Should the Enterprise Buy Cybersecurity Insurance?

Should the Enterprise Buy Cybersecurity Insurance?

Executive Summary

Cyber attacks on businesses and governments are more common than ever before, and are likely to increase. The precipitous rise in breaches over the last decade has created a market for specialized liability policies aimed at mitigating the effects of a breach. Nemertes’ 2016 Security and Risk Management Benchmark study shows that everyone knows such policies exist. A majority (85.7%) has considered purchasing it, and 57% have done so.

Premiums are especially high for large and very large companies, but the decision whether to purchase a policy depends on many factors. Some very large companies choose to “self-insure” just as some do with health insurance. Others fear the cybersecurity insurance market is too young, and are adopting a “wait and see” mentality toward these products. Beside the monetary risks there are intangible considerations such as reputation (regarding a company’s fiduciary duties, or customers’ trust levels) and comfort (board-level appetite for insurance).

Not all cybersecurity insurance policies are equal. What is covered and what isn’t vary company to company and from policy to policy. Custom “standalone” policies are more popular than umbrella or “form” policies.

Cybersecurity insurance is evolving rapidly, and trending toward more customization. Deciding whether a company should purchase a policy or require third-party vendors to carry it will require the due diligence and input of every segment of your business team, especially the legal department.

When purchasing a cyber insurance policy, consider the risk of underinsuring.
When not, at least require cybersecurity insurance coverage from providers:

  • Tighten up contract clauses
  • Include a cybersecurity insurance clause in the first draft of any and all provider contracts
  • Require professional services contractors with access to PII to carry cybersecurity insurance
  • Always involve legal counsel when evaluating policies.

The Issue: Should You Purchase Cybersecurity Insurance?

In the age of digital transformation, the threat of cyber attack has raised the stakes to unprecedented heights. Successful companies generally take security seriously but, to many, upgrading outdated systems is a risk-based decision.

In 2007, Sony Pictures’ former Executive Director of Information Security Jason Spaltro offered CIO Magazine a hypothetical example of a company using legacy systems to store customer credit card data. To harden their systems against intrusion, they would need to invest $10 million, but they estimate the cost of notifying customers of a breach at a mere $1 million. Based on his scenario, Spaltro concluded, “It’s a valid business decision to accept the risk [of a data breach]…I will not invest $10 million to avoid a possible $1 million loss.”

Then came the 2014 cyber attack on Sony Pictures Entertainment. Hackers stole highly confidential company information, including 47,000 employee and celebrity Social Security numbers. They disabled the studio’s computers and wiped their servers. The attack soon prompted legal actions. Sony Pictures ended up spending an estimated $35 million rebuilding their data systems, and another $22.5 million settling class action settlements with its employees. It isn’t likely the IT Security folks at Sony Pictures could have foreseen the path that lead to the 2014 breach. But they clearly would have been justified in spending the $10 million Spaltro wouldn’t risk back in 2007.

When businesses need to hedge against risks whose magnitude they can’t entirely predict or whose cause they can’t affordably mitigate, they often buy insurance. Hundreds of insurance companies are now offering increasingly sophisticated cybersecurity insurance policies to offset the costs of a breach, begging the question: Do the risks justify the high premiums?

Cyberinsurance, like all insurance products, is complex, and IT and business leaders will need to consider the following:

  • What is covered and how
  • How much to get, and on what
  • How to approach suppliers’ and partners’ coverage
  • How to satisfy their board and auditors that they have the right mix of technology and insurance to protect the company.

What is Cyberinsurance?

Cyberinsurance, cybersecurity insurance, or “Cyber Liability Insurance” is an emerging insurance product category specifically aimed at protecting companies in the event of a cyber incident such as an attack or a catastrophic loss.

Just as with any insurance product, companies offering cybersecurity insurance products will vet applicants to assess the risk of a payout. Companies experiencing losses covered in these policies will receive payouts up to the face amount of the policy. But having a policy is no guarantee of a payout. The insurer may withhold payment if it determines the loss was due to policy holder negligence.

