BreachExchange mailing list archives

Cyber insurance: Dare leave home without it


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Feb 2015 18:56:41 -0700

http://www.washingtonexaminer.com/cyber-insurance-dare-leave-home-without-it/article/2560409?custom_click=rss

When a mid-February report revealed that more than 100 banks were hacked in
what appears to have resulted in over $1 billion stolen from these
financial institutions, it was just another reminder of how ubiquitous
cyberattacks have become.

From Sony’s systems shutdown to data breaches against Target, Neiman Marcus
and Coca Cola last year, virtually every company has been the target of
cyberattacks, the occurrence as daily as waking up with a stretch. Not all
the illegal intrusions are successful, the combination of firewalls,
encrypted transmissions and stern warnings to employees about phishing
doing their duty. But, with hackers increasingly deft at ferreting out
security weaknesses, no company is Fort Knox.

This is made clear by a January 2015 study by the Ponemon Institute, which
conducts independent research on the incidence and cost of cyberattacks. In
2014, the benchmark sample of 59 U.S. companies surveyed annually by the
institute experienced 138 discernible attacks per week, which translates
into 2.34 successful attacks each week, working out to $12.7 million in
average annualized costs. Most companies prefer to keep this information
close to the vest, given the reputational damage its release would cause.

The volume of successful attacks is a sobering jolt, yet most companies
fail to buy insurance to transfer the loss to an insurance company.
According to the Ponemon Institute, roughly one-third of companies buy
cyber insurance. Given the recent bank hackings, security experts and
insurance professionals believe this decision should be carefully
reconsidered.

“As more well-known companies are attacked and the success rate of hackers
increases, this simply reinforces the need for insurance protection,” said
Ken Goldstein, worldwide cybersecurity manager at Chubb Group of Insurance
Companies.

Why Companies Fail to Buy

There are several reasons why many companies pass on buying cyber risk
insurance. Chief among them is the product’s complexity — there is no
one-size-fits-all cyber insurance policy. Different industries and
professionals require different types of insurance coverage, which are
treated in different ways by the few insurers offering the coverage.

“Our study indicates that companies are inhibited from purchasing the
policy because they have concerns about all the confusing exclusions,
restrictions and uninsurable risks that are in them,” said Larry Ponemon,
chairman and founder of the Ponemon Institute.

This is beginning to change. “Several insurers are becoming more explicit
about what is covered and what isn’t covered,” said Robert Parisi, national
practice leader for technology and network risks at insurance broker Marsh
in New York. “We’re also seeing the addition of endorsements to policies
giving buyers the added protections they want.”

Another factor dimming interest in the product is its expense, which is
based on the policy applicant’s previous loss history, industry sector and
the desired financial limits of insurance protection. For $1 million in
insurance, the premium can cost $1,000 annually for a one-person
psychologist’s office, and upwards of $85,000 a year for a $4 billion
pharmacy benefits management company.

In this era where every corporate penny counts, perhaps the premium is
money better spent elsewhere. But, with the recent bank hackings and the
Ponemon Institute figures, companies may want to reappraise the value of
the insurance.

One forceful reason to buy it is that it compels better security risk
management. “The insurers in the market generally require [policy]
applicants to submit to a risk assessment of their security systems and
procedures,” Parisi noted. “If not up to snuff and the company is denied
insurance, it at least now knows where its vulnerabilities reside to
strengthen them.”

If the applicant is given a green light to buy the insurance, the company
also receives free services in the aftermath of a data breach such as
crisis management, victim notification and credit monitoring. Several
insurers also will provide a free forensic analysis of how the cyberattack
occurred.

Interestingly, the companies that buy cyber insurance become more secure
after the fact. Ponemon said that 62 percent of respondents to his
institute’s survey believe the insurance has made their companies “better
prepared to deal with security threats going forward.”

All in This Together

There’s another reason why buying cyber insurance makes sense — the more
companies that purchase it, the better the U.S. government’s insight into
cybercrime.

“A key ally in the fight against cybercrime is the insurance industry,”
Ponemon said. “Insurance companies share intelligence with different
industry groups and with government agencies investigating these crimes.”

He is referring to the National Council of Information Sharing and Analysis
Centers, whose mission is to advance the physical and cybersecurity of the
critical infrastructures of North America. Many cyber insurance companies
and insurance brokerage firms are members of the council.

If companies continue to maintain their dubiety over the need for the
insurance, it is doubtful that the federal or state governments will
require its purchase. “I don’t see a formal mandate,” Goldstein said.

Neither does Parisi. “I think we’ll see a lot of legislation around
security standards, but not insurance buying,” he said. “That said, a
public company that does not have the insurance will have a lot of
explaining to do to its shareholders why it didn’t buy it in the wake of a
severe hacking.”

Legislation governing security standards already exists in the healthcare
sector (the Health Insurance Portability and Accountability Act) as well as
in the financial services industry (the Federal Information Security
Management Act). Nearly all states also require businesses to notify them
immediately in the aftermath of a data breach. Some sectors, like the
payment card industry, mandate their own security standards. “When
industries do this, they become quasi-regulators,” said Nadia Hoyte, senior
vice president of the FINEX division of insurance brokerage firm Willis in
New York.

Other industries are expected to follow suit. Nevertheless, as the bank
hackings demonstrate, neither regulations nor top-notch security guarantees
a company will not be hacked. Insurance is designed to address such
possibilities.

It’s important to note that even with insurance coverage, a company can
still be on the hook for millions of dollars in losses, as no insurer
provides unlimited financial protection. With more than 100 banks
collectively losing more than $1 billion, the insurance industry does not
have the capital to take on many more losses of this size.

To absorb the rest, the U.S. government could step in much like it did
in 2002 with the Terrorism Risk Insurance Act. The legislation created a
federal backstop for insurance claims related to acts of terrorism, picking
up the brunt of losses beyond those absorbed by commercial insurers. A
couple more hackings like the recent bank debacle, and this is not a
farfetched reality.

All the interviewees believe as time wears on and more hackings open eyes,
companies will reach out to insurance companies to spread their risk of
loss. Both Parisi and Hoyte, for instance, said they would not be surprised
if the purchase of cyber insurance becomes mainstream corporate practice by
2020. Ponemon agrees. As he put it, “Things will only get worse before they
get better.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss