LAS VEGAS -- Cyber insurance can pay out millions of dollars to cover the cost of data breach liability, but buying the policies can be a nightmare for info security pros, and premiums for similar coverage can vary wildly, an Interop audience was told.
On the flip side, the insurance companies lack underwriters with IT knowledge, a good model for assessing risk, a common vocabulary to discuss policies clearly, and face a looming threat that a single successful attack of just the wrong kind could mean a major financial hit, says Dave Bradford, co-founder and chief strategy officer at Advisens.
Regardless, cyber insurance is such a good idea that security vendors recommend it and the market is expected to boom over the next five years, he told an infosec audience at the Dark Reading Cyber Security Summit at Interop.
The market for cyber insurance in 2015 was $2.5 billion. For 2020 it’s estimated anywhere between $5 billion and $10 billion. By comparison, workers’ compensation insurance is a $55 billion market.
Companies not buying cyber insurance are the ones being hit most, he says. More is being bought by larger companies, but 60% of the attacks that result in harm are directed at small companies, most of which don’t have the insurance, he says.
The exact coverage they are passing up varies depending on which insurance company is selling the policy, but common coverage includes forensics, restoration of the network, public relations, attorney fees, notification of victims, call centers to field inquiries, litigation, extortion payments, fines and penalties and business interruption.
+More on Network World: Interop: 12 killer (and free) tools for network engineers+
They cover data breach and privacy claims, incident response costs, liability for damages, defense costs, civil fines and penalties, industry fines and penalties (such as payment card industry), business interruption costs, and media liability. The latter is for Web site content that is libelous.
They also cover pre-incident services such as certain network security costs, employee training, and incident planning, all of which come before a breach occurs but that can help mitigate the ultimate cost.
Generally not covered are reputation damages to the company because they are hard to quantify. Cyber-related bodily harm and property damage, and stolen intellectual property are also generally not covered, again because it’s difficult to put a price tag on them, he says. Funds-transfer fraud – think of whale phishing – is also not covered. (That’s when the CFO carries out the CEO’s order to cut a big check to a third party only the email was spoofed and an attacker gets the money.)
Bradford separates companies that buy cyber insurance into two groups. Those with less than $500 million in revenue pay $2,000 to $5,000 per year for payout limits from $1 million to $5 million. Those with more than $500 million in revenue pay $100,000 to $500,000 per year for $5 million to $20 million in payout limits.
It’s difficult to say how much any given customer needs, but “I’m not sure $1 million gets you very far nowadays,” he says.
The biggest financial issue for insurers is that a single security incident affecting a large chunk of companies means they have to make payouts to most of their customers all at once. A breach of a major cloud provider, for example, could trigger such an outcome, he says.
More than 60 insurers offer cyber coverage, with just seven of them landing 65% of the business.
Some existing types of insurance (general, product and professional liability as well as insurance covering directors and company officers) cover some aspects of cyber damage, depending on the policy. The trend, though, is that this coverage is being cut back and separated out into stand-alone cyber-insurance policies.
Buying cyber insurance is a mammoth undertaking, he says. It’s hard to understand exactly what is covered and it’s even harder to explain it.
Talking about cyber insurance is complicated by the lack of a common vocabulary for insurers and their customers to use. For insurance companies the term risk means how much should they charge for premiums. But for a customer, risk means how likely is it that the network will be breached resulting in harm. Definitions of other terms might vary even between insurance companies, further muddying the process of comparing policies, Bradford says.
The policy language is so dense that many insurers recommend that agents – who sell directly to customers but represent many insurers – refer potential clients to the companies themselves for explanations. Trying to compare and contrast different policies from different insurers is even more difficult.
Writing the policies is no picnic either. Underwriters are feeling their way because there are no established risk models to help them decide whether a particular customer meets criteria to be insured. The underwriters, in general, don’t have infosec experience or education to help them discern whether customers have sufficient defenses in place. As a result they rely on consultants or use internal infosec staff at the insurance company to help out. Some insurers use risk-rating platforms such as BitSite so they have a number to help sort it out, he says.
Because cyber insurance is a new frontier without good risk models, it’s hard to figure what premiums to charge, Bradford says. Similar coverage from competing insurers can vary from $10,000 to $50,000.
The complexity of the applications that insurance buyers have to fill out also varies widely depending on how big their companies are. A small company might fill out a form with four or five questions as basic as, “Do you use anti-virus and other basic security measures?”, “Do you encrypt sensitive data?”, “Do you encrypt all data at rest?”, “Have you suffered breaches before?”, and “Are there complaints against you about data protection and security?”
Larger companies might get five-page questionnaires.
The attitudes of corporate executives have a lot to do with how easy it is to buy cyber insurance, he says. Many companies are making the decision at board level, and if the board is opposed it’s hard to get the purchase approved.
Some audience members who are infosec pros say they have trouble convincing CEOs that the insurance is worth it. Others say that since the insurance doesn’t cover loss of business or future business based on damaged reputation from a breach, perhaps executives would approve hiring more security analysts to stave off such damage.
Insurers in some cases are going to court to argue that their policies don’t cover what the customer think they do. “There’s not much litigation yet,” he says, “so the interpretation of policies is fluid now.”