What constitutes “negligence?” It varies from insurer to insurer, and even from policy to policy. Negligence can be ascribed generally, i.e. to the company holding the policy, or specifically to individual leaders or end-users within the organization. Nailing down exactly what constitutes negligence specific to each policy requires due diligence. IT departments should always involve their company’s legal counsel in evaluating policies. Insurance brokers and international insurance consultants can help a company compare policies and interpret contractual language.

Types of Cyberinsurance

All cyberinsurance policies are written as either standalone or package policies. A standalone policy is a custom insurance product that provides excess coverage (very high face amounts) according to its own terms and conditions. Standalone policies are tailored to cover specific risks and costs. Most cyberinsurance policies in force in the U.S. are standalone policies.

“Package policies,” or Commercial Package Policies (CPP) are general “umbrella” liability policies under which separate coverage parts can be purchased. Package policies have lower premiums because the insurer predetermines the risks covered, and the ready-to-sign forms are less labor intensive (hence CPP policies are often called “standard form” or simply “form” policies.) Some property/casualty insurers will offer a company a “data breach rider” to the company’s existing policy.

Generally, network security is the main focus of cybersecurity coverage. However, coverage for privacy liability, media liability, and combined network security/privacy liability are all readily available:

  • Network security policies cover breach or failure of a company’s network, theft of intellectual property, loss of consumer data, destruction of data and equipment, and sometimes cyber extortion.
  • Privacy liability policies cover breaches not involving network security failures, such as the wrongful collection of information, loss or theft of physical records through lost equipment, and wrongful disclosure of data through human error.
  • Network security/privacy policy combines the first two types, covering first-party and third-party liabilities (see below); organizations are trending toward this type of policy.
  • Media liability policies cover advertising injury claims, infringement of intellectual property, copyright/trademark infringement and libel; normally this kind of coverage falls under an umbrella policy, but some insurers now add media liability clauses into standalone policies.

Coverage: What’s In, What’s Out

Any policy is going to contain one or both of two types of coverage: “First-Party” and “Third-Party.” First-party coverage applies only to the policyholder, and covers their expenses in case of a loss (just like valuables protection in homeowners’ policies). Third-party coverage applies to others, and may cover legal defense costs, and damages and liabilities to third-parties (e.g., customers, business partners, and regulatory agencies) resulting from a security event.

Common first-party costs covered include:

  • Forensic investigation of the breach
  • Legal advice to determine your notification and regulatory obligations
  • Notification costs of communicating the breach
  • Offering credit monitoring to customers as a result
  • Public relations expenses
  • Loss of profits and extra expense during the time that your network is down (business interruption)

Common third-party covered costs include:

  • Legal defense
  • Settlements, damages and judgments related to the breach
  • Liability to banks for re-issuing credit cards
  • Cost of responding to regulatory inquiries
  • Regulatory fines and penalties (including payment card industry fines)

What’s Not Covered?

Cyberinsurance policy exclusions vary widely. Many policies exclude major attacks from ransomware or state-sponsored espionage. Some exclude legal fees. Risks typically not covered in current network security and privacy liability policies include:

  • Reputational harm
  • Loss of future revenue (for example, in the case of retailer Target, if sales were down because of customers staying away after data breach)
  • Costs to improve internal technology systems
  • Lost value of an individual’s own intellectual property

Sony’s 2011 breach exposed the personal information of tens of millions of Sony’s customers. Their insurance provider, Zurich of America, denied Sony’s claim for defense costs and indemnification because the commercial general liability (CGL) policy was narrowly focused on first-party liability. The policy specifically covered the first-party risk of Sony’s “oral or written publication in any manner . . . that violates a person’s right of privacy” and Zurich determined that the third-party hackers stealing data did not constitute “oral or written publication” by Sony. Consequently, Sony ate the related costs, estimated at nearly $2 billion.

Who Offers Cyberinsurance?

According to the National Association of Commissioners (NAIC), more than 500 U.S. insurers provided businesses and individuals with cyber insurance in 2015, with annual premiums a reported $1.4 billion. Nearly $1 billion of the total premiums went to standalone policies, the more expensive, customized type. Early-adopting companies have clearly been willing to absorb higher premiums to cover exactly the risks they want covered.

