Cyber Insurance 101 for Today's CXOs

Bibhuti Kar, Sr Director- Engineering (Security Technologies), Cisco | Saturday, 16 December 2017, 06:06 IST

Cyber insurance is an emerging insurance product category designed to protect enterprises in any unfortunate event of cyber-attacks on their assets. As more and more enterprises go ‘online’ and ‘digitize’, complete awareness of this topic is a must-have requirement, whether one believes in this instrument or not.

What is the Cost of a Cyber-Attack?

Let’s accept it. Cyber attackers/hackers are real, organized, business savvy, driven and technically progressive. And in some cases, even state sponsored. Considering the top data breach and DoS incidents of the past decade, starting with Sony, Ashley Madison, WannaCry, Petya etc., the true damage to the organizations under attack falls into one (or more) of the following quadrants.

The ‘tangible and direct’ impact of a cyber attack / data breach / DoS on an enterprise is as good as any business loss that can be quantified and insured against. It can pretty much be included in the ‘General Liability Insurance’ of any enterprise. And just as in personal health insurance a simple medical test can determine the premium and coverage, the “security maturity of the IT infrastructure” can be used for finding the right coverage and premium in this case. This would be ‘first-party’ insurance.

Who is Selling and Who is Buying ‘Cyberinsurance’ Today?

According to ‘Nemertes’ research published in 2017, among all the participants in the “Nemertes Security and Risk Management Benchmark 2016”:

- 87.5 percent said they considered purchasing cyberinsurance

- 57.1 percent have active cyberinsurance policies

- 28.6 percent required third-party vendors to carry a policy

According to a 2015 report of the National Association of Commissioners, over 500 US insurers provided “cyberinsurance” to businesses and select individuals, with annual premiums of 1.4B USD.

It has been years since general liability insurance or ‘packaged / umbrella’ liability insurance was adopted by enterprises worldwide. As more and more enterprises digitize, their IT infrastructure, intellectual property and online reputation need a separate category of insurance protection. While many umbrella policies offer ‘data breach rider’ add-ons, the adoption of ‘standalone’ cyberinsurance policies is on the rise. Nearly 1B USD of the 1.4B premium went to ‘standalone’ policies in 2015.

Some common types of cyberinsurance being sold now are:

1. Network Security Policy: Covers breaches to enterprise IT infrastructure

2. Privacy Liability Policy: Covers wrongful collection, loss or theft of information

3. Media Liability Policy: Covers IP/Copyright infringement, legal claims etc.

The coverage can be ‘self-insurance / first-party’ or ‘third-party’, just like personal health or motor vehicle insurance. First-party insurance covers all costs involving investigation of the breach, the cost of notifying customers, public relations etc., while third-party insurance can help with legal defense against class action lawsuits, settlements and regulatory penalties.

Current exclusions

Most policies still do not cover state-sponsored espionage or major ransomware. It is highly unlikely that any instrument will include intangibles such as:

- Loss of reputation

- Opportunity cost

- Cost of technology upgrade for better cyber defense

Future of Cyberinsurance

This segment of insurance products is caught between believers and non-believers like any other insurance segment, but with a twist: pace. The pace of change in information technology outpaces that of change in insurance policies. Converging on such a template by using currently popular security certifications such as ISO27001 is not yet scientific.

While boardrooms are debating the cost vs. benefit of insuring themselves against data breaches, one trend is getting clearer. Almost all enterprises are asking their service providers to be insured, be they telecom providers like AT&T, Airtel and Verizon, or cloud providers like Amazon, Azure and Google. It is becoming mandatory for the service providers.

Also, large enterprises, which have a multitude of disparate partners with varying degrees of access to their IT infrastructure and data, are demanding that their vendors and partners be insured.

Eventually, every enterprise is another enterprise’s vendor/partner. This covers the full 360 degrees of the enterprise ecosystem. The security technology vendors are not sitting idle either. They are forging unique partnerships with insurance companies to bundle cyberinsurance with their products and services.

The Silver Lining

The real positive in all this is the heightened awareness of ‘cybersecurity’ among enterprises. There is a price for the unlimited productivity growth that IT is providing to business. Either build a super strong infrastructure and a cyber-aware workforce, or insure your business. The real solution is doing both, in different degrees, where it fits the budget and serves the purpose. No one needs insurance until they do.