond – Develop and implement the?appropriate activities?to?take action?regarding?a detected cybersecurity event.?
• Recover – Develop and implement?appropriate activities?to?maintain?plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.?

Cyber Insurance and Business Resilience?

Cyber insurance companies and their?agents are?also?responding?to the demands of this market environment by playing a?proactive?role?in preparing their clients to defend against and respond to?cyber?attacks.?

For example,?Coalition, a cyber insurer and one of the?participants?in the White House summit, announced that it will make its?cybersecurity risk assessment & continuous monitoring platform ?available for free?to any organization.?Others are?deploying more?technology than is ordinary?for?the insurance industry.?Corvus, for example,?is applying a?combination of?AI,?IoT,?business intelligence and data analytics to?better gauge cyber risk.?

These developments?present an opportunity for companies to augment the cyber?security?component?of their business continuity planning process?and?further?refine?ongoing?investment?activities in?things like?network infrastructure ,?multi-factor authentication, and data backup?to avoid?and prepare for the aftermath of?data breaches?and losses.??

Cyber insurance?provides?companies with the?financial resilience?to complement?its?investments in?operational?resilience.?Cyber?coverage?enables?companies?to recover?revenue losses?experienced?and?pay for the?expenses?related?to recovering?from a data breach?so that these costs?will not materially affect ongoing operations?or?lessen?a company’s?competitive positioning.?

Defining Cyber Insurance?

Cyber insurance pays a range of costs associated with a?cyber incident?such as?ransomware,?social engineering?and denial of service.?As you’d expect in a market that is changing so rapidly, there is no standard cyber insurance policy.?This variety puts the onus on the buyer of insurance to compare policy provisions?carefully.?

Most cyber insurers offer two types of coverage: first-party and third-party.?First-party?policies?cover the claims you make?for?breaches?of?your?company’s network?and?will pay for the costs?to:?

• Restore and recreate?the?compromised data?
• Hire?experts to help you fix a problem and gain control of the issue?
• Repair your hardware?systems?and?software?
• Recover?income lost?due to?the breach?
• Pay?extortion costs?
• Notify vendors, customers or regulatory entities about the loss?
• Restore the personal identities of affected customers?
• Supply?credit monitoring services and identity theft protection for customers?affected?
• Hire a specialist to conduct a forensic investigation?to?find?the source of the attack?
• Pay?public relations expenses?

Under your first-party provisions, your cyber insurer will also step in and take on some of the?administrative?burdens of recovering from a breach. These services include:?

• Informing your customers of the breach and?about how you are?responding?
• Notifying the proper authorities of the attack to start an investigation?and ensure?compliance with data breach laws,?which vary by state ?and?global region ?
• Supplying?a negotiator to communicate with those making?the ransom demands?

Third-party coverage is for companies that handle other people’s sensitive data, such as tech companies, health care companies,?financial services,?and retailers.?If?your?company?handles?sensitive?data?for a?client and it?is compromised?in?a?cyber?incident,?your company?could?be held?legally liable.?To absorb costs associated with these legal proceedings, third-party coverage will pay?the legal?costs necessary to?litigate?a variety of issues including:?

• Privacy lawsuits brought by customers or employees who allege that you?were responsible for?the data loss?
• Allegations of libel, slander or copyright infringement that arise because of the data breach?
• Allegations of?breach of contract on your part?
• Settlement costs?
• Court-ordered damages?

In addition to these legal?costs, third-party insurance will?cover?the?expenses?associated with responding to regulatory inquiries and any resulting regulatory fines and penalties.?

Technology Errors and Omissions?Insurance?(Tech E&O)?

Tech?E&O?insurance?differs from cyber insurance in that it?is designed?specifically for providers of technology products and services and covers situations when there is some form of negligence on the part of the technology provider?which causes financial harm to?their?users.??

For example, a company might sue a technology?provider?for harm caused by missed project implementation deadlines or?if?it recommends the?wrong?solutions. In these cases,?a?tech E&O?policy?will cover the legal costs to defend against the accusations including?court costs, attorney’s fees, settlement expenses, and?any?judgements ordered.?

