The cyber insurance market has experienced an unsurprising boom in recent years, as there seems to be a weekly story about some high-profile breach or another. The “land rush” into this new market has created fierce competition and price wars.
While that’s advantageous to insurance buyers, it’s also a reason for caution and more careful scrutiny of policies. Some insurers are offering these incredibly low prices by cutting vital coverage, and a number of players in the market are money-chasing opportunists that don’t really understand cybersecurity.
These risks were highlighted recently by a study from mutual insurance giant FM Global, and by a summit helmed by cyber insurance experts at the annual Black Hat USA security conference in Las Vegas.
The FM Global Cyber Insurance Report
When you sign up for insurance, you expect that it will cover all reasonable risk. That’s the assumption that the FM Global study proceeds from.
FM Global surveyed 105 CFOs at enterprise-scale companies with annual revenue of at least $1 billion. 71% in total felt that they were adequately covered in the event of a cybersecurity incident. 45% expected their cyber insurance provider to cover most of their losses in the event of a breach, and 26% expected the provider to cover their losses in full.
That isn’t the way most cyber insurance policies are drafted, however. FM Global’s research indicates that many of the costs associated with a breach are not commonly covered by typical cyber insurance policies. Most policies cover customer notification costs, costs from litigation, the cost of a replacement computer system and possibly ransomware payments.
There are many more cyber breach expenses that they do not tend to cover, however: any associated loss of revenue after normal operations are restored, regulatory compliance costs, drops in share price and market share, damage to the company brand, and loss of investment opportunities.
The Black Hat Conference
Meanwhile, in Vegas, industry experts gave a sobering assessment of the current cyber insurance market in a series of micro summit events at Black Hat 2019.
The market has doubled in just five years, yet only about 30% of all companies in the United States are estimated to currently have some form of cyber insurance.
Experts who spoke at the summits included CEOs and CISOs of cybersecurity companies as well as managers and brokers at cyber insurance specialist carriers. The overall theme of the presentations was that cyber insurance has become a modern business necessity, yet both customers and insurers are not yet fully aware of what policies should contain.
Speaker Jeffrey Smith, one of the managing partners of insurer Cyber Risk Underwriters, estimated that only about 20 of the hundreds of companies that have rushed into the cyber insurance market really understood how to assess cyber risk.
Other speakers noted the disparity in pricing in the industry, with plans at rates as low as $1,000 for $1 million in coverage. While that initially seems like a fantastic deal for customers, and companies are highly unlikely to be denied coverage, presenters warned that many of these cut-rate insurers are simply not underwriting properly. Cut-rate insurers may skip critical parts of the process such as risk profiling, making offers to companies based solely on their revenue and the industry they work in.
Failure to pay claims is not a significant risk in the industry thus far; to the contrary, about 90% of claims are being paid and the majority are for the maximum coverage. Speaker Matt Prevost of insurance carrier Chubb noted that this is a sign of most customers carrying less insurance than they need in spite of the exceptionally low cost of policies.
Presenters did warn about exclusions in cyber insurance agreements that can be overly vague or unreasonable to the customer, however. One presentation highlighted policies that exclude coverage for losses such as “failure to take reasonable steps to maintain security” and “failure to encrypt data on mobile devices.”
One major topic of discussion along these lines was the common “war exclusion” clause. It’s extremely difficult for insurers to tackle this issue when the world’s most powerful nation-states have still not entirely settled on terms of cyber war. Nevertheless, this is a common exclusion. Various countries are known to sponsor hacking groups that target private enterprise for financial gain, including some that the United States is formally at war with (such as North Korea). Do these exclusions give the insurer wiggle room to deny a claim? The industry is still far from clear on this point.
What organizations can do to ensure a fair cyber insurance deal
The experts that presented at the Black Hat 2019 summits had a variety of suggestions for companies looking to mitigate their cyber losses with insurance (which really should be any company connected to the internet at this point).
The first is to get the IT department involved in the insurance application process. IT staff can review technical terms that members of the C-suite may not be familiar with, and will likely have a better handle on risk management and levels of expected exposure. Companies should be wary of insurance companies that insist on crafting the policy themselves without any consultation with the customer’s own cybersecurity professionals.
Once an insurance policy is in place, it’s also very important to review its requirements and work them into the existing response plan for cyber incidents. Ideally, this means testing the plan and updating training for all involved personnel once the insurance terms and exclusions are in place. Organizations should also craft and walk through various potential data breach scenarios that could lead to the filing of a claim, to gauge the expected coverage should they occur.
It’s also critical for organizations to keep up with changes to state and federal regulations, which may require changes in cyber coverage.
Finally, plan for the weakest data security link in a cyber attack – the inevitable employee that gets phished, has a ludicrously simple password, or attaches an unauthorized device or software to the company network. What do the exclusions say about these highly likely scenarios, and can company security policy be updated to mitigate those risks?