Smoke and Mirrors: Cyber Security Insurance

Data breaches have become a daily occurrence. However, their cost to organizations goes far beyond reputational damage in the media. Boards and businesses are subject to regulatory mandates that carry fines and capital holds, and increasingly face litigation from class-action suits. Cyber security insurance has emerged as a stop-gap to protect stakeholders from the shortcomings of siloed risk management processes. However, insurance policies are not a replacement for improving a company’s cyber security posture. So what do you need to know when it comes to the effectiveness of cyber security insurance?

More and more companies are buying cyber security insurance to protect themselves from the financial disaster caused by data breaches like the one Target suffered.

Not surprisingly, the U.S. cyber security insurance market is growing approximately 30 percent per year. Some surveys even suggest that 30 percent of large enterprises in the U.S. have some type of cyber security insurance coverage. These numbers include both first-party and third-party cyber security insurance policies. First-party policies typically cover losses incurred from business interruption, destruction of data and property, and reputational harm. Third-party policies, in contrast, cover losses incurred by a company’s customers and others, such as damages resulting from the exposure of personally identifiable information (PII) through a data breach.

Despite these impressive growth numbers, the cyber security insurance market is still nascent, particularly when it comes to coverage for cyber-related critical infrastructure loss, an area where carriers provide limited offerings. This was the conclusion of the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD), which conducted multiple workshops and roundtables focused on improving cyber security insurance. The NPPD identified three areas that contribute to the lack of progress:

1. Insurers don’t have enough actuarial data to adjust premiums based on what security controls and security tools are most effective.

2. In the absence of more cyber risk actuarial data, insurers struggle to conduct proper incident consequence analysis in order to better determine coverage scope and pricing.

3. A lack of broader adoption of Enterprise Risk Management practices in end-user organizations. Such practices should also include cyber risk assessments that translate IT-based losses into potential harm to investment, market cap, and reputation.

The third point reflects the cultural divide between CISOs on the one hand and business stakeholders (e.g., the CFO, legal counsel, and risk managers) on the other. Research has shown that organizations which have bridged this gap and applied a holistic view of risk across business, IT, and security are typically more effective at mitigating threats than those that haven’t.

For less mature organizations, cyber security insurance has become a “stop-gap” measure or substitute for improving their cyber security posture. However, some insurers are citing litigation and poor operations as reasons not to pay out on losses. A recent federal appeals court ruling involving retailer Neiman Marcus, which will allow consumer data breach victims to file class action suits, is likely to force insurers to further tighten their compensation policies for claims by companies. Furthermore, the industry is debating whether state-sponsored cyber-attacks, to the extent they can be identified as such, should be covered by cyber security insurance policies.

Ultimately, an organization’s primary concern should be to protect the data it stores – be it its own intellectual property or its customers’ and employees’ data. While cyber insurance policies can protect against some of the financial losses associated with a breach, they do not protect the data itself. In many ways, cyber security insurance should be viewed much like health insurance: individuals do not abandon their healthy habits once they are insured. In the same way, organizations should continue to improve their security posture even if they choose to invest in cyber security insurance.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
