With all the talk about cyber threats and newer, more sophisticated attacks making headlines every single day, cyber security is a concern that all companies should be taking very seriously. In response to the dire need, cyber insurance became widely available in 2016. Many companies realized that no matter how robust their cyber security strategy might be, they could still be vulnerable to attacks.
It is now widely accepted that cyber security insurance should be included in a business’s risk management and mitigation strategy. In fact, current cyber security policy premiums are hovering around the $2.75B mark and are expected to balloon to $20B by 2025. It is estimated that one in three companies are currently covered by a cyber security insurance policy of some kind.
Seeing the opportunity in cyber security breaches
The insurance industry is certainly benefitting from the trend. Deductibles are high, policies are capped and there are plenty of exclusions that these policies simply don’t cover. But is it all just a by-product of fearmongering media reports of bigger, smarter and ever more devastating breaches?
This year’s massive Equifax breach affected 143 million people in three countries when hackers were able to access the Equifax system and its user data through a compromised web app. In 2016, the Target breach that affected 88 million people is estimated to have cost $450M. Target carried $100 million in cyber security insurance, but all things considered, that seems like a drop in the bucket. Time Magazine reports that the Equifax breach is projected to top $4 billion, though some analysts estimate that after their insurance, they will still be on the hook for somewhere between $200M and $400M.
Transparency an issue in policy development
One of the barriers to being able to provide adequate coverage is the inability on the part of the insurers to extract sufficient, accurate details with regard to the breach. On the insured side, there appears to be a hesitation to divulge too much about the extent of their breach in order to avoid bad press and a diminished public opinion of the company itself.
Without empirical data to gauge risk and damage, insurance companies are left to imagine what might happen and how much it might cost to repair. This presents a clear barrier to developing and pricing policies appropriately. Companies interested in purchasing the insurance will also have to hedge their bets, weighing the possibility—or probability—of a breach and trying to visualize how that will impact all areas of their operations.
Sleeping with the enemy?
The current cyber security insurance climate represents a guessing game at best, resulting in higher premiums and inadequate payouts.
In order to provide effective coverage, insurance companies need not only a good understanding of how companies are being attacked, but also knowledge of how some companies are successfully thwarting attacks. A working knowledge of the threat climate would seem essential, but as this is an ever-evolving topic, it seems impossible that insurance companies would be able to stay abreast of new threats unless they were in bed with the criminals themselves.
Emerging trends: cyber security insurance paired with cyber security software
There is an increasing trend toward cyber security software solutions offering a set amount of cyber security insurance packaged with their security solutions. SentinelOne offers up to $1M per company or $1K per endpoint. If the software is unable to remedy the situation, the company gets a payout.
In light of the Equifax and Target breaches, this may not seem like a lot, but keep in mind that most ransomware attacks are looking for a much lower payout. Even the Hollywood Presbyterian Hospital ransomware attack of 2016 only required them to pay out $17K, though the total cost of the breach may have been significantly more.
Another trend we will likely see sooner rather than later is insurance companies hiring cyber security professionals to advise and consult on the risk and cost aspects of providing such insurance and to have access to post-breach expertise for forensics and incident response, among other things.
In the wake of this transformation, we will likely see new regulations introduced in an effort to enforce internal risk assessment for insured parties. The current regulation falls under the terrorism risk insurance program.
Cyber security insurance, however, is poised to become as essential as business liability, flood insurance, or at least as important as malpractice insurance is to a doctor or lawyer. The potential for class action on the part of the individuals and businesses whose information has been breached is high, to say the least, as evidenced by several such cases before the courts in the United States.
Hedging your bets
Many companies may be taking a moment to consider whether the cost of purchasing a cyber security insurance policy is a worthwhile expense, but in light of the potential for a costly breach, it should be only one layer in their cyber security defense.
As all cyber security risk mitigation requires a solid plan for threat detection, threat prevention and disaster recovery, adding an insurance policy into the mix is a sound investment. Being proactive rather than reactive wins the day every time.
If you do business in Arkansas and have any questions or comments about cyber security insurance and how it can help your company, reach out to Business World today or call us at 501-214-5482 to schedule a free consultation.