Data breaches have become a daily occurrence. However, their cost to organizations goes far beyond reputational damage in the media. Boards and businesses are subject to regulatory mandates that carry fines and capital holds, and increasingly face litigation from class-action suits. Cyber security insurance has emerged as a stop-gap to protect stakeholders from the shortcomings of siloed risk management processes. However, insurance policies are not a replacement for improving a company’s cyber security posture. So what do you need to know when it comes to the effectiveness of cyber security insurance?
Not surprisingly, the U.S. cyber security insurance market is growing approximately 30 percent per year. Some surveys even suggest that 30 percent of large enterprises in the U.S. have some type of cyber security insurance coverage. These numbers include both first-party and third-party cyber security insurance policies. First-party policies typically cover losses incurred from business interruption, destruction of data and property, and reputational harm. Third-party policies, in contrast, cover losses incurred by a company’s customers and others, such as damages resulting from the exposure of personally identifiable information (PII) through a data breach.
Despite these impressive growth numbers, the cyber security insurance market is still nascent. Particularly when it comes to coverage for cyber-related critical infrastructure loss, an area where carriers provide limited offerings. This was the conclusion of the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD), which conducted multiple workshops and roundtables focused on improving cyber security insurance. The NPPD identified three areas that contribute to lack of progress:
1. Insurers don’t have enough actuarial data to adjust premiums based on what security controls and security tools are most effective.
2. In absence of more cyber risk actuarial data, insurers struggle to conduct proper incident consequence analysis in order to better determine coverage scope and pricing.
3. Lack of broader adoption of Enterprise Risk Management practices in end user organizations, which should also include cyber risk assessments, to translate IT-based losses into terms of potential harm to investment, market cap, and reputation.
The third point reflects the cultural divide between CISOs on the one hand and business stakeholders (e.g., CFO, legal counsel, and risk managers) on the other. Research has shown that organizations which have bridged the gap and applied a holistic view of risk across business, IT, and security, typically are more effective at mitigating threats than those that haven’t.
For less mature organizations, cyber security insurance has become a “stop-gap” measure or substitute for improving their cyber security posture. However, some insurers are citing litigation and poor operations as reasons not to payout on losses. A recent federal appeals court ruling involving retailer Neiman Marcus that will allow consumer data breach victims to file class action suits is likely to force insurers to further tighten their compensation policies for claims by companies. Furthermore, the industry is debating whether state-sponsored cyber-attacks, to the extent they can be identified as such, should be covered by cyber security insurance policies.
Ultimately, an organization’s primary concern should be to protect the data that they store – be it their own intellectual property, or their customers’ and employees’ data. While cyber insurance policies can protect against some of the financial losses associated with a breach, they do not protect the data itself. In many ways, cyber security insurance should be viewed much like health insurance. Individuals do not abandon their healthy habits once they are insured. In the same way, organizations should continue to improve their security posture even if they choose to invest in cyber security insurance.