If there’s an inconvenient truth in today’s world, it’s that risky business is the new normal. According to the Ponemon Institute, the average cost of a data breach now stands at $3.62 million. Attempted intrusions are up 27 percent annually, and the overall costs associated with cybersecurity are rising 23 percent a year.
Quite logically, many organizations have turned to cyber insurance to mitigate risk exposure. Such insurance offers clear benefits—including offsetting costs associated with a breach and tapping expertise and resources that otherwise wouldn’t be available. As Tim Riley, senior director of business development at Palo Alto Networks, put it: “Cyber insurance providers are continuing to launch service offerings that assist their customers. This includes financial risk mitigation, but also pre-breach prevention capabilities and post-breach response planning.”
However, there’s no simple way to approach cyber insurance coverage. “Increasingly complex cyber security risks require a more nuanced approach,” observed Jason Krauss, Cyber/E&O thought and product leader for consulting firm Willis Towers Watson.
How can your organization adopt a best-practice approach? How can an executive team fashion cyber insurance to fit specific needs? While there are no simple answers, experts say that there are ways to navigate the space and avoid pitfalls, problems, and gaps. Tom Ricketts, senior vice president and executive director at professional services and reinsurance firm Aon Plc., said that businesses must be careful about how they approach and structure policies. The goal isn’t to obtain the lowest possible premium; it’s to maximize protection.
Here are five ways to ensure that your insurance is hitting the mark:
- Understand the terms and mind the gaps. Not all policies are created equal—even when they seemingly address the same issues, threats, and risks. For example, it’s essential to recognize terms such as “directly” and “solely” in a policy. These might allow an insurance company to deny coverage under certain circumstances. Courts are also defining terms more precisely. In November, for instance, a Canadian court ruled that social engineering attacks were not covered by a cyber policy because the employee wiring funds was acting directly on the company’s behalf rather than as a third party. In addition, different states and countries can have different data-management requirements, liability laws, and notification processes. This means that an insurer might not cover costs in places where specific actions aren’t legally required. Finally, some policies don’t allow a choice of counsel or vendors. This means that data, information, and intellectual property could be visible to unwanted eyeballs.
- Approach the task realistically. It’s important to address cyber insurance requirements in a truthful, holistic, and comprehensive way. Unfortunately, many organizations make things more difficult—and sometimes more expensive, in the long run—by presenting their security framework in an artificially positive light, Ricketts points out. This isn’t a good idea, because the application becomes part of the policy. So, if any part of the application misrepresents the company or isn’t true, the insurer will likely balk at paying out a claim, he noted. In addition to being truthful, it’s smart to attach whatever supporting documentation management believes underwriters will need to assess the company’s risk. Yes-or-no answers typically aren’t adequate, Ricketts pointed out.
- Recognize the limitations. Insurance providers offer vastly different policies and protections. Consequently, fashioning seamless protection is easier said than done. Walter Andrews, a partner at the law firm of Hunton & Williams, explained that some policies don’t cover cyber espionage by nation states (though coverage in this area is expanding). Others don’t address rogue employees. Still other policies don’t cover personal devices—even though employees often use personally owned computers, tablets, and smartphones at home or in coffee shops to do their work. As a result, it’s important to review policies and understand how and when to address niche coverage—or enact strong security. Overall, experts say that a wise approach is to involve legal, cyber, and insurance experts in the review and selection process.
- Appreciate how cyber attacks are changing. The nature and scale of cyber attacks are different from those of times past. Not only have online gangs and criminals become far more sophisticated—in some cases their abilities exceed those of corporate IT departments—but a growing tangle of nation-state players and shadow brokers have entered the picture. “No matter how high you build the wall, they find a way to build a higher ladder,” Krauss of Willis Towers Watson said. This translates into the need to build strong protections, of course. However, it’s also critical to make sure that all security systems and processes mesh with cyber insurance coverage, he said. “More markets are looking to address gaps in property, general liability (GL), and special crime coverage to include cyber exposure—and many organizations are looking to expand cyber coverage in general,” he noted.
- Acknowledge that cyber insurance requirements evolve and change. Digital technologies constantly disrupt cyber security and cyber insurance, Krauss said. For example, the Internet of Things (IoT) ratchets up the risk by broadening the attack surface. IoT devices, including cameras, add to convenience and capabilities, yet it’s important to recognize that “ease of use equals ease of abuse,” he noted. This includes commandeering devices for spying and stealing data as well as unleashing Distributed Denial of Service (DDoS) attacks and other digital threats. According to Krauss: “It changes first-party and third-party exposure. It requires an organization to identify risks and protections in different ways.” Other emerging issues include biometrics, artificial intelligence, autonomous systems, and data storage in the cloud.
Palo Alto Networks’ Riley concluded that the industry is trending toward “better coverage, less exclusions, better rates, and other benefits that occur as the market matures.” Krauss said that a well-defined cyber insurance strategy pays dividends. Auditing and reviewing security can lead to better protection, diminished losses if a breach occurs, and lower premiums for organizations that display increased levels of security. He said: “Every company must identify the best course of action. The goal is to have the broadest possible coverage and the best possible protections.”
The bottom line: cyber insurance isn’t a one-and-done proposition. As technology evolves, an organization’s coverage must change to keep up.