Recently, management consulting firm Deloitte identified that cybersecurity insurance, while currently only a small fraction of the overall market of insurance underwriting, is poised to dramatically increase over the next few years, potentially even tripling by 2020. This is backed up by insurance giant Allianz, which has predicted that cybersecurity insurance will increase from its current $1.5-$3 billion in annual premiums to over $20 billion just a few years after that, in 2025.
For many organizations, the thought of cybersecurity insurance can seem like a panacea. Regulatory audits and their potential resulting fines and sanctions, ransomware and other data-as-a-hostage schemes and the hard and soft costs of addressing a data breach are all substantial impacts to an organization, not to mention the potential reputational damage. Cybersecurity insurance is often viewed as a hedge against these risks, but the fact is that many organizations don’t fully understand the purpose of cybersecurity insurance or its potential ramifications.
The fact is, cybersecurity insurance is a relatively new discipline in the world of insurance, an industry that has been refined into tight actuarial tables over many decades. For this reason, insurers and consumers of cybersecurity insurance are often engaged in a delicate dance that pits insurers’ concerns over potential catastrophic loss and new cyber threats that seem to accumulate every single day against consumers’ concerns over premium payments versus coverage levels and the associated cost justification of these policies.
Regardless of whether your organization is considering cybersecurity insurance – or whether it has already acquired it – there are some critical aspects of this burgeoning market that consumers need to understand in order to effectively gauge the value of their policies:
- Understand What Cybersecurity Insurance is For. Cybersecurity insurance is a risk management strategy, and nothing more. It transfers fiscal risk of bad things happening to your environment to a third-party insurer. What cybersecurity insurance doesn’t do is provide an opportunity for the buyer to completely abdicate risk management; underwriters generally require organizations that purchase policies to have robust information security programs, often aligning with industry best practice frameworks such as ISO 27001/27002 or NIST guidance. What that means for organizations is that the cost of acquiring and maintaining cybersecurity insurance may go beyond the price of just the premiums.
- Know What Type of Policy You Need. Cybersecurity insurance policies can cover either the organization itself (known as “first party insurance”) or service providers such as business partners that hold or process your data, or cloud service providers (known as “third party insurance”). Each covers a different class of loss, and it’s important to know which of these your policy will cover. Examples of first party incidents that can be covered by a policy include damaged or lost assets (either physical systems or data), extortion (think ransomware), fraud and lost business opportunities due to lack of availability of systems. Examples of third party incidents include customer notification in the event of a data breach, intellectual property violations and breaches of confidentiality agreements.
- Know What Is, and Is Not, Covered In Your Policy. Knowing not just what type of insurance to purchase, but also what is covered under the policy, is critical to reducing risk. For most organizations, the premiums associated with a blanket policy for all assets of the organization and all potential risks would be incredibly expensive. Focusing on the core assets – intellectual property, customer data, transactional systems, etc. – is a much more effective way of balancing the hard costs of insurance premiums against the most significant potential loss in the event of an incident. It’s also important to understand that most cybersecurity insurance doesn’t cover reputational damage well, nor are state-sponsored cyber attacks covered under many policies.
While cybersecurity insurance isn’t a tool for completely abdicating risk, it can provide organizations with an effective solution to co-managing that risk with an insurer.