The Cyber Insurance Landscape Has Grown More Complicated

When considering adding a cyber insurance policy, organizations, both public and private, must weigh the pros and cons of having insurance to cover against harm caused by a cybersecurity incident.

Let's break it down to the pros and cons.

Pros of cyber insurance

• Financial protection:
  Cyber insurance can help protect an organization from significant financial losses resulting from a cyberattack or data breach. The policy may cover expenses such as forensic investigations, legal fees, and credit monitoring services, which can be costly without insurance coverage.
• Risk management:
  Cyber insurance policies often require a risk assessment, which can help an organization identify and address vulnerabilities and improve its cybersecurity posture.
• Customer confidence:
  Having cyber insurance can signal to customers and partners that an organization takes cybersecurity seriously and has measures in place to protect its data.
• Compliance:
  Certain industries and jurisdictions require  organizations to have cyber insurance or to meet certain cybersecurity standards. Having cyber insurance can help ensure compliance with these requirements.

Cons of cyber insurance

• Cost:
  Cyber insurance can be expensive, particularly for organizations that are considered high-risk. The cost of the policy may outweigh the potential financial benefit in the event of a cyber incident.
• Coverage limitations:
  Cyber insurance policies may have limitations and exclusions, which can leave an organization vulnerable to certain types of cyberattacks or data breaches.
• False sense of security:
  Having cyber insurance should not be a substitute for investing in strong cybersecurity measures and practices. An organization that solely relies on insurance may not have the necessary safeguards in place to prevent a cyberattack or data breach in the first place.
• Claims process:
  The claims process for cyber insurance can be complicated, and it may take time to receive the funds necessary to cover expenses related to a cyberattack or data breach.

We asked some friendly experts how they would respond to common questions that come up regarding evaluating cyber insurance.

By the way, Sean Scranton will be presenting on "Covering Your Cyber Assets" at the SecureWorld Philadelphia conference on April 19-20.

Can companies live without cyber insurance? Is it required?

Sean Scranton, Consultant, Cyber Risk Solutions Team, WTW:

"Cyber insurance should be considered by organizations as part of their overall cyber risk management strategy. After assessing core risks and controls that are in place to mitigate these risks, insurance may mitigate financial risks due to cyber incidents (in accordance with the cyber insurance coverage terms) and provide expertise for organizations during a cyber incident (i.e. legal advice, forensic investigators, etc.) that may be included as part of the cyber insurance coverage terms. Assessing adequate coverage limits, deductibles, and terms of coverage is a strategic risk assessment decision between the organization and their cyber insurance broker that should include a range of factors specific to the organization including core risks, current controls, organizational risk appetite, and other factors.

Cyber insurance may be contractually required by third parties and vendors/clients. Additionally, if in a regulated industry, regulators may mandate or 'strongly encourage' obtaining cyber insurance."

Theresa Le, Chief Claims Officer, Cowbell:

"Cyber insurance is highly recommended. Even with the best cybersecurity efforts, businesses still face residual cyber risks due to system misconfigurations, employee errors, or other unintentional security gaps. It is increasingly common for cyber coverage to be required in contractual agreements."

Bud Broomhead, CEO, Viakoo:

"They can live without it—many organizations self-insure and have for a long time—but they can't live without doing at least some of what cyber insurance requires of an organization. Whether insured or self-insured, organizations need to do their own risk assessment, establish cybersecurity policies and practices that can be audited, and have metrics to measure their effectiveness with."

[Related Podcast: The Link Between Cyber Insurance and Incident Response]

What's the best way to assess how much coverage is enough coverage? How does it vary by industry?

Scranton:

"A great place to start is with your cyber broker or agent, going through the risk assessment process as previously mentioned. They can help guide you to determine coverage."

Le:

"Businesses should opt for insurers that include a risk assessment of the organization with the goal to remediate identified security weaknesses prior to quoting. A thorough process should include industry-specific evaluations such as the use and protection of an OT network in manufacturing or the volume of regulated records (PII, PHI or other) processed by the organizations in sectors such as healthcare or financial services.

Advanced cyber insurance solutions like Cowbell will suggest coverages that map to identified insurable risks, including for specific industries."

Broomhead:

"It varies dramatically between organizations and how they operate, even within an industry. For example, delivering similar products via the cloud versus on-premises can have a major impact on how the cyber risks would be viewed. The best way is to understand the overall attack surface within an organization (datacenter, cloud, use of IoT/OT devices, physical locations, etc.) and make a risk assessment based on how each of those attack surfaces will impact the organization. The goal should be business continuity and resiliency, as the likelihood of an organization facing a cyber attack is 100%. If the organization is dependent on IoT/OT devices for generating profits, having cybersecurity strategies specific to that attack surface and plans for those systems being resilient to attack."

What about the new exclusions that prevent policies from paying due to acts of war?

