Tip Toeing Through Cyber Insurance

“If you took all the men and women employed in the U.S. insurance industry and laid them head to toe, starting on New York’s William or John Street – the little-talked-about insurance industry equivalents of neighboring Wall Street – they would stretch up the West Side Highway, head to toe, over the George Washington Bridge into NJ, down the NJ Turnpike to the Pa. Turnpike, across Pa. into Ohio, through Ohio along Interstate 80 past Chicago, past Des Moines, past Lincoln, Nebraska – still head to toe, one after another – past Cheyenne, Wyoming to someplace just shy of Salt Lake City.”

With that line, typed in 1982, probably with WordPerfect, Andrew Tobias began the best book ever written on insurance: The Invisible Bankers. If you’ve never read the book, I heartily recommend you grab an old copy. Most references and numbers are dated – a $20K salary, for example, is listed as a decent wage. But the concepts remain super relevant. And for those of us in the cyber security industry, education on insurance is essential.

In the spirit of learning the cyber portion of the modern insurance industry, I sat down over cappuccino on Fulton Street recently with my friend and New York City neighbor, Anthony D’Agostino, from Willis Towers Watson. I wanted to better understand the essentials of the modern cyber insurance business – and the team at Willis Towers Watson knows as much about this as any company in our industry. Here is what I learned from Anthony:

“Business people feel quite a bit of pressure today to purchase a cyber insurance policy to transfer some of their risk,” he explained. “But cyber insurance is a new area, and requires careful consideration by any potential buyers. First, they need to understand the details of cyber insurance in the context of an overall risk program, and second, they need expert assistance to make sure that when they do buy a policy, that it’s the right one.”

This sounded reasonable to me. And it should be no surprise that sound judgment would be involved here: Willis Towers Watson is an enormous global multinational company with 43,000 employees providing support for risk and broking, human capital and benefits, investment and re-insurance, and a platform for benefits delivery. The original Willis Group and the R. Watson and Sons companies were founded in the 1800’s. That’s some legacy.

I won’t attempt a mathematical basis for cyber insurance here – but I can tell you that the following factors come up in discussions – and Anthony confirmed my instincts: Coverage, premiums, deductibles, and diligence. I apologize if this simplistic view insults your intelligence, but cyber dolts like me don’t spent much time with these financial topics. The idea of trying to converse about insurance with an expert gives me hives.

Again, I don’t want to use this column to go through the math of whether $50M of coverage, not including federal fines, with $20M of deductible at $5M annual premium is good or bad. You must decide that. And I also won’t tell you whether handing over reams of sensitive security policy and architecture artifacts and documents to underwriters you’ve never met is good or bad, although I suspect you will decide that it is bad (but often necessary).

What I will tell you, however, is that working with a broker from a company such as Willis Towers Watson to go through the pros and cons of various policies would be a good idea. They are such a large company with so much experience and support for their people that I suspect you will get good advice. And Anthony’s team can also help you perform an overall risk assessment to calibrate your actual need for insurance – or other types of risk controls.

As an analyst, it’s my job to compare different risk transferal methods for cyber security teams, and my practical conclusion regarding cyber insurance is this: If the budget for cyber insurance is coming from somewhere else, perhaps the CFO group, then by all means – get excited and supportive about buying a policy. There is no budget downside to such decision for your team, and you will likely see benefits if a serious cyber incident occurs.

But with the newness of cyber insurance, along with what seems like a deck stacked in favor of the insurance companies, I can't recommend always buying insurance to complement or replace functional controls. My observation – assisted by Andrew Tobias – is that some cyber insurance involves premiums feeding too little payout, with most of your money paying overhead, salaries, and large hallways for those buildings in Connecticut.

I would guess, however, that as our collective experience with cyber insurance builds across our community, and as companies obtain a better understanding of their actual cyber risk, the result will be greatly improved policies and deals. And that is good news for everyone. In the meantime, work with a broker such as from Willis Towers Watson to get an honest view of what is available – and make sure your CFO decrements her budget, not yours.

That said, if you’re in the market for cyber insurance, perhaps because the board has been whining to buy something, then get hold of your CFO partner (and demand that she bring along the checkbook) and call the team at Willis Tower Watson for help. Perhaps better yet – call Anthony and ask his team help you with an overall cyber risk posture assessment to determine your readiness for insurance. He might help you find other options.

And as always, please share what you’ve learned with all of us.