Should I get cyber insurance for my business?
In recent years, cyber insurance has become a bona fide market, attracting interest from a wide range of enterprises and producing many billions of dollars in revenue. When it comes to writing policies and assessing risk, however, the market has become a lot more complex. One of the main reasons, as the well-known Target breach confirmed, is that businesses now have many more things to worry about.
Since the Target breach was carried out with the help of a third-party vendor, it is no longer feasible for an organization to check only its own risk. As a business, you also need to assess the risk of your third-party supply chain. “Cyber insurance is slowly becoming a baseline requirement for businesses that want to do business with other companies”, said Stroz Friedberg’s vice president, Mr. William Dixon. “Before we decide to collaborate with a company, the first question we ask is whether they have a cyber insurance policy and the coverage the policy offers them”.
Even though the majority of larger organizations do have cyber insurance, there are many other factors to consider. “If you want to start doing business with a big company or a company that has classifications other than public, then it’s very important for you to have cyber insurance,” said Dixon.
For instance, a ten-person post-production shop that operates from a garage and works for a popular movie studio will certainly find it expensive to run a formal cyber security program or hire a CISO. Even so, that does not mean it is immune from becoming a target. As a third-party vendor, working through a cyber insurance assessment may well help offset the financial risk for the business it is currently working for. At the least, it would show that the shop has some mechanisms in place to mitigate risk.
“Taking out a cyber insurance policy isn’t something that’s solely related to size”, added Dixon. “In fact, this generally depends on the sensitivity and classification of the data, but also the third-party business process that surrounds it”.
The amount of coverage a company can obtain is usually determined by its risk of losing both revenue and data. The bad news is that there is very little historical data for the market to rely upon. Many insurers offering cyber insurance are looking for new ways to value risk, and to make sure the values they pick are correct, a dialogue between companies and insurers is necessary.
The process of defining and eventually generating these values needs to be far more thorough than a few calculations performed by the corporation’s internal IT security team. It should be a collaborative assessment performed by both parties involved: the insurer and the organization.
Melissa Ventrone raised this balance at the RSA Conference in 2016. As chair of Wilson Elser Moskowitz Edelman & Dicker LLP’s Security Practice Group and Data Privacy Group, she said that reviewing a company’s records, including the types of data it holds, what is being done with that data, whether it relies on third parties to deliver certain services, and more, is a good way to assess risk.
One way to estimate the losses associated with a data breach is to use the approximate cost of a single record lost in a breach. For instance, a recent study by the Ponemon Institute found that exposed data costs companies in the United States about two hundred and one dollars per capita. So that figure can serve as a baseline, right? According to the experts, not entirely.
“It’s true that this record analysis is an excellent starting point to calculate how much money companies may lose following a breach, yet the risk value will certainly increase if the company lacks a document retention policy or has a high turnover in its staff or systems”, added Ventrone. In the same way, a large infrastructure could add considerably more risk to those records and, compared to a single-server environment, make them more expensive to insure.
However, the size of the market shows that this uncertainty and ambiguity do not stop insurance companies from writing policies. The truth is that even though policies are being written, most insurers do not want to put up much cover. If you are a small business, for instance, the coverage you can get will be capped at ten million dollars. As a large corporation, you will require a lot more than that.
Optiv’s vice president of security training, Blake Huebner, said that policies may reach limits of up to one hundred million dollars, and that some insurers can offer coverage of up to five hundred million dollars. “Corporations need to be aware of the fact that the majority of cyber insurance policies cover certain remediation efforts for a specific incident”, added Dixon. “While we do have a pretty accurate idea of how much a compromised record would cost, we cannot express how the ever changing nature of ongoing costs will be when it comes to applying more resources, being more proactive and for better monitoring.”
Whatever amount of coverage a company secures, be it ten, twenty or even one hundred million dollars, a breach that costs more than 100 million dollars means the company will have to pay the excess out of pocket. Keep in mind that those costs come before any data breach lawsuits. Target had to pay more than one hundred million dollars to settle claims with MasterCard and Visa, while the class action lawsuit filed against it was settled for ten million dollars.
“For instance, Target spent more than two hundred and fifty million dollars following the breach, while it has less than thirty million dollars in cyber insurance to mitigate losses”, said Chief Executive Officer and President of PivotPoint Risk Analytics, Julian Waits. “A few of the biggest brokers out there are excellent at educating about limitations and risk. The majority though, are not and thus put their insured at risk as the policies they sell cannot possibly cover the real risk”.