While the need for cyber insurance isn’t lost on businesses, small or large, the open question is whether insurance policies are in sync with the threat landscape and whether companies know exactly what they’re insuring.
Cyber insurance adoption requires the active participation of CISOs and should be focussed on preventing cyber incidents rather than funding burials.
Earlier this year, speaking at the Cyber Symposium, Inga Beale, CEO of Lloyd’s, dealt with the issue of cyber insurance perfectly when she said that there is a major gulf between the real cyber threat that businesses face today and their overall preparedness.
‘It’s [cyber breaches] one of the most high-profile risks businesses are facing at the moment and yet CEOs seem to be in denial about its impacts and their ability to deal with it. Businesses are either not looking for solutions, or if they are, they don’t know where to find them or understand the value of them. Insurers need to explain the benefits cyber insurance can bring,’ she said.
According to a UK Cyber Security report by Marsh and the UK government, ‘the cost of cyber insurance relative to the limit purchased is typically three times the cost of cover for more established general liability risks, reflecting the possible exposure that insurers are taking on with cyber.’
Considering that cyber insurance costs a lot more than other kinds of insurance, accident insurance for example, those buying such policies would surely expect better coverage: risks pinpointed, advice on the steps to take to keep damage to a minimum, and reimbursement in proportion to the actual loss incurred.
However, that may not be the case. A number of experts believe that cyber insurers aren’t well versed in the threat scenarios their clients face and aren’t able to price their policies according to their clients’ needs.
‘What’s challenging operationally for the entire ecosystem is that the primary buyer of business insurance is the CFO and the risk department that doesn’t know enough about cybersecurity. And it’s being sold to them by an insurance broker who certainly doesn’t know cyber insurance,’ Jeremiah Grossman, chief of security strategy at endpoint security software developer SentinelOne, told SearchSecurity.
‘Every policy that you’ll read – and I’ve read probably a hundred of them now — is different. There are no standards. It’s a Wild West out there. In many cases, it looks like they took a property or fire insurance policy and substituted fire with computer, and it doesn’t really map that way,’ he added.
Grossman also bemoaned the fact that the role of CISOs in cyber insurance adoption is minimal at best.
‘When it’s a large policy – let’s say it’s over $100 million – there will be a survey that gets funneled down to the CISO that says: “Tell me about your IT environment,” which will not move the premium one way or the other. And that’s the last time a CISO ever touches a cyber insurance policy, predominantly,’ he added.
According to a leading cyber security consultant who spoke to Computing Research, today’s firms are more focussed on ‘recovering from a ransomware attack rather than preventing it’.
‘When it comes to insurance you’ve been able to insure against that for a long time, and so insurance against modern ransomware is also quite possible. But I think we’re still not quite there in terms of knowing what it is that we’re insuring, because I think lots of people think about cyber insurance as insuring a thing rather than a disaster,’ he said.
The consultant added that cyber insurers are essentially offering to reimburse businesses for data loss that is already covered by existing insurers. Cyber insurance must be focussed on preventing a breach in the first place rather than on helping a business that has already been utterly destroyed by a cyber attack.
‘So I think we’re still not quite there in terms of really understanding what it is we want. And equally the market hasn’t quite worked out what to give us in terms of insurance either,’ he added.
Would you spend three times as much on a cyber insurance policy for your organisation without knowing exactly what to cover, whether the cover is sufficient, or whether your insurance broker knows how your organisation operates and where its risk zones are?
In such a scenario, taking a few educated steps would go a long way in helping business leaders choose the right cyber insurance policy for their organisations:
1. Allow the CISO, who can map out the organisation’s digital infrastructure, to identify the high-risk areas and to choose a cyber insurance policy that is sufficient to cover the organisation’s losses following a cyber incident.
2. Review your insurer’s track record of reimbursing or helping other organisations in the same line of business that have suffered cyber incidents in the past.
3. Check your insurer’s understanding of your specific needs, and compare the insurance products offered by different brokers to avoid overpaying for policies.