The top-three cybersecurity insurers in 2015 were American International Group (AIG), Chubb, and XL Group. AIG carried about 22 percent of the cyberinsurance market, followed by Chubb at 12 percent, and XL Group (XL Catlin) at 11 percent. Other major insurance providers offering cyber policies include Berkshire Hathaway, Liberty Mutual, Travelers, Nationwide, and Hartford.

Cyberinsurance State of Deployment

In the Nemertes Security and Risk Management Benchmark 2016, all participants said they had heard of cybersecurity insurance, and most (85.7%) said their organization had considered purchasing coverage. (Please see Figure 1.) More than half of the participants (57.1%) said their company had active cyberinsurance policies, and nearly a third (28.6%) required third-party vendors to carry a policy.

We used the Nemertes Security Maturity Model to identify and rate four tiers of security maturity: Unprepared, Reactive, Proactive, and Anticipatory. (Please see Appendix A). The fully mature Anticipatory-level organization uses risk-based budgeting generally, and weighs the costs and benefits of available policies to justify its decision to buy or not to buy.


Top Reasons for Using Cyberinsurance

The most obvious reason to purchase any insurance product is to protect against risk. Businesses have long purchased other, traditional policies such as business interruption insurance to offset other aspects of business risk. “We bought cybersecurity insurance in 2014. The drive came from Legal and Risk Management…just ahead of the breach announcements for retailers in 2014,” says the Director of IT at a very large utility company.

More security organizations are beginning to include some form of cybersecurity insurance as part of a multi-layered risk management strategy. Another benchmark participant says his organization purchased a cybersecurity policy within the last 12 months. “There was a perceived concern there might not be a sufficient level of security, [that the plan] might not mitigate risk quickly,” says the InfoSec manager at a midsized manufacturer.

Some companies with deep pockets believed their own policies served merely to give board members added peace of mind. “I think it’s more a check-the-box exercise than a real value to company,” says the director of Info Systems Security at a very large auto manufacturer.”

Top Reasons for Not Using Cyberinsurance

One reason many participants don’t currently use cybersecurity is that same lack of perceived value. “I think it’s a scam,” says the director of Network and Computer Security at a large university that “self-insures for almost everything.”

Others see the value but find the price too high to justify the purchase. “The cost is rather high. You’d have to have some huge event to make it pay for itself,” says the director of Information Systems Security and Compliance at a large manufacturer. “The economic effectiveness doesn’t make sense,” says the CSO of a very large healthcare company.

Beside these perceived problems, there is the actual problem of insufficient data upon which to base a judgment of value. “The actuarial models are so immature because these products have only been around for 12 years,” says the CSO at very large healthcare company.

Because of the lack of data and precedent, some companies are waiting for the cyberinsurance market to mature. “We’ve repeatedly decided not to buy in at the time,” says the executive director of IT Security at large university. “Partly it’s the university’s exposure overall, part of it is the lack of maturity of the cyberinsurance model.” The director of IT at another large university says, “There really haven’t been a lot of cases setting precedent for companies paying out. Until there’s case law on it, we don’t want to be the guinea pigs.”

The Cost Question: Is Cyberinsurance Affordable?

Costs depend not only on the type and scope of the coverage a company is considering, but on other factors such as the company’s industry, the services it provides, the data risks and exposures it is subject to, and its annual gross revenue.

Compare the reported premiums of two companies of equal revenue and coverage, but operating in different industries (please see Table 1):


The education organization pays lower premiums than the healthcare company. Recent ransomware attacks on hospitals’ sensitive medical records have demonstrated vulnerability, and their willingness to pay the ransoms encourages wider attacks.

For midsize to large companies, $1 million of coverage typically costs between $12,500 and $15,000 annually . Many small companies find the cost of cyberinsurance to be a significant barrier to adoption, particularly in light of the policy exclusions noted earlier.

