Cyber Liability Insurance’s Data Problems

Cyber liability insurance is becoming an increasing necessity for businesses

Cyber liability insurance is becoming an increasing necessity for businesses and could easily become a requirement similar to E&O insurance not just for large corporations, but also small- to medium-sized businesses. The challenge is to properly understand how much coverage, as well as the scope of the coverage, organizations need to properly offset cyber risk.

KPMG recently conducted a survey which found that 74 percent of businesses do not have any sort of cyber liability insurance. Of those that did have cyber liability insurance, only 48 percent believed their coverage would cover the actual cost of a breach. The sentiment amongst those surveyed is that the market for cyber liability insurance is not mature and lacks the comprehensive packages needed to provide adequate coverage.

When I asked one insurance agent at a dinner how much coverage businesses should buy, his answer was simple: “As much as they are willing to buy.” Although the insurance agent’s answer was tongue-in-cheek, there is an element of truth to it.
Much like deployment of security infrastructure, cyber liability insurance follows the law of diminishing returns. You can pay for 100 percent coverage for every possible instance, but the costs of your policy can easily scale beyond what the actual cost of a breach may be – still, there is no guarantee every possible aspect will be covered.

One of the reasons that the costs of cyber liability insurance can skyrocket is the insurance industry’s own ambivalence and the unknown risks associated with cyber security. The insurance industry is one of the most data-driven industries there is, and cyber security is still relatively new, volatile and unpredictable, with very limited data to understand impact and frequency.

When it comes to more traditional forms of insurance, there is a wealth of data that can be mined to understand risks and they are easily quantifiable – home-owners insurance is limited to the cost of the house and its contents, for example.
When it comes to cyber liability, the risks are far more diverse and widespread. They depend on multiple factors, such as the data your organization stores (from customer data to intellectual property) and the cascading effect that data can have on the cost of a claim.

A good way to look at the challenges of cyber liability insurance is to compare it to car insurance. The cost of an insurance policy incorporates two key factors: the vehicle and the driver. Simple enough, right? Actually, not so much.
When it comes to your car insurance premiums, the insurance industry uses ISO Symbols, metrics maintained by Insurance Services Office, Inc. (ISO) to match premiums to particular types of cars and their associated losses. The ISO Symbol is a dynamic metric that changes based on what the insurance industry experiences in actual claims with regard to these losses.

The ratings incorporate a number of factors, including the cost of repairs, damage to other vehicles, injuries, frequency of theft, among others. The ISO offers two symbols in their rankings – the first is Personal Auto Physical Damage and the other is Liability and PIP/Medical Payments – one ranking for damage to the vehicle itself, and another for the damage the vehicle causes to other vehicles, as well as passengers.

The liability and comprehensive coverage is the tricky part when it comes to cyber liability coverage, as you are dealing with the collateral damage of customer data and other elements. The liability costs associated with a breach can be unpredictable once you factor in things like breach clean-up, external forensic teams, identity theft monitoring, lawsuits and fines, as well as other factors like dips in share price, damage to brand reputation and loss of consumer confidence.
Most of these elements are trickier to quantify and are often not covered by cyber liability insurance.
The other factor in car insurance is the driver: their driving record and the general trust that they can safely operate a vehicle. Insurance companies make similar appraisals of businesses, identifying the likelihood that they will be victims of a breach, as well as the scope of such a breach.

Over the past several years the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) brought together several insurance carriers, risk managers and security experts to examine the current state of the cyber liability insurance market and how best to advance its capacity to incentivize better cyber risk management.
The group identified four “pillars” of an effective cyber risk culture that carriers had identified as particularly attractive from an underwriting perspective.
The first two elements are about establishing “safe drivers” of cyber security, starting with leadership who are engaged in the security of their infrastructure, followed by a culture of security built through educating employees. The third factor, “cost-effective technology investments,” is like the safety features in your vehicle: ensuring that organizations have proper security controls, processes and frameworks in place.

The fourth pillar from the NPPD is about sharing information both amongst organizations and with insurance companies so they can better understand risk. The insurance industry is seeking to enhance its ability to quantify cyber risk through an anonymized cyber incident data repository, as well as through enhanced cyber incident consequence analytics, both of which require access to more data on cyber incidents. This process will take time and a high level of collaboration between insurers and the industries they are seeking to cover.

Although cyber liability insurance is still maturing, the need for it has never been greater. It is critical for businesses to understand how it can help curb risk, as well as its limits and restrictions. Security leaders need to understand their role in helping the insurance industry, either by sharing information or by providing greater transparency regarding their practices and metrics.

Tripwire
