Cyber Insurance and its impact on the way we view risk
Have you ever wondered what would happen if your company were hit by a cyber attack? Have you ever thought about the losses you can afford to take? Do you actually do something to manage your risks? And have you ever thought about buying cyber insurance?
If you remember, 5 years ago Sony’s PlayStation Network was breached in an attack that compromised more than seventy-seven million personal accounts. As a result, Sony lost about one hundred and seventy million dollars. They thought that having a general liability insurance policy would protect them from cyber attacks, but it didn’t. While the electronics giant did sue their insurers, the court confirmed that their policy did not cover cyber attacks.
For Sony, this was a hard loss to swallow, but they did what was needed and eventually purchased cyber insurance. After that, they predicted the policy would cover all or most of their one hundred million dollars in losses.
Lessons Sony taught us
After a painful lesson, Sony did take the right steps to lower the impact a potential cyber attack would have on the company. You may have a small company and think no one would ever launch a cyber attack on it, but you never know, which is why you need to be prepared.
According to Verizon’s Data Breach Investigations Report (DBIR), companies are all at risk of falling victim to cyber attacks, regardless of industry, geography and size. In total, about sixty-two percent of cyber attacks are launched against small and mid-sized businesses. As for the losses each attack causes, they average three point seventy-nine million dollars.
Are companies doing something to protect themselves?
Companies around the world are doing everything they can to lower the risk of cyber attacks. On top of improving managed security services and hiring IT specialists to patch security holes, companies should also consider getting cyber insurance. According to a survey conducted this year, approximately fifty-nine percent of organizations have already purchased cyber insurance to protect themselves against cyber attacks.
What is cyber insurance?
Cyber insurance is basically a policy that offers services and products designed to protect companies from online-related risks. Even though insurers have offered certain types of cyber insurance policies for more than a decade, it’s only recently that companies have become aware of their importance and started to buy them.
On top of that, governments have also had a great impact on the demand for cyber insurance, and they’re emphasizing the importance of carrying it as a company. Many countries today have mandatory data breach notification laws, so much so that companies are buying policies faster than ever before.
In just a few years, the United States cyber insurance market grew from ten insurers to fifty that offer separate cyber liability insurance (CLI) policies. Based on information from a recent PwC study, by 2020 the market is expected to triple to seven point five billion dollars.
Understanding CLI policies
The majority of CLI policies you can currently buy provide a mixture of 2 kinds of insurance coverage: first-party coverage (which covers a company’s direct losses) and third-party coverage (which protects the company against claims from partners and clients).
On top of offering financial coverage, insurers also provide post-breach and management services, such as remediation tools and loss prevention measures.
Assessing risk and the difficulties involved in it
While other policies may be available in a standard form, that is not the case with CLI policies, because they are adapted to each company’s needs. In fact, before an insurer offers a company its services, it first needs to understand the potential buyer’s risk profile. In order to set a premium, the insurer will analyze the scale of the business, its overall security posture, the number of stores it has, and the sensitive nature of the information it handles.
Quantifying a company’s risks and posture, though, is a tad difficult. The historical data concerning a client’s losses may be lacking, and there is also very little visibility into a potential customer’s ability to handle future and past cyber breaches. Because of that, many insurance companies offering cyber insurance need to be cautious about whom they decide to insure. In some cases, in order to protect themselves, they may even refuse clients that don’t meet their standards. As for premiums, they can be high.
Even if the buyer does take all the precautions required by the insurer, that doesn’t mean that they’re one hundred percent protected from such attacks. We just have to remember the attack on Anthem, which is the 2nd biggest health insurer in the United States. The cyber attack launched on it could cost the company upwards of one billion dollars, but their policy only covers about two hundred million dollars in losses.
This is a clear example of why it’s so difficult for insurance companies to determine the premium amount they should charge to companies looking to buy cyber insurance.
Since there is a lot of uncertainty when it comes to establishing a company’s risk, the market would certainly need to consider using risk assessment tools, which can help insured organizations and insurance companies better determine a buyer’s risk posture. Risk assessment and scoring can be easily performed with a wide range of automatic tools, and what’s great about this is that it can make the insurance market a bit more transparent. Examples of companies in this space include PivotPoint Risk Analytics, SecurityScorecard and BitSight Technologies.
According to experts, the market is still going to welcome many more vendors. For instance, QuadMetrics has already started operating in the field, even if they’re just a small startup based in the United States. They help underwriters set premiums for companies that want to buy a CLI policy, based on a prediction-based cyber security risk analysis.
There’s also a good chance that we are going to see many insurers open cyber security departments and offer both post-breach and pre-breach services, including forensics, incident response, monitoring and security architectural analysis. When this happens, a lot of insurers are going to hire cyber security experts.
This can have a very positive impact on the entire cyber security ecosystem, especially when it comes to organizations offering services and products that can be easily incorporated into the strategies of cyber insurance providers.
For now, one thing is for sure: the way cyber risk is perceived is always changing, and if a company wants to reduce its exposure to cyber breaches, it needs to get a CLI policy as soon as possible.