Operations
2/12/2016

Quick Guide To Cyber Insurance Shopping

Experts offer their opinions on important due diligence tasks when procuring cyber insurance.

With analysts projecting the cyber insurance market to heat up in the coming year, it's clear there are a lot of organizations on the hunt for a good policy. With cyber insurance still very much in its earliest stages, there's very little consistency in policy coverage and language. This means that due diligence is crucial, lest organizations find themselves financially holding the bag after a breach in spite of paying premiums for coverage they thought would help.

Here are some of the most important things to look out for as you start the process of vetting policies:


Know the difference between liability and risk policies.

As you start evaluating policies, understand that there are generally two kinds of cyber insurance policies, says Steve Durbin, managing director of the Information Security Forum. There's cyber liability insurance and there's cyber risk insurance.

"Cyber liability insurance provides coverage for liabilities that an organization causes to its customers or to others--insurers call this third-party risk," Durbin says. "Cyber risk insurance is used to cover direct losses to the organization, often known as first-party risk."

Durbin says that cyber risk insurance is less prevalent because these types of policies are more difficult to underwrite due to a lack of actuarial history. They're also less likely to be sought out because of mistaken beliefs, he says.

"Many organizations assume, perhaps incorrectly, that their corporate insurance or general liability policies will cover cyber risk," he says.

Carefully consider the cyber insurance policy in the context of other policies.

This misapprehension is why it helps to start first with existing insurance policies and look for gaps with regard to cyber risks.

"An enterprise first needs to understand how cyber insurance fits into its broader portfolio of insurance policies, such as errors and omissions, general liability, and directors and officers," says Andrew Braunberg, research vice president of NSS Labs. "Knowing what’s already covered in these policies, where holes exist, and how cyber insurance could fill some of those holes is a good start."

When building what insurance lingo calls an insurance "tower," it is also important for an organization's lawyers to comb through all the policies in totality to make sure that layered policies work properly together.

"In building large insurance towers, it is very important that the excess policies are true 'follow form' policies that will drop down over all of the coverage grants of the underlying policy," says Steve Bridges, senior vice president of the brokerage JLT Specialty USA's Cyber/Errors and Omissions team. "In a large loss scenario, having one carrier on a program refuse to pay their limit will cause huge problems up the tower."


Examine limits carefully--especially sublimits.

Financial coverage limits are one of the fundamental elements by which an organization should be judging its cyber insurance policies. First of all, it is essential that the organization have as good an estimate as possible of the amount of financial risk it needs to offset with a policy.

"Because the frameworks used for cyber risk management are still immature and evolving, we find that the financial sector’s Value at Risk [VaR] framework can be very useful in determining the amount of cyber coverage an enterprise should be considering," says Jim Jaeger, chief cyber services strategist for Fidelis Security.

Jaeger urges organizations to consider their own risk relative to average breach numbers. With the Ponemon Cost of Data Breach statistics pegging the average breach cost at $3.8 million, some businesses may find many $1 million to $5 million policies inadequate.

"Based on the type of business, loss of large amounts of PII/PHI could run through a $5 million policy before you get to regulatory or any liability judgments," he says.

Even more important is the issue of sub-limits placed on specific categories of coverage within a policy.

"There is not a standard cyber insurance form," Jaeger says. "Policies have sub limits that will limit your forensic spend to a certain amount," for example.

If language exists to limit forensic spend drastically, the organization will still have to pay out-of-pocket for anything beyond the sub-limit even if the overall limit has not been exceeded.


Watch out for exclusions.

Similarly, understanding the language around exclusions is crucial to ensuring that a cyber insurance policy is worth the premium.

"Understand the insuring agreements to be sure you have the coverage you are looking for and then check the scope of the exclusions. Exclusions for minimum security standards can kill all best efforts," says Brian Branner, executive director of strategic alliances for RiskAnalytics.

Establishing clarity about vague standards for those types of exclusions is also important.

"Have counsel review for broadly worded exclusions such as 'breach of contract'--a data breach is just that and the reason you are buying the policy," Jaeger says.

In the same vein, if there are exclusions for security standards not being met, it is important to get in writing specifically what those minimum standards are, in order to avoid heartache in the future. This may require more discipline on the risk management and visibility front for an organization, both in the evaluation stage and when proving that the standards have been met.

"Enterprises should also understand that the more risk they transfer to an insurance carrier the more visibility into that risk they must provide," Braunberg says. "This can require a fairly intensive evaluation of security practices and potential vulnerabilities."


Retroactive dates are important.

As an organization negotiates its policy, it should fight to get retroactive coverage as far back as possible, says Jaeger, given the low-and-slow attack tactics of criminals these days.

"The breach may have started a year or more ago and you don’t know it. This date will protect you if the forensics determine you were breached prior to purchasing the policy," he says, explaining that it is common to find breaches that started more than a year before the initial forensics investigation. "In these breaches, the attackers are often deeply embedded in the network, which dramatically raised the cost to investigate and contain the breach, as well as the damage done by the attackers."


Look for services benefits.

When vetting insurance providers against one another, things like premiums, limits, and exclusions will all be of utmost priority. But don't forget to consider other benefits on the table such as included security services or those offered at a discount to policy holders.

"A few of the insurers have recognized that they can reduce their own risk by enhancing the cybersecurity of the firms they are insuring," Jaeger says. "As a result, these firms are now providing security education and proactive services to their insurance clients. Other insurance firms provide vetted lists of cybersecurity firms to their clients for both proactive security projects and incident response services." 

In the latter case, though, if it is important to you, be sure that you can still hire your own people during an incident.

"Make sure you can hire your attorney or forensic partner in the policy versus being limited to use of firms identified by the insurer," he says.


Get a great broker.

Time and time again, the experts who weighed in on best practices for procuring cyber insurance hammered on the importance of an experienced and specialized broker in guiding the process.

"It is every insurance carrier’s job to limit coverage and charge a healthy premium. It is the broker’s job to get the lowest cost while expanding and customizing policy wordings/coverage specific to each insured," says Branner. "If your broker lacks in-depth expertise in this subject area, which is common outside of the top ten brokers, then you may just end up with a policy that will disappoint you in time of a claim."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Robin2,
User Rank: Apprentice
2/16/2016 | 6:50:16 AM
Great Post
Great post, I really appreciate your post.