With prominent corporations from across the economy bleeding customer data and paying through the nose for it, "cyber insurance" has become a hot topic in corporate boardrooms and the media. Companies – from the Fortune 10 on down – are looking to hedge their online risks with various kinds of business insurance. That demand, in turn, is fueling a rapid expansion of the cyber insurance industry that was little more than a niche offering five years ago.
But insurance industry experts and corporate security professionals offer words of caution for companies that think they may want to insure their cyber risks. The cyber insurance market, they say, is still new. Companies that want to buy such a product would do well to understand their needs and the limitations of cyber coverage before they put their money on the table.
Insuring 'everything that everyone does'
At AON PLC, the London-based firm that is the world's largest reinsurance broker, Kevin Kalinich, AON's Global Practice Leader for Cyber Risk, says that data from the company's Global Risk Insight Platform (GRIP) – a repository of insurance placement data – shows the cyber insurance market growing at 38% annually. That is about twice the rate, measured by market sales, of the next fastest growing market that AON tracks, according to Kalinich.
Cyber incidents at private sector firms tend to follow a familiar pattern: law enforcement is contacted and begins a criminal investigation. Cyber forensic investigators are hired to piece together what happened, and security consultants analyze and remove the malware from any affected systems. Finally, customers who were affected are notified and – typically – offered free credit monitoring services to help watch for fraud linked to their stolen identity or account information. All of these services come at a cost, of course, as does the business disruption that results. Current cyber insurance policies are structured to recover some or most of those costs.
But Kalinich argues that the market is just getting going. "If companies think about a single line of insurance covering data breach and loss of PII (personally identifying information), then that's a narrow scope of the problems that we're solving," said Kalinich. "If you think about companies' increasing use of technology and information assets, then you're talking about every activity that everyone does."
In the not-too-distant future, Kalinich believes the cyber insurance market will expand to address cyber risks to supply chains, business up-time and even exotic problems like cyber terrorism.
Lots of demand, little data
But the fact that the cyber insurance market is expanding does not mean that it is "established" – in any sense of the word – or that big risks don't exist for both insurers and the insured. In fact, in an industry that is as data driven as insurance, the lack of reliable, historical data about cyber incidents is downright scary for many who work for or with insurers.
"There's no doubt this is a hot space," said Jake Kouns, the Chief Information Security Officer at Risk Based Security, a consultancy based in Richmond, Virginia.
Kouns advises insurers on cyber risk and said he sees wide recognition, within the industry, that there's money to be made insuring cyber risk. That is so even though there's little reliable data about cyber risks or about where underwriters might reasonably draw the line.
The result is a kind of schizophrenia within the industry. "You have carriers that are just buying the market – offering a million dollars of coverage for $1,500," Kouns said. "They take the approach that ‘if I have 20,000 policies on the books, I can take a lot of losses and still make money.'"
That may be true, and it may not. With so much of the cyber insurance market terra incognita, the likelihood of clusters of adverse events isn't known. But few in the information security industry discount the idea that the cyber insurance equivalent of back-to-back-to-back Hurricane Sandys could occur – if it hasn't already. In fact, the U.S. Secret Service has already warned that one family of malicious software known as "Backoff" could be linked to compromises at as many as 1,000 firms. Some of them – like International Dairy Queen – are household names. The breach at the big-box retailer Target also underscores the point that there are bad bets to be made by insurers, even on wealthy and sophisticated companies. Target reportedly cobbled together coverage totaling $100 million prior to the breach from a variety of insurers.
What is clear is that the kinds of coverage companies need are changing to reflect a changing threat environment. Josh Gold, an insurance coverage attorney in the firm Anderson Kill & Olick, P.C., said that he has seen the focus of insurance shift from coverage for lost, damaged or stolen hardware and data to coverage for cyber crime-related losses. "There's a shift away from accident and negligence to losses from third party actors," said Gold, who represents commercial coverage holders in legal fights with insurers over coverage.
For businesses, two words of advice: caveat emptor
But those changing demands are leading to changes in how insurers underwrite cyber risk, Gold said. And, as in any fast-changing marketplace, the advice to customers from many information security and insurance insiders is caveat emptor – ‘buyer beware.'
An example: coverage for computer-related losses has been a component of standard commercial insurance for years, said Gold. That coverage has included losses due to property crime or so-called "errors and omissions" (aka "malpractice") policies for professional services providers. As the scope of claims related to computer crimes has grown in recent years, however, attorneys have begun pursuing a much broader set of claims against these policies – often successfully.
That has created a lot of space for disagreement. "Property and general liability insurance from 10 years ago said nothing about cyber," notes Kalinich from the broker AON. "There was no specific inclusion or exclusion for coverage."
In some (but not all) cases, breached firms have successfully sued insurers to force them to pay for damages related to cyber incidents under the terms of traditional instruments like "CGL" (commercial general liability) policies, which cover all manner of business risks including protections related to claims of invasion of privacy, Gold notes. Insurers have responded by writing exclusions into CGL and other nuts-and-bolts commercial policies, like so-called E&O (errors and omissions) and D&O (directors and officers) liability policies. Those exclusions carve out cyber claims and push them into new, specialized insurance products.
"Rather than stay silent, companies have introduced specific exclusions for ‘intangible perils,'" Kalinich explains. Those might include denial of service attacks, malicious software ("malware") and other online ills.
Insurers are also taking pains to exclude cyber claims from coverage of ‘tangible property damage,' he said. "They're asking ‘what happens if there's a cyber attack and your ‘loss' is that a building or supply chain or transportation system doesn't work?'" he said. "The question is: ‘what is tangible?'"
No surprise: affected companies who counted on coverage under their existing business liability policies see things differently. The result is an environment in which "there's lots of tension," says Gold.
Covering your assets
With so much in flux, what's a company to do? The first thing to realize is that cyber insurance isn't right for every organization. In fact, many kinds of online threats to businesses may fall between the cracks of cyber insurance policies, as they're currently written.
"I feel like it makes sense if you are a company that has a lot of consumer records," said Jay Leek, the Chief Information Security Officer at The Blackstone Group, a global investment firm. "If there's the potential that you could have records lost and have a financial impact from that, you can get insured to help you get reimbursed."
But Leek said that firms like Blackstone aren't well served by current cyber insurance products. "It's very difficult for insurance providers today to price out a policy," he said. "There are no actuarial tables and there's no way to determine the effectiveness of a given security program in keeping the bad guys out." The result is that insurers generalize about the risks based on the industry a company operates in. But Leek said that approach punishes firms like Blackstone that invest heavily in security. "You can make tremendous investments that don't factor into the premium you have to pay," he said.
Companies that are interested in cyber insurance will need to demonstrate and document processes and procedures to manage their cyber risk, industry experts agreed.
"We want to know: do they have a culture that starts at the top and says ‘everything you do has to take cyber risk management into account?'" Kalinich said. That includes an enterprise-wide focus and increased attention to issues like ‘bring your own device' policies and third party risk.
"Companies need to have some level of sophistication," said Stephen Boyer, the Chief Technology Officer at BitSight Technologies in Cambridge, Massachusetts. Insurers have their eyes open about the difficulty of preventing attacks and even breaches of security. They want to know that companies will at least be able to detect the malicious activity "without the FBI having to tell them," Boyer said.
In an environment of near-constant cyber attacks, the ability of companies to respond quickly to incidents and work with insurers, regulators, law enforcement and customers in a timely and orderly fashion will be paramount.
"Everybody has issues," Boyer said. "The highest performing organizations are the ones that have the ability to detect, remediate and recover."