In the case of a cyber event?where there is negligence on the part of the technology provider, the provider would make a claim for recover legal expenses under its tech E&O policy. However,?if there is no negligence, then?the claim?would?be?made?under its cyber insurance policy.?These fine points create a gray area for tech?companies, highlighting the?vital?role an insurance agent can play?in?working out?adequate?coverage?without duplication.?

Business Owners?Policy?(BOP)?

Small business owners can add?a?limited?degree of cyber liability coverage?with?an endorsement?to their BOP?and the payment of?an?added?fee.?These policies will?generally?cover the?third-party legal and notification expenses described above?but none of?the?first-party?costs?you incur.?The payouts on the third-party costs tend to?be limited?to $100,000,?which could?be quickly exhausted?in notification costs alone.?

Commercial Property Policy?

Commercial Property Policies?protect?physical property owned by a business.?These policies will typically include some coverage for computers, often as part of broader coverage for electronics.?While?premises?hardware damage?is?included,?there’s rarely protection for?software and data, and no coverage for data stored in the cloud.?

What Insurers Will Expect??

Before engaging with an insurer or broker, it?pays to ensure that you are following certain basic practices. These practices should include:?

• Maintaining a written cybersecurity policy?
• Providing?security training?for?employees?
• Deploying firewalls and antivirus software?
• Installing software patches regularly??
• Using strong and complex passwords?
• Encrypting mobile devices that interact with sensitive data?
• Reviewing and responding to security monitoring alerts on a constant basis?

Don’t?Get Rejected?

While most cyber claims?are paid, insurers can deny a claim if it could have?been easily prevented?or if a company cannot?provide?evidence that it did everything to?follow?the requirements of the policy. In these cases,?keeping?detailed documentation of company policies and practices is?a necessary procedure.?

The full value of claims can?be denied?because?cyber policies?have?individual limits for specific insuring clauses and subclauses, so a careful review of these terms at the time policies?are negotiated?is important.??In this regard, particular attention should?be paid?to the?ransomware provisions ?of a policy. The ability to?anticipate?your company’s?potential?exposure to extortion demands, lost income, and asset restoration?will enable you to ensure payouts will meet your needs.?

Social engineering claims have?been rejected?if employee negligence can be shown, so as social engineering attacks continue to grow and evolve, it is important to?negotiate?a separate social engineering clause?rather than just having a computer fraud/forgery clause.?

Some insurers have rejected Personal Card Industry, or PCI,?fines?and assessments. These are?fines that?were?created?and?are?assessed?by the Security Standards Council of the credit card industry?when financial services?companies?fail to?provide?adequate protection?to?consumers and businesses?against data theft and fraud.?

Another cause for denied claims?occurs when a company makes a claim against?their?policy when another company is at fault for the breach. These issues?have to?be litigated?rather than covered under insurance.?

Finding Cyber Insurers?

There are a variety of companies competing for the?fast-growing?premiums generated in this market, which have?doubled since 2015 to over?$3 billion.?All of?the large?traditional players, such as AIG, Travelers,?Chubb,?CNA,?and?Liberty Mutual, are?taking part?in?the?cyber insurance market in?a substantial way.?

A new breed of company focused on the cyber insurance segment has?also?emerged?in the last few years.?These new entrants, such as?Coalition,?Resilience,?At-Bay,?Cyberdot,?CyberScout?and Corvus?are?leveraging?technology to deliver their services and?take a?proactive?stance?in helping?customers understand and?anticipate?the changing threat environment?and offer a good match for SMB customers?seeking cyber insurance.??

Facing Up to the Threat?

As the volume of?cyber?attacks?grows and the nature of the incidents continuously evolve, engagement with a cyber insurer offers resources to meet this challenge.?By?delivering?updated threat data, platforms to test cyber incident readiness,?and frameworks for building protection,?cyber insurers can?be?another?component?in?your?business continuity planning.?And?by rationalizing?your?insurance policy coverages, your?insurer?can?make sure you carry?optimal?coverage to?provide?the peace?of mind that your company will have the?financial resources?to?bounce back?from a cyber incident?as?completely as?possible?and limit?damage to your competitive position.?