Risk

3/26/2014
04:00 PM
Sara Peters
Commentary

Don't Put Too Much Faith in Cyberinsurance

Cyberinsurance is great for covering discrete costs like breach notifications and legal fees, but don't rely heavily on it for much else.

When contemplating threats to your organization (perhaps counting them instead of sheep while you shiver in a cold sweat on another sleepless night), you might be comforted by the thought of transferring risk to someone else -- like, for instance, a cyberinsurance provider. The trouble is that not all risks can be transferred, no matter how much you pay for a policy.

The insurance company may absorb the immediate costs associated with a data breach -- sending out notifications and the like -- but no matter how much you pay for your policy, it cannot completely absorb the damage to your company's reputation. Just because you're insured doesn't mean you won't go out of business.

The other trouble, of course, is that cyberinsurance doesn't cover all security incidents. Big data breaches get the most attention, but what about the denials of service that bring your online store down for 48 critical hours during the holiday season? What about the insider who secretly obtains broader access credentials and uses that access to embezzle money or commit corporate espionage? What about the attacks that compromise the control systems for critical physical infrastructure? Some insurers will cover those incidents, but the policies are rife with exceptions and restrictions.

According to a recent Ponemon Institute survey of security and risk professionals, most policies will pony up cash for breach notifications, legal fees, and forensic investigations. About half will pay for regulatory fines and equipment replacements. However, only 34% cover revenue loss. Only 8% cover brand damages, and only 11% cover employee productivity losses.

As for the types of incidents the insurers will cover, you're probably protected against human errors and bad guys on the outside. However, only about half the survey respondents' policies cover attacks by malicious insiders. Only 11% cover attacks against "business partners, vendors or other third parties that have access to their company's information assets." (Sorry, Target.)

Despite the limitations, companies are still buying cyberinsurance. According to the Ponemon report, 31% of security and risk pros said their company has a cybersecurity insurance policy. Another 39% said they are planning to purchase insurance, and 41% said that, from a business perspective, cybersecurity risks are greater than other insurable business risks such as natural disasters, business interruption, and fires.

The most common reasons respondents gave for not purchasing insurance were that it was too expensive or didn't cover enough. However, 26% said their risk profile was too high, so insurers wouldn't sell them policies.

How do you alter your organization's risk profile to make it more palatable to insurers? Anyone who's ever had to improve a FICO credit score quickly to convince lenders that the borrower is not a high-risk scoundrel knows that it requires some fiscal acrobatics, a bit of sorcery, and a lot of incessant, obsessive monitoring. The cyberinsurance industry now has its own version of a FICO score to delight underwriters and frighten hopeful policy holders.

The startup BitSight Technologies recently launched an information security risk rating system. This system "provides objective and up-to-date ratings on the information security health of a company's partner ecosystem so it can better protect sensitive business and customer data shared with third-party vendors," BitSight said in a press release. "The information security ratings, which range from 250 to 900, are similar to consumer credit scores, with higher ratings indicating better security postures."

Liberty Insurance Underwriters (LIU) just partnered with BitSight to provide the BitSight Security Rating Service to holders of LIU Data Insure policies. Liberty said in a release that the service will generate and deliver "timely, data-driven analysis of a company's security performance" on a daily basis. Policy holders won't need to provide any information or undergo any testing.

Though there are signs that the cyberinsurance industry is maturing, there remains a healthy amount of skepticism about its effectiveness. Thirty percent of the respondents to the Ponemon survey said they have no interest in purchasing a policy now. During an event at Fordham University this month, White House director for cybersecurity critical infrastructure protection Samara Moore said flat out that cyberinsurance is "not very well developed" and "not a very viable option."

What do you think? Has your organization bought a cyberinsurance policy? Do you think it's worth the money? Were you involved in the decision to purchase the insurance? Have you ever had to file a claim? How did that go? Do you think the cyberinsurance industry would ever consider offsetting risks through catastrophe bonds? Let us know in the comments below.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments

kjhiggins, User Rank: Strategist
3/26/2014 | 9:17:16 PM
cyber insurers
Really interesting insight, Sara. Who are the main players in cyber insurance today?