The Cost of Underinsuring

Once a company decides to purchase cybersecurity insurance, the next issue is how much coverage to purchase. This is where “underinsuring” becomes an additional risk category. Consider the Target Corporation holiday breach of 2013. Prior to the event, the retail giant had what they considered a reasonable cybersecurity insurance policy. However, according to their latest S.E.C. filing, Target has incurred $291 million of cumulative expenses as a result of the breach, offset by “expected insurance recoveries of $90 million.” Target execs underestimated their need for coverage by a margin of more than three-to-one.

Should You Require Providers To Carry CyberInsurance?

Companies that decide they can’t afford or don’t need cybersecurity insurance can still tighten up contract clauses to require it of service providers. “We are working to put more teeth into contracts,” says the director of Info Systems Security at a very large auto manufacturer. “We want cloud providers to have verbiage.”

InfoSec practitioners with the most mature security practices routinely request and receive cybersecurity insurance coverage from service providers such as AT&T and Verizon. Though this is not yet common practice among the majority of companies, nor with respect to cloud service providers such as Amazon and Google, it is an emerging best practice.
Risk Mitigation
When drafting an agreement, consider the two types of risk that need to be covered

  1. General “Hypothetical” Risk
  2. Specified Contractual Risk

Hypothetical Risks

These arise from the inherent nature of the service and how the provider delivers it. It is hypothetically and technically possible for confidential client data to be tapped during transport across a carrier network, for example. Carriers routinely perform deep packet inspection for legitimate reasons (such as preventing distributed denial of service attacks), and at several points across the network. A bad actor within the carrier’s organization could therefore obtain access to any unencrypted data, and possibly to encrypted data (depending where in the network encryption is applied). The provider should carry insurance covering the enterprise client against such risks.

Specified (Contractual) Risk

These are risks specifically referred to in a contract clause and possibly specific to the enterprise’s use of the service. For example, if the service provider is going to manage online payments by the enterprise’s customers, the clause should specifically cover the costs of a breach of that data, including potential legal costs, damages, and regulatory fines.

A Sample Clause

Companies drawing up new carrier contracts are increasingly likely to include a requirement for cybersecurity insurance modeled after typical professional liability/Errors and Omissions (E&O) policies. Such contracts might also include privacy and security insurance to cover legal damages involving the loss or theft of either the company’s or its clients’ information. For example, an enterprise’s legal department might require new contracts to include the following:

Professional Liability/Errors & Omissions with limits of $5,000,000 per claim and aggregate. Such policy shall include but not be limited to coverage for liability arising out of wrongful acts and for contractual liability while providing the professional services under this contract. If Vendor will have or use Personally Identifiable Information or proprietary or confidential information of Agency or Client or if Vendor will have access to or provide services or software for Agency or Client computer systems, websites applications or any other information technology services, such policy shall also include Privacy and Security insurance to cover civil, regulatory and statutory damages including notification expenses as a result of actual or alleged breach, violation or infringement of right to privacy, consumer data protection law, confidentiality or other legal protection for personal information.

An important consideration for those signing an MSA (Master Services Agreement): the cyberinsurance clause needs to be amended to stay in sync with needs as new services are added under the MSA, which will complicate adding services.

The Future of Cyberinsurance

As more companies embrace a security model which includes cybersecurity insurance, increased awareness and market demand will likely encourage more mainstream insurance companies to enter the cybersecurity space.

It will also improve enterprise security. Insurance companies tie their premium rates to the insured’s risk profile, and reward better risk management practices with lower rates. According to a report by the Department of Homeland Security, “A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.”

It should also improve service provider security, and make more kinds of provider willing to write insurance into their service agreements. Some Nemertes benchmark participants already reject providers who are unwilling to assume liability, including such well-known players as Amazon Web Services. Others include the cybersecurity insurance provision as an explicit selection criterion in any and all RFPs, making it clear that while failure to comply does not disqualify a bidder, it weighs against them heavily.

Conclusion and Recommendations

Although a few very large companies choose to “self-insure” against exposure, this approach is out of step with the practices of mature security organizations participating in our research.

When purchasing a cyber insurance policy, consider the risk of underinsuring.

If you decide not to purchase a policy, you can still require cybersecurity insurance coverage from providers:

  • Tighten up contract clauses
  • Include a cybersecurity insurance clause in the first draft of any and all provider contracts
  • Require professional services contractors with access to PII to carry cybersecurity insurance
  • Always involve legal counsel when evaluating policies.

