Special Note: This article was published in the ISACA Volume 5, 2016 magazine. Summary reprinted by permission.

The rapid advancement in technology is driving tremendous change in many industries. As a result, vast amounts of data are generated which can be harnessed into information to facilitate and make sense of a world in constant motion. For that reason, data are now considered a wealth generator for the 21st century. Consequently, the financial costs from data loss through cyberevents can be quite staggering. For instance, the highly publicized attack on Target cost the retailer and financial institutions an astronomical US $348 million. The cyberattack on the hotel chain Wyndham not only released credit card data of more than 619,000 customers leading to US $10.6 million in losses, but also subjected the company to a US government lawsuit for deceptive business practices because the chain got hacked on three separate occasions.

The focus on cybersecurity has, perhaps, never been sharper, as cybercriminals continue to raise the bar with ever more sophisticated attacks. This includes making full use of the Dark Web, conducting lucrative e-commerce behind hidden identities over encrypted networks such as Tor. Although the short-term impact of a cyberattack can be overwhelming, the long-term implications can be burdensome in their own right. Some of those long-term implications include:

  • Business continuity/supply chain disruptions
  • Finding and fixing vulnerabilities
  • Forensic accounting for lost data and record management
  • Data restoration
  • Notification cost to those affected by breach
  • Payment of ransom in cyberextortions
  • Identity theft protection and credit monitoring
  • Reissuing compromised cards
  • Regulatory and civil sanctions
  • Shareholders’ suits against board and management
  • Legal fees during investigations and trials
  • Loss in competitive advantage and markets
  • Brand damage
  • Loss of customers, profits, and jobs

Interestingly, a 2016 survey found that 66 percent of US (and 75 percent of UK) respondents were likely to stop doing business with a hacked organization. In real terms, though larger companies may be better equipped to weather a cyberstorm and its aftermath, according to Experian, 60 percent of small businesses close their doors within six months of an attack, making cybercrime an equal-opportunity threat with unequal consequences. Hence, with data breaches and hacks seemingly inevitable and their detrimental impact presumably inescapable, enterprises are beginning to consider cyberinsurance as a component of their risk transfer strategy. In other words, organizations seek to contractually obligate an insurer to accept part or all of their risk in the event of a cyberattack and/or breach.

Types of Policies

A traditional general liability policy covers only property damage, making it inadequate for cyberrisk because data is defined as intangible property. To address this shortcoming, approximately 50 global insurers offer cybercoverage, 35 of which are in the United States. Carriers offer some combination of the following four components:

  1. Errors and Omissions
  2. Multimedia Liability
  3. Network Security and Extortion Liability
  4. Privacy Management

What cyberinsurance does not cover, though, is prior knowledge of issues, pending litigation, reputational harm, loss of future revenue, the cost to improve internal technology systems, lost value of intellectual property, bodily injury or property damage, and effects from malicious cyberattacks. Some cyberattacks are nebulous in nature, which makes them difficult to cover as well. For example, Verizon reported a tripling of nation-state-sponsored attacks between 2012 and 2013, yet this attack source remains uncovered due to the difficulty of attributing an attack to a single adversary.

The Fine Print

Although a variety of policies are available, each is designed differently by the individual insurer. Without careful due diligence, the insured may acquire a policy that excludes most real-world threats, overcovers less likely scenarios and places unreasonable limits on others. For the latter, a simple failure to notify the insurer in a timely manner is a common reason for denying coverage. For instance, a policy may require that a breach be reported prior to, or within 60 days of, the policy’s expiration. However, a 2015 Ponemon Institute study found that cyberattacks go undetected for an average of eight months, which is more than enough time for purveyors of stolen data to erase audit logs, impeding forensic analysis and wiping out legal evidence. As a consequence, a company that is unaware it has been breached until months later, or until notified by a third party such as its credit card processor or law enforcement, will have missed the deadline to file a claim.

By the same token, some policies may exclude upgrades and improvements even if a company is determined to be eligible for reimbursement. A payout for recovery objectives that does not include restoring the affected system(s) to a more resilient state than before the attack merely returns the network to the same predicament: exposed to similar attack types, depending on the nature of the attack. The following case study highlights the complex real-world nature of cyberattacks and their impact on cyberliability insurance reimbursement. In 2015, Ubiquiti Networks, Inc. was subjected to an increasingly popular chief executive officer (CEO) scam. Cybercriminals spoofed (or impersonated) the CEO’s email account, then sent an employee at a subsidiary company in Hong Kong instructions to transfer US $39 million to overseas accounts controlled by the attackers. Since the payment was “voluntarily” wired by an employee, “the company may not be successful in obtaining any insurance coverage,” explained the company in a released statement.

