Premiums paid for cyber insurance could triple to more than $7.5 billion by 2020, according to consultancy PwC. Companies are waking up to the fact that cyber risk equals business risk. Ask FedEx’s European arm, shipping giant Maersk or any of the other major organizations knocked out of operation by the NotPetya virus in 2017.
Since typical business insurance policies exclude cyber events, companies are increasingly buying cyber insurance lines of coverage.
The standard enterprise risk management approach to insurance applies the “Four T’s” – treat, transfer, tolerate or terminate. The Four T’s assume that an organization can estimate the likelihood and cost of losses associated with a negative event. They also help color a fact-based discussion on whether to buy or not to buy insurance.
In the context of cybersecurity, those risk conversations usually hit a wall when they reach the information security department. Typical infoSec managers don’t have the tools, the models or the data to answer these questions:
- “How much cyber risk do we have?”
- “What are the top risks we have?”
- “What would our return on investment be for mitigating any of our risks?”
- “How much cyber insurance do we need?”
Instead, cyber security officers have become specialists in changing the topic. “Cyber risk isn’t like other enterprise risks. It is so complex and changes so fast that it is simply not measurable. The best we can do is to spend on cybersecurity controls and assume that reduces risk proportionately,” is a common refrain.
That’s usually followed by benchmarking against what peer companies are spending on cybersecurity or against compliance with a checklist of best control practices such as the NIST Cybersecurity Framework or simply guessing by arranging risks on a color-coded heat map.
None of this is helpful when it comes to purchasing cyber insurance. It also puts a spotlight on the inadequacies around the processes of cyber risk management.
Corporate leaders and practitioners in security and risk have decided that the status quo is no longer acceptable. They’re finding their way to the emerging field of cyber risk quantification. One organization I’m involved with is the FAIR Institute (Factor Analysis of Information Risk). FAIR is a method used to identify the value-at-risk in any cyber asset to arrive at a measure of probable risk in dollar terms.
As a rule of thumb, you buy cyber insurance for low likelihood but high impact events and spend on controls for higher likelihood events with a manageable cost.
The key point here is that cyber insurance has a place as an option in managing cyber risk.
It’s not a replacement for risk management, and certainly not an excuse for avoiding the disciplined research effort of risk quantification or any of the key tactics for maintaining tight security, such as up-to-date patching.
Anyway, insurance companies require as a condition of coverage that companies maintain at least the same level of security as existed at the time when the policy was issued. Some industries are legally required to patch, such as healthcare companies governed by HIPAA, and the clear trend for regulated industries is toward proactive disclosure of cyber risks (see the recent cybersecurity guidance for public companies by the Securities and Exchange Commission).
Cyber insurance coverage also has its limitations. Most policies are geared to mitigation for data breaches, a type of cyber event with well documented direct costs but would likely be inadequate to cover reputational losses from a data breach that seriously impacted on market share or stock value.
As yet, there’s no standard cybersecurity insurance policy. Every insurance company deals with cyber differently. That puts the burden on the insurance buyers to understand the particular threats and estimate the potential losses for their organizations – and to start having those quantified conversations on cyber risk.
(Nick is the CEO of RiskLens. Nick is also President of the nonprofit expert organization, the FAIR Institute, which focuses on helping organizations manage information and operational risk from the business perspective.)