Getting all these factors right for your company requires serious due diligence. But, just as with traditional forms of property and casualty insurance, there is no “buyer’s remorse” when risk becomes reality.

Appendix A: Nemertes Security Maturity Model

As with all Nemertes’ Maturity Models, our Security Maturity Model comprises four tiers of maturity: Unprepared, Reactive, Proactive, and Anticipatory. (Please see Table 2).


Level 0: Unprepared

An unprepared organization is one that lacks the tools, processes, people, and most importantly, the knowledge to respond effectively to challenges (let alone deal with them proactively). We deliberately rate this as a “zero” (rather than using more positive terminology) because an organization performing at this level is quite literally failing its most basic charter.

Level 1: Reactive

A reactive organization is performing better, but not by much. As implied by the name, it can respond and react to business requirements, but it’s effectively in “order-taker” mode: the responsibility for defining requirements rests entirely with the business.

Level 2: Proactive

Most organizations aspire to move beyond reactive to proactive. Proactive organizations are able not only respond to requests, they can guide the business in making those requests. That is, they’re solving the “problem behind the problem”—the real business issue that’s motivating the request.

Level 3: Anticipatory

But proactive isn’t the highest level of maturity. Ideally, an organization will operate in “anticipatory” mode, meaning that it has the tools, processes, and insight to address not just present but future issues. An anticipatory information security organization might, for instance, have in place a full strategy for protecting Internet of Things (IoT) infrastructure—even before the infrastructure is deployed, or the business need for it is determined.

In a nutshell, an unprepared organization can have minimal positive impact on the enterprise it serves (please see Figure 2). In fact, the impact is largely negative (equipment failures, outages, and breaches). A proactive or anticipatory organization, in contrast, can have a strongly positive impact on the enterprise. An anticipatory technology organization is actually a critical foundation for digital transformation.


Maturity Model Elements

To assess a cybersecurity organization’s maturity, we looked at several organizational and operational elements (please see Figure 3).

Bellwether Technologies: Definition

Bellwether technologies are technologies that successful organizations adopt earlier than other organizations. They serve as “markers” for mature organizations, for two main reasons.

First, companies that deploy them early have a strategic advantage over those who wait, because these technologies typically deliver unprecedented capabilities. They may deliver previously impossible capabilities (such as protecting endpoint applications from launching attacks by running them in micro containers) or dramatically reduce manual effort and operational costs by automating previously manual capabilities (such as leveraging machine learning to weed out the 3-5 true security events from hundreds of false positives).

Second, these technologies generally require a high degree of maturity from which to deploy and gain benefits. That is, behavioral threat analytics (one type of bellwether technology) requires the “table stakes” of solid firewalling, logging, and monitoring. That said, not all technologies are right for all organizations or vertical industries. Some companies are too small or homogeneous to benefit from each bellwether technology.

Overall, these bellwether technologies correlate with maturity in the following way: unprepared (level 0) security organizations are considerably less likely to be using, assessing, or even considering them; reactive (level 1) security organizations are more likely to be assessing them or considering deployment in 2018 or beyond; proactive (level 2) security organizations are more likely to be planning deployment in 2017; and anticipatory (level 3) organizations are more likely to have them implemented already.

Cybersecurity Bellwether Technologies

The cybersecurity bellwether technologies we tracked included the following:

  • Cloud security and Cloud Access Security Brokers (CASB): Premise or cloud based software that automatically detects cloud usage by employees, assesses business and technical risk, and enforces policies.
  • Endpoint security: Software that protects endpoints from malware, using a variety of mechanisms (e.g. microsegmentation).
  • Behavioral Threat Analytics (BTA): Software that integrates multiple sources of data (logs, analytics platforms such as Splunk, SIEM) to capture and display anomalous behavior of users, devices, and systems.
  • Application security: Automated application security testing, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), and Runtime Application Security Testing (RAST).
  • Risk management platforms/suites: Automated technology that translates InfoSec vulnerabilities into business risk.
  • Threat, Risk, Compliance (TRC) networks: Also known as threat intelligence networks, these are subscription-based services that provide users with real-time insight into emergence of threats.
  • Managed and professional services: Third-party services reviewing logs, managing security equipment (e.g. firewalls) and conducting assessments and testing (e.g. penetration testing).
  • Automation: Use of tools and technologies (both third-party and homegrown) to automate security processes.

