In response to the rash of high-profile data breaches in the past several years, companies are increasingly looking to procure cyber liability insurance to help offset some of the potential risk. Interestingly, because most cyber liability policies require the insured to comply with a fairly strict cybersecurity regimen in order to retain coverage, simply signing up for such coverage and maintaining eligibility can go a long way toward protecting a business from a potential breach.
However, as with any new(ish) product, a number of caveats apply. Recently, SecurityCurrent.com asked 10 chief information security officers for their thoughts on cyber liability insurance and what the future may hold. Here are their insights:
Roota Almeida
Delta Dental of New Jersey Head of Information Security
Due to recent high-profile breaches wreaking havoc on many enterprises, cyber insurance will be gaining velocity and popularity. The Board and the C-Suite will have an appetite for reducing risk, in part, by off-loading it to insurance providers. Government agencies and insurance companies are already at work establishing guidelines to support the growth of the cyber insurance market.
Meg Anderson
Principal Financial Group VP and CISO
All parties should be sure there are clear guideposts for handling changes related to technology infrastructure—on premises, in the cloud or provided in other ways outside of your organization.
We all buy insurance for things we hope will never occur. In the case of a breach, the worst-case scenario would be to find out your insurance was voided due to a contractual issue related to a control change, or to not following the proper process to file the claim. If you buy insurance, be sure all stakeholders have a clear understanding of internal impacts.
Paul Calatayud
Surescripts CISO
[W]here is the market going in 2016 and beyond? I feel that it is evolving and maturing. One could say it has had a challenging start, with many unknowns, confusion and lack of expertise on both sides of transactions.
But I anticipate that will change drastically in 2016 as underwriters gain experience, security organizations work to retain cyber talent and improve the cyber insurance review process, and customers start to ask and require insurance policies from their suppliers and partners. The market is beginning to stabilize, as policies within post-breach organizations get exercised and tested.
Jonathan Chow
Live Nation Entertainment CISO
I think it’s necessary and smart for every company to have a policy with a reputable carrier; but the challenge the industry faces is that the actuarial model that insurance companies rely on is not capable of predicting who or what is at risk. Big company? Small company? Health care? Retail? Government? Yes, yes and yes. And—no, no and no.
As a result, it mostly turns into a big guessing game for both the carriers and the companies who wish to purchase policies. With the hard costs of cyber intrusions on the rise, shopping around for the right deal with the right partner is absolutely necessary for any company looking to buy a policy.
Darren Death
ASRC Federal CISO
Traditional insurance policies are beginning to specifically exclude cyber breaches. If an organization is not paying close attention to these changes, it could find itself without adequate coverage in the event of a breach.
It is important to note that cyber insurance does not remove an organization’s responsibility to adequately protect the data and IT systems within the organization commensurate with their value. If a breach occurs and an organization has not done its due diligence, it may find itself without any protection.
Michael Dent
Fairfax County CISO
Cyber insurance, if procured correctly, can truly help offset [the monetary costs of a breach]. What cyber insurance cannot do is repair the reputation of an entity once it is publicly announced a breach or successful hack occurred and records were exposed.
Kim Green
Zephyr Health CISO
The cyber insurance market is hot and here to stay, so be wary of anyone who says cyber insurance offerings are too expensive for insurance companies to maintain. However, I do foresee the insurance companies evolving to the point they specify or require types of security and risk frameworks a company must have in place in order for the company to become insured.
Requiring adherence to a framework, in my mind, is a sound business principle for the insurer, but I do not think it is appropriate for insurers to specify which frameworks are required—a decision best made by the insured.
Michael Molinaro
BioReference Labs CISO
It is imperative that insurers and insurance buyers understand which risks are explicitly covered, which may not be covered and which may be specifically excluded.
Many insurance buyers may believe that existing insurance policies will work for cyber risks, but there are generally gaps in that coverage. The policy must include cyber-specific language as an effective way of covering gaps that conventional policies do not cover. It is important for CISOs to understand their organization’s existing policy and be an active influencer in the buying process.
Farhaad Nero
Bank of Tokyo-Mitsubishi UFJ Ltd. Vice President of Enterprise Security
We all need cyber insurance. As they say, it’s not if, but when, you will be breached. Will your policy provide the kind of coverage you need when this happens? That is the real question.
Cyber insurance just can’t keep up with the threat landscape—at least at the present time—with how complex the policies are.
We need to understand, collectively, how breaches happen and why. Do we need to share information on data breaches? There is a call in the industry for this to happen. Should the government step in?
Don’t you want to know what you are getting for what you are paying for? Cyber insurance needs to grow up—and soon!
Larry Wilson
University of Massachusetts CISO
Cyber insurance is evolving to cover damages to corporations who have been breached, such as liabilities. However, in order to receive this type of insurance coverage, corporations will be required to implement and maintain a strong cybersecurity program that complies with requirements established by the insurance companies.
By implementing a strong set of security controls, the risk of a security incident will be minimized, reducing the likelihood of a data breach. So, in order to get insurance, companies will need to prove that they comply with requirements established by the insurance companies.