violetkaipa - Fotolia

Cybersecurity insurance policies gain popularity as threats persist

Companies are increasingly turning to liability coverage to protect data assets, but questions remain for the nascent cybersecurity insurance industry.

John Sapp tackled the usual cybersecurity tasks when he started as chief information security officer at Orthofix, a multinational medical devices firm, in mid-2015.

But atypical of the cybersecurity strategy processes, Sapp's attention quickly turned to the company's insurance coverage. More specifically, he looked at the company's cybersecurity insurance policies and helped with the renewal process.

"It's part of our strategic approach to managing strategy," Sapp said.

Typically the purview of risk officers, insurance is getting more attention from CISOs like Sapp, as well as other executives and board members. The increased focus on cyber insurance coverage comes as the number and costs of cybersecurity incidents continue to rise nearly unabated.

Figures confirm the trend: According to a release from New York City-based global insurance broker Marsh LLC, increased cyber risk awareness drove a 27% increase in cyber insurance purchases by its U.S.-based clients in 2015.

Julian Waits Sr., president and CEO, PivotPoint Risk AnalyticsJulian Waits Sr., president and CEO,
PivotPoint Risk Analytics

Meanwhile, the cost of cyber incidents is climbing too. The "2015 Cost of Data Breach Study: Global Analysis" from the Ponemon Institute and IBM put the average cost of a breach across various U.S. industry sectors at $217 per exposed personally identifiable record -- up from $201 the prior year. Among the costs are bills for investigation, remediation, customer notification, credit monitoring and legal fees.

"In the past [traditional insurance coverage] may have picked up cyber-type incidents under the coverage which was never contemplating cyber exposures in the first place. Now insurers are excluding cyber out of those general policies, partly because of the emergence of cyber insurance," said David Bradford, co-founder and chief strategy officer at Advisen Ltd., which provides insight into underwriting, marketing, and purchasing commercial insurance.

Cyber coverage ambiguity persists

Like individual companies' cybersecurity strategies, however, cyber insurance coverage is not straightforward.

Cyber insurance is a nice catchall that's general and broad, but it's not just one thing. It's not a one-size-fits-all commodity.
Walter Andrewshead of the insurance litigation and recovery practice, Hunton & Williams LLP

"Cyber insurance is a nice catchall that's general and broad, but it's not just one thing. It's not a one-size-fits-all commodity," said Walter Andrews, head of the insurance litigation and recovery practice at Hunton & Williams LLP.

Cyber insurance coverage typically picks up where conventional policies leave off, according to insurance experts. Cybersecurity insurance policies generally cover data breaches, ransomware attacks and expenses related to the fallout from such Internet-enabled incidents.

Like all insurance products, the scope of coverage varies so organizations need to be thoughtful and thorough in their needs assessment.

"These are complex policies, and there's a breadth of coverage. Even people who are in the business but not doing cyber on a day-to-day basis are surprised at the nuances of coverage," Bradford said. "It's not like auto coverage or homeowner coverage that has a lot of similarities and standards. There's not a common language and there's not a lot of commonality."

Bradford said the vast majority of cyber policies cover costs related to data breach and privacy violations, such as paying for forensics teams and notifying individuals affected by the breach. Many also pick up liability costs when there are lawsuits stemming from the incident.

Some policies also cover losses due to business interruption, Bradford added, and still others cover ransomware and the costs related to those types of attacks.

Although experts say the cyber insurance market defines a broad scope of incidents that they cover, Bradford and others said gray areas still exist. This problem will only get worse as systems become more complex and the Internet of Things (IoT) extends computers' reach into the physical world.

Moreover, there are some damages that cyber policies ignore, insurance experts say. Policies generally won't cover the value of lost intellectual property if a hacker gets in and steals your company's IP. They also don't typically cover cash lost when a phishing scheme successfully dupes an employee into transferring funds into fraudulent accounts.

Cybersecurity insurance market expands

Still, cybersecurity insurance policies are covering more losses. According to the report "Quantifying Risk: Closing the Chasm Between Cybersecurity and Cyber Insurance" from the SANS Institute in conjunction with Advisen, there's more than $2 billion in cyber coverage worldwide today. The report also cites a Moody's prediction that the market will triple by 2020.

Julian Waits Sr., president and CEO at PivotPoint Risk Analytics, said that growth isn't surprising given that cyber breaches are inevitable.

"The question isn't can you keep the bad guys out," he said, "it's can you detect them before they do much damage?"

He added that organizations have to consider the places where they "have to double down on their investments in cybersecurity with cyber insurance."

On the other hand, Waits suspects many companies ignore that advice and think that they can weather the costs of an incident or that they're too small to be attacked. But cybersecurity leaders say while large companies may be able to withstand the hit to their bottom line, others would struggle as costs for cyber incidents easily can run in the tens of millions of dollars (if not more).

Companies should be prepared and investigate insurance needs and cybersecurity regulatory requirements before a breach occurs, Andrews said. The advanced preparation will help determine what departments will handle breach fallout for the company, from meeting numerous breach notification laws to alleviating a potential PR crisis.

Doing so will also help a company react quickly after a breach occurs.

"You won't have time after the breach to satisfy all the federal and state and maybe even foreign requirements," Andrews said. "You need to not just have the insurance in place but all these other pieces. It all goes together."

Sapp, the CISO at Orthofix, said security executives often have to provide insurers with details about their organizations' cybersecurity initiatives as part of the underwriting process. Security leaders should be working with other executives to help company leadership understand the risks and costs of cyber-related incidents, he added.

"We always talk about defense in depth, and cyber insurance is part of that defense," Sapp adds. "I think everyone needs to include cyber coverage as part of their approach to building a robust cybersecurity program."

Next Steps

Learn why the rising popularity of cybersecurity insurance policies could drive better data protection practices, and why some experts warn against relying on such policies to keep data secure. Then, read an introduction to cyber liability insurance.  

Dig Deeper on Risk management and compliance