Scranton:

"Each cyber insurance policy has different terms of coverage that change regularly. Coverage terms (and relevant exclusions) should be discussed and considered by the organization and their cyber insurance broker and/or legal counsel. "

Broomhead:

"Cybercriminals are most often behind attacks on commercial organizations, not nation-states or as an act of war. Trying to redefine cyber attacks based on whether a nation-state was involved or created the attack vector initially seems like it will create legal chaos on those determinations."

Scranton:

"See above. It is important to ensure that cyber insurance terms specifically address organizational risks, and coverage needs should be discussed and considered by the organization and its cyber insurance broker and/or legal counsel."

Broomhead:

"Yes, especially as within the supply chain, buyers are putting more conditions on their suppliers to have cyber insurance. As long as it is backed by the organization having a clear sense of their risks and financial exposure, having low cost/limited coverage options could be a good way to augment self-insurance. "

What else should CISOs and their organizations know about cyber insurance that they may not be thinking about?

Scranton:

"Cyber insurance is part of the overall cyber risk management strategy and can provide significant value to an organization as part of an organization wide approach. The CISO, Risk Management, and additional functions should collaborate—or for smaller companies, the person that approves the insurance purchase—to determine their insurance needs and cyber insurance coverage, and terms should be developed in conjunction with advice from a qualified cyber insurance broker."

Le:

"Businesses and CISOs should consider the additional benefits of getting a modern standalone cyber insurance policy, where the insurer contributes to the strengthening of the organization's cyber resilience. For example, Cowbell bundles with its policies a set of services that go beyond cyber claim handling to include comprehensive cybersecurity audits from expert risk engineers, cyber awareness training for employees, and on-going support to improve their risk profile."

Broomhead:

"Cyber insurance over the last 10 years has been a substitute for more governmental and industry-level regulations. In that way, it plays a critical role, and CISOs and their organizations should ask themselves if they prefer the alternative of more mandates, regulations, and compliance requirements."

Dan Lohrmann, Field CISO for Public Sector & Client Advisor, Presidio, wrote in a recent blog post, titled "Major Cyber Insurance Overhaul Begins Now" about how Lloyd's of London, a major player in the global insurance market, is calling for dramatic changes in the cyber insurance market—including exemptions that would prevent policies paying out if a major attack related to "acts of war." Lohrmann writes:

"This Forbes article (contributed by Forrester) does a nice job of summarizing the many strategic objectives in the strategy at a high level and is worth reading. Here is what they say about objective 3.6 under cyber insurance:

'Cyber insurance is one component of a multilayered cybersecurity and risk management strategy. Today's environment of systemic risks stemming from global events, geopolitical threats and third-party risk events has a cascading impact on and across organizations—and the cyber insurance market. The call for a federal response to support the existing cyber insurance market is welcomed. This kind of subsidization, however, could be costly to the government, much like individual flood insurance. If exploration moves to enactment, reforms will likely be needed in the future. Meanwhile, organizations must address the current reality of cyber insurance market dynamics and increasingly stringent requirements for obtaining cyber insurance policies.'

Another blog post from Dark Reading, titled 'Skinny Cyber-Insurance Policies Create Compliance Path,' says cyber insurance has grown more complicated, noting:

'Having cyber insurance used to be as simple as purchasing a prepackaged cyber insurance policy, similar to the process of buying a home or car insurance policy. But with the explosion of ransomware attacks, the industry has been in disorder as insurance carriers and brokers process claims for damages caused by ransomware.'"

Stan Black, CISO at Delinea, approached the questions a bit differently:

• Why is cyber insurance necessary?
  "Cyber insurance isn't really an option anymore, no matter if you are a public or privately owned company. The increase in cybercrime such as ransomware and data breaches has shown that most organizations and their employees are still not doing enough to protect themselves and reduce risk. It's not a matter of if they'll have a cybersecurity incident, it's a matter of when. Cyber insurance provides additional peace of mind and protection from that risk."
• What should the policy cover?
  "Not all cyber insurance policies are equal. For example, how 'incidents' are defined can vary greatly, and breaches versus incidents have very specific criteria. Clarity on language and definitions is very important. A recent survey by Delinea found that there are many things that are not covered in a majority of cyber insurance policies that you would think would be obvious. For example, only 36% covered incident response, 29% covered legal costs, and 28% covered ransomware payments. It's important to make sure to have a clear understanding of how things are defined and truly covered by the policy."
• What's the biggest mistake organizations make when shopping for cyber insurance?
  "Aside from not clearly understanding what the policy truly covers, many organizations do not know about the preparation that needs to go into the application process. Be prepared to disclose policies, testing results, past security incidents and breaches, cybersecurity training, compliance, and solutions in place. While some insurers might have less strict requirements, many will want to have a clear picture of what they are insuring."
• Is there anything else you would like to add?
  "Many insurers have crisis communications firms on retainer, and incident response teams available, as well. These should be a part of the selection process, as most insurance providers who don't offer this may not be ready to provide the assistance required when events occur."