As awareness of the long-lasting consequences of data breaches grows, alongside the apparent inevitability of such events, more companies are seeking cybersecurity insurance, also known as corporate insurance. To learn more about what cybersecurity insurance can and can’t do to mitigate the damages to a breached organization, and what modifications to these products we can expect to see in the short term and long term, I spoke with MetricStream VP of GRC Solutions Yo Delmar.
First, a little history. And there actually is history here, which might surprise those new to the cybersecurity insurance concept. This type of insurance coverage has existed since the 1990s, explains Delmar. Only a few insurance companies provided it at first, but it has experienced rapid growth, and is now actually the fastest growing niche in the insurance industry. Thirty major carriers now offer a cybersecurity product.
“Cyber insurance, or network risk insurance, as it’s sometimes called, really took off about two years ago, when it became apparent that the cost of breaches was increasing. The growth rate is between 20 and 30 percent, depending on who you’re talking to; Marsh and McLennan says 21 percent and AIG says 30 percent. It’s at $1.3 billion for 2014, up from $1 billion in 2012, and Marsh and McLennan’s expectation is $2 billion in 2015.”
Another key event in the growth of cybersecurity insurance products, says Delmar, was the 2011 case in which a New York court ruled in favor of an insurer’s refusal to pay for data breach damages following a major breach of Sony’s gaming consoles. The insurer argued that Sony’s general liability policy didn’t cover the damages, and awareness of the need for a set of policies specifically for network security exploded.
More recently, says Delmar, guidance from the Department of Homeland Security on cyber insurance has gotten the message out to more businesses that a data breach equals business interruption and network damage. The direct result is key to both the growth and the efficacy of these insurance products:
“More insurance is taken out, and it is more clearly around preventative measures. The best practices that are put in place at the same time create better outcomes. They lower premiums, and will cause businesses to change behaviors.”
Who Is Insured
As far as who is taking out policies and what they’re paying, Delmar says companies of all sizes purchase cybersecurity insurance, but of the premiums paid last year, the bulk were from small and midsize businesses. Expect more large companies, she advises, to do so in the near future, especially after the Target breach:
“The maximum coverage is $300 million, which is much lower than that available for property insurance (that’s often in the billions). Target had $100 million in coverage and probably saw $3 billion in cost. But there’s murkiness here, a lack of data for the actuarials. As we get more historical data, more research models will be better clarified, and insurance will expand, not only in monetary value, but in inclusion of physical property coverage in extended policies, as well.”
Part of the reason that there isn’t a lot of historical data – and what is there isn’t relevant – is that the threat continues evolving, says Delmar.
“But the board-level awareness of breaches and their costs is a security professional’s dream, because they need the business involved. This type of insurance offering gets eyes on the problem. As the damage and harm increase, and companies are brought to their knees, we’ll be seeing more thought around this in order to predict risk. It’s a complex puzzle, but we have to solve it.”
Legal, Consulting Firms Jumping on Insurance Demand
Also pushing growth in these insurance products is attention from the legal and consulting communities, Delmar notes.
“We see practice areas organized around it, and that is a leading indicator. That’s one way you know the demand is there. Specialized practice areas in law firms can advise on a range of policies, help minimize the cost of disputes, help draft policy language, and throw light on exclusions to allocate risk. They can develop guidelines, negotiate policies, reach social media. They’re developing best practices for social media use in claims investigation, for example.
And the large consulting companies are able to advise on regulatory requirements and admissibility challenges, and offer discovery case experience. The development of these specialties is a natural response to market demand.”
In the mid term, beginning in 2015, Delmar expects to see much more benchmarking and 360-degree risk assessments – all with cybersecurity included.
“We should see more effort in root cause analysis, finding the components of attacks, and whether there was negligence. If 70 percent of breaches are traceable to human error, and they are, where does the liability lie?
If Microsoft or Apple stop supporting a product, for example, or a product is obsolete and has vulnerabilities, and a company has not taken steps to deal with that, and as a result a breach occurs, that’s an example of due care, of the lack of a level of protection from the business and its coverage.
Less than half of companies right now have risk management programs. How can an insurance agency measure risk without evidence? We’ll see more baseline demands, more objective third-party assessments, and more testing for coverage, controls and certifications.”
A New Role Emerges: Cyber Actuarial
With more intense sharing of analysis and clarity of rules, says Delmar, will come the rise of cyber actuarials as a new role in the business. “They’ll be very aware of the cyber threat world and actuarial analysis. Specialists will be brought in to lower rates, before insurance is taken out.”
With its existing experience, the insurance industry has a lot to offer clients and potential clients, says Delmar, and will act as an accelerator, injecting expertise into processes and showing companies what level of protection they have to have.
“I see them as cross-industry collaborators, forcing functional improvements, raising the bar in companies’ ability to respond. In the free market, once risk gets to the tipping point, these vehicles come into play. And I welcome them. We underestimate breaches and where they are going, we underestimate the distribution models and the underweb. We have to build muscle against every part of the kill chain; it’s now about continuous monitoring of threat vectors to data, not a top-down approach.”
Kachina Shaw is managing editor for IT Business Edge and has been writing and editing about IT and the business for 15 years. She writes about IT careers, management, technology trends and managing risk. Follow Kachina on Twitter @Kachina and on Google+