For most technologies, successful security organizations were 100% to 300% more likely to be deploying these technologies today, or by the end of 2016, as compared to security organizations, overall. The one exception was managed and professional services, which were deployed by roughly two-thirds of all organizations, with no significant distinction between successful and less successful organizations.

Appendix B: Methodology

Our objective in this benchmark study was to uncover the best practices of the most effective security teams. We began constructing our hypotheses in November, 2015, and conducted interviews in January, 2016. Our goal in the interview process was to go deep rather than broad, which we accomplished first by limiting the number of verticals and participants, and secondly by asking open-ended questions in order to capture the narrative. We looked at the following:

  • Organizational structure
  • Budgeting
  • Investments
  • Procurement
  • Security team’s interaction with the business line
  • Technical investments
  • Other

We began analyzing the data and quantifying our findings in February 2016. In March, we characterized the results in a security maturity model addressing the question, “What makes the best the best.” The Nemertes Security Maturity Model provides reliable guidance for security organizations seeking to enhance their security stance.

Company Size: Revenue

Our participants fell into three size categories: “Midsize,” “Large,” and “Very Large” (please see Figure 4). We define Very Large companies as those whose annual revenue is upward of $10 billion; Large companies are those with annual revenue between 1 billion and $10 billion, and Midsize companies are those with revenue between $300.1 million and $1 billion. Annual revenue among the participants averaged $17.8 billion, with median annual revenue of $7.2 billion.

More than 85% of the participants we interviewed for this study worked for Large or Very Large companies. There were no small companies (those under 300 million annual revenue) in our study.


Company Size: Employees

The majority of our participants (76.5%) worked at Very Large companies having more than 10,000 employees (please see Figure 5). The next largest segment, 17.6% worked for Midsize companies having 251 to 2500 employees, followed by 10.5% working for Large companies having between 2,501 and 10,000 employees. Just under 6% worked in Small companies having 250 or fewer staff. Average employee count among all participants was 30,682 employees, with a median employee count of 20,000.


Participants: By Industry

Nemertes conducted interviews with executives and senior IT leaders at 17 companies or organizations to compile its 2016-2017 Benchmark (please see Figure 6). Participants included: Financial Services Firms (29.4%), Educational and Healthcare organizations (23.6%), Manufacturing (17.6%), and “Other” including media, high-tech professional services, utilities, and hospitality (29.4%).

 

Participants: By Title

We received feedback from a wide range of decision makers and influencers (please see Figure 7). The largest percentage, 58.8%, came from Chief Information Security Officers, followed by Directors of Security at 29.4%, and Security Managers, 11.8%.

Participants: By IT Culture

Regarding the mix of IT cultures among our participants, we found 47.1% self identified as Aggressive (please see Figure 8). Participants who self-identified as having a Leading/Bleeding Edge IT culture came in at 23.5%. Another 23.5% embraced a Moderate culture, and only 5.9% embraced a Conservative IT culture. The good news is that a higher percentage of participants in the 2016-2017 Security Benchmark identified with Aggressive and Leading/Bleeding Edge IT cultures than in the previous security benchmark, while significantly fewer identified with the Conservative IT Culture.

  • Leading/Bleeding Edge–“We view technology as a competitive advantage and strategic differentiator and deploy it 12-18 months ahead of our competitors to create and sustain our competitiveness. IT is highly strategic.”
  • Aggressive–“We view technology as a competitive advantage and seek to deploy it ahead of most other organizations. IT is strategic.”
  • Moderate–“We are generally conservative, but make exceptions on a case-by-case basis for specific technologies. IT is somewhat strategic.”
  • Conservative–“We deploy technology only when it has been proven to deliver a benefit (usually financial), and generally after it has been widely across other organizations. IT is not strategic.”

 

Download Report Here

Share this post