Cybersecurity Insurance: You May Be Doing It Wrong

As most infosec professionals are aware, insurance companies have begun offering cybersecurity insurance policies to offset the costs of a breach. Yet in our 2016/2017 Security and Risk Management benchmark, just over half (57%) of companies report that they have it, and the vast majority aren’t requiring it of vendors and third-party suppliers. Is it really worth the trouble, not to mention the additional cost?

As with most things, the answer is, “it depends”.

We recommend considering cybersecurity insurance—but only as part of a holistic infosec risk management strategy.

That means avoiding the three biggest mistakes most companies make. The first is viewing cybersecurity insurance as a replacement for, rather than enhancement to, appropriate investments in technology. The second is taking a haphazard “checklist” approach to procuring it, rather than integrating the risk mitigation it provides with that provided by improving technology and processes. And the third is to avoid cybersecurity insurance altogether, on the grounds that “it won’t do any good”.

Source: Nemertes 2016/2017 Security and Risk Management Benchmark

A classic example of the first kind of mistake is Sony.

In 2007, Sony Pictures’ former Executive Director of Information Security Jason Spaltro opted to procure cybersecurity insurance in lieu of hardening Sony’s systems against intrusion. His reasoning? It would have cost $10 million, but the cost of notifying customers of a breach would be just $1 million. Based on his scenario, Spaltro concluded “I will not invest $10 million to avoid a possible $1 million loss.”

We all know how that ended.

In the 2014 breach, attackers stole highly confidential company information, including 47,000 employee and celebrity Social Security numbers, disabled the studio’s computers and wiped its servers, and spawned a flock of legal actions. To date, Sony has spent around $35 million rebuilding its data systems and another $22.5 million settling class actions brought by its employees.

In the second type of mistake, the board or the CFO procures cybersecurity insurance without engaging, let alone obtaining buy-in from, the infosec professionals. It’s no surprise that in this scenario, the greatest perceived value of cybersecurity insurance lies in helping senior executives sleep at night: “We view it as a checklist item for the board,” says one CISO at a financial services firm. The downside to this approach is that it misaligns insurance coverage with actual risk.

Just ask Target: The company thought it had reasonable coverage before the 2013 breach, but as of its latest SEC filing, the company has incurred $291 million of cumulative direct expenses, offset by expected insurance recoveries of $90 million. In other words, the firm’s direct expenses are $200 million greater than anticipated (and the “direct” expenses don’t even factor in costs such as the increased cost of capital due to lowered credit ratings).

And in the third type of mistake, companies misinterpret the lessons of Sony and Target to decide that cybersecurity insurance isn’t worth the effort. “What if we took that money and put it towards tools?” asks the CISO of a large manufacturing company, which has chosen not to invest in insurance.

I’ve got no issues with enhanced technology investment—but just as investing in insurance in lieu of technology is a bad idea, so is the opposite. Both investments are necessary but insufficient.

To get the best benefit from cybersecurity insurance, infosec professionals should work closely with risk managers to understand what insurance will and won’t cover—and which gaps are best filled with technology vs insurance (and vice versa).

In sum, we recommend at least assessing cybersecurity insurance as part of a coherent risk management strategy. Insurance can’t protect against every risk, but it does serve a good purpose when wisely deployed. And properly used, it augments, rather than replaces, technical risk remediation.

Even if the conclusion of this assessment is that cybersecurity insurance isn’t right for your organization right now, you should revisit that decision on a regular basis as the market matures. How to do that, and what to look for, are the topics of upcoming posts. Stay tuned!