Challenges

The aforementioned case study raises the question: How does one go about evaluating the myriad policies and selecting coverage that ensures timely and adequate reimbursement after an attack? Though companies are able to discuss their cyberinsurance needs with insurers, there are important issues both parties must separately overcome. For starters, with cybersecurity dynamically evolving, if management, lawyers or brokers lack the requisite background to evaluate the questions and safeguards at their disposal, they may miss an opportunity to negotiate more favorable policy language that maximizes liability protection. On the other hand, the coverage portfolio they do sign up for may not provide a complete measure of protection for the actual state of their organization’s security posture. Furthermore, a completed insurance application detailing the controls in place may not be vetted by the insurer until after an incident occurs, and the entire policy may then be rendered useless if the information submitted by the business is found to overstate the security measures actually in place.

In the same fashion, traditional insurers, brokers and underwriters versed solely in business and financial risk will lack the requisite skills to adequately assess technology safeguards and risks. IT requires a specialized understanding, but IT security necessitates even more focused expertise because the impact of a cyberincident extends well beyond the information technology department. Best practice in cybersecurity continues to evolve, reinforcing the notion that the solutions that work well today may become obsolete tomorrow. A point-in-time evaluation of a company’s security posture in a constantly evolving threat landscape only increases the complexity of determining the appropriate scope and cost of coverage. The interconnected nature of IT means that the more networks a single business interacts with, the more risk it is subjected to. To get a clear picture of the material risk, each third-party network must also be assessed, which is no easy task for an insurer. And the emerging threats from increased adoption of endpoints, social media and the Internet of Things (IoT) should not be overlooked. For example, it can be difficult to conclusively tie a case of identity theft to a single attack vector because a breach could result from a lost phone, logging onto an infected web site, data stolen in transit in real time or an IoT device connected to public Wi-Fi. In a nutshell, insurers must overcome a wide knowledge gap as they try to determine the type, frequency and severity of cyberthreats facing an organization.

The early days of this hopeful industry present additional challenges worthy of consideration. For instance, government pressure to release breach details without a guarantee of immunity disincentivizes firms from sharing attack analysis data. In the same way, the negative market perception that surrounds a breach restrains companies from talking about their cyberincidents unless they absolutely must. This paradox restricts the historical data and trends released into the market that insurance companies could otherwise rely on to make comparisons within and across industries. From a legal perspective, cyberinsurance language in contracts is still relatively new and not well litigated. For that reason, the lack of robust precedent makes courts reluctant to hear cybercases, so disputes are addressed chiefly through arbitration.

Return on Investment

The market for cyberinsurance is relatively new, unpredictable, and lacking in trend data and comprehensive coverage packages. Greater technical intricacy can lead to vague or complicated contract language and increased trepidation regarding cyberinsurance’s actual value. Does cyberinsurance tangibly demonstrate that it increases security, reduces liability, and is a reliable source of relief during and after an attack? Market sentiment is perhaps best captured in a 2015 KPMG survey, which found that 74 percent of businesses reported not having any sort of cyberliability insurance. Of those that did, only 48 percent believed their coverage would cover the actual cost of a breach. And in a separate report by Reuters, of the few businesses that do get hacked, premiums triple at renewal time. Nevertheless, shareholders expect the board and management to meet their fiduciary requirements to protect company interests. On top of that, not only are regulations beginning to require cyberinsurance, but parties to mergers and acquisitions transactions increasingly view cyberinsurance as a means to limit liability.

Unsurprisingly, companies and boards are forced to spend money when there has been a breach or when they are facing a civil lawsuit after an incident, but proactive measures may actually help reduce the overall burden. The mere process of applying for cyberinsurance can encourage companies to identify best practices and tools, perform advance review, and improve communication among appropriate stakeholders, such as legal, IT, finance and risk management teams, that they might not otherwise consider. Residual benefits can include a higher chance of repelling an adversary and lower premiums, the promise of which may encourage organizations to get serious about their defenses beyond the bare minimum. In a sample of 33 companies spanning the IT, health care, education, retail and financial services industries, cyberpremiums cost, on average, 1.2 percent of total revenues. Premiums for health care companies cost, on average, 2.8 percent of total revenues, largely due to higher risk and rising breaches involving sensitive patient data. In general, chief information security officers will be able to demonstrate a measurable net profit from their cybersecurity initiatives if the savings achieved from decreased incidents plus cyberinsurance reimbursements can be far less than the cost of safeguards plus countermeasures.

All things considered, as this nascent industry continues to mature it remains to be seen if cyberinsurance can demonstrate sufficient value to warrant widespread adoption as a necessary component of an overall cyberdefense strategy.

[email protected] for a complimentary copy of the full article.