This article appeared in an edition of CISO MAG.
Addressing the gathering of CISOs at the 3rd Annual CISO Summit held in Mumbai, India, in July 2017, Sunil Varkey, CISO of Wipro Technologies, pointed out, “The role of CISOs is way more complex because they handle a domain called cybersecurity. CISOs pester the management to increase the cybersecurity spending. When asked by the management if higher spending would mean the organization would not be compromised, the CISOs often respond by saying, ‘I don’t know.’”
However, complexity often drives new solutions, and one of them is cyber insurance. Cyber insurance is not a new topic; it has been around for over a decade and a half. It was designed to alleviate losses incurred from cyber attacks and has become a key risk-management tool. According to the United States Department of Homeland Security, “A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.”
Timetric, in its recent ‘Insight Report: Developments in Cyber insurance,’ concluded that the growing number of attacks has turned cyber insurance into a key mitigation tool.
“Although cyber insurance does not replace the need for cybersecurity technology, it has the ability to complement cybersecurity standards through mitigating cyber risk.”
According to Allianz SE, organizations are paying roughly $3.25 billion a year in premiums for cyber insurance. That number is small considering the cyber insurance market is expected to reach $20 billion by 2025.
Who needs Cyber Insurance?
Everyone! Cybercriminals are not Robin Hood; they do not differentiate between a large company and a small company, and they will do what they do best: steal. While big corporations fortify themselves with several layers of protection, small businesses often underestimate the potential impact of cyber attacks. Many small business owners believe that hackers only attack high-profile organizations, when the reality is just the opposite. In fact, nearly 90 percent of breaches occur in small businesses. A bigger concern is that nearly 60 percent of small businesses that face cyber attacks shut down within six months of the attack.
Because news coverage of attacks primarily focuses on big corporations, small businesses are unaware of the threat they face. “For small businesses, nothing is more important than protecting their livelihood. Cyber liability insurance is another tool they can use to prevent financial disaster in the event of a malicious attack,” stated Natalie Cooper, editor of BankingSense.com, in a report from Cyber Insurance Guide.
While cyber threats have drastically evolved from the time cyber insurance was first offered, the cyber insurance market hasn’t. One of the reasons is that the cyber insurance market is largely based on old-fashioned ideas about information security and what kind of coverage a breached company will actually need.
A study by Marsh and the UK Government in 2015 concluded that cyber insurance premiums are almost three times higher than commercial general liability policies. But even here, there has been a huge gap between the damage incurred and the breadth of policy coverage.
For example, in 2014, when PF Chang’s, a U.S.-based restaurant chain, was hacked and the credit card information of nearly 60,000 customers was leaked, Chubb, the insurer, covered only the cost incurred for investigation of the data breach, legal advice, and the expenses for notifying authorities and customers.
PF Chang’s policy with Chubb stated that it would “address the full breadth of risks associated with doing business in today’s technology-dependent world,” but, PF Chang’s argued, much of the cost of having been breached was not, in fact, covered. Due to this discrepancy, PF Chang’s sued Chubb to recover an additional $2 million the company was required to repay to the credit card companies whose customers’ details were stolen in the hack and subsequently used to make fraudulent transactions. The court rejected the suit after hearing Chubb’s argument that the policy signed by PF Chang’s did not cover any external contract or agreement the company held.
Perhaps if more companies find themselves in situations like PF Chang’s did, cyber insurance policies will be forced to evolve in accordance with the needs of the market. As it stands now, high premiums keep cyber insurance out of reach for most medium and small businesses, but as insurance companies strive to beat their competition with better, more comprehensive policies, prices will fall too.
Solution for the present perils
The PF Chang’s case is an example of a company not fully understanding its insurance policy, or at least not understanding how that policy could be interpreted in court and leave the company exposed. According to a report by JLT Re and JLT Specialty Limited, “Traditional P&C (property and casualty) products were not designed to protect against today’s fast-moving cyber risk landscape.
And there are now growing fears that future losses may bring unanticipated accumulations due to potential ‘silent’ exposures.” Silent cyber risks are things like “(re)insurers’ potential exposure to cyber losses within P&C products where no explicit exclusions are included. And even where exclusions are included, gaps can emerge in the event of unforeseen causes of loss. As exposures evolve, the lack of understanding around silent cyber risks could pose a material threat to (re)insurers’ future solvency.”
While the number of cyber insurance buyers is increasing, underwriters are concerned about unquantified cyber coverage (as in the PF Chang’s incident). The report points out the need for “greater certainty, expertise, capacity and stability from the (re)insurance market in a complex and growing risk area.” It also notes that the “standalone insurance market holds the promise of unlocking the potential for meaningful coverage for both insurers and buyers.” This means that traditional insurance companies’ long history in the insurance business could actually be holding them back from offering the solutions that an industry as dynamic as information security really needs. The structures they have in place may not apply to cybersecurity because threats are often unforeseeable, the impacts of known threats aren’t easy to predict, and there is so much ongoing change that long-term policies can be out of date long before they expire.