10/2/2014
05:25 PM

Cyberinsurance Resurges In The Wake Of Mega-Breaches

Insurance policies customized for cyberattack protection are on the rise as businesses worry they could be the next Target.

The string of data breaches at Target, Home Depot, JPMorgan Chase, and so many other major brands has reinvigorated the cyberinsurance industry.

Cyberinsurance, which originally was rolled into other insurance policies or even considered unnecessary and ineffective, is enjoying a resurgence of late. Policy purchases have more than doubled in the past year, according to new data from The Ponemon Institute: 10% of companies held cyberinsurance policies in 2013, but 26% do in 2014. That's still a relatively low percentage, but insurers say cyberinsurance indeed is on the rise.

Kirstin Simonson, underwriting director for Travelers Global Technology, says US premiums today are estimated at around $1 billion, and it won't be long before they reach $2 billion.

A handful of carriers offered cyberinsurance coverage in the early days -- the late 1990s -- and the focus was more on privacy and trademark infringement. "There are now over 50 to 60 insurers" offering cyberinsurance coverage, Simonson says, including Travelers.

The surge, not surprisingly, is mostly due to data breach concerns. And cyberinsurance experts say demand is growing rapidly as companies watch victim organizations like Target and Home Depot try to dig out from under their data breach costs and fallout. Target, which reported $61 million of expenses related to the breach, had about $40 million in cyberinsurance, though security analysts estimated its overall breach costs could reach $500 million when all is said and done.

"It is not an overstatement to say that there is a 'pre-Target' and 'post-Target' state of the cybermarket for major retailers from both the underwriting and the client side," Emily Freeman, risk management cyber and professional liability specialist for the global technology and privacy practice at Lockton Companies, said in a recent report.

Simonson says concerns over data breaches are driving cyber insurance. "Most people are talking around the breach component of it. They may also be driven by regulatory compliance concerns."

However, cyber espionage attacks remain a bit fuzzy for insurers, she says. "Cost to cover intellectual property [cyberattacks] are not a widely insurable thing yet."

The cost of forensics, downtime, breach notification, credit monitoring services for customers, legal fees, and crisis management teams all factor into the insurance equation today. "They have to protect their brand reputation," and retailers look for insurers to help support that.

There are even tools now designed specifically for cyberinsurance underwriters to vet their prospective clients. This week, BitSight rolled out a security ratings service specifically for cyber insurers based on its Security Ratings Platform, which analyzes publicly available data from its global sensors that track security events and malware behavior daily for organizations, specifically looking for botnet communication, malware distribution, and email server configuration. The scoring model is akin to consumer credit ratings.

"There's not been to date a quantifiable, objective metric" for the cyber insurers, says Ira Scharf, chief strategy officer at BitSight. "We've developed a product specifically for cyber insurers… The rating technology is the same, but built on top of it is a series of analytics and specific dashboards and organizational tools that fit right into the workflow of a cyberinsurance underwriter."

The service alerts an insurer to breaches at a retailer, for instance, and how that retailer compares with other retailers security-wise. "The underwriter now has a window into the risk… If a company gets breached, how many days did it take for them to mitigate the problem? That's a real good indicator of the sophistication of a company's security procedures."

"It's the fastest-growing segment of the insurance industry," Scharf says. "Carriers are looking to develop standalone cyber products, and companies are looking for more coverage."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
TerryQ049,
User Rank: Apprentice
10/30/2014 | 4:26:23 PM
cyber insurance, cyberinsurance...
Organizations don't need cyber insurance, it really is an unnecessary expense - unless, that is, they have a website, use the internet, collect credit cards, have employees and a bank account - not sure who all that might be but they're probably not buying much other insurance either (I know, there's plenty of exceptions... bear with me)

- I've seen so-called cyber insurance that costs $14 (you get what you pay for, with everything), and yes the cyber insurance market is all over the place with pricing and coverage offerings, but not buying cyber insurance when you're part of the connected world is like not buying fire insurance on the house you live in - just too risky. BTW, take a look through all the media you like for all the fires recently, first wade past the data breach stories and you'll find some good fire stories out there somewhere - good luck!

- meantime, don't worry about the business burning down if it's correctly insured, and don't worry about hackers, genius employees, every business you interact with online, every customer or the State and Federal authorities, if you have a GOOD cyber insurance policy.
JasonPolancich,
User Rank: Author
10/8/2014 | 11:23:16 AM
Re: Cyber insurance small part of quickly evolving strategy
Exactly. Hence the burden on individual business and the need to see cyber insurance as what it is: part of a bigger multi-faceted strategy that's tailored to you.


I think it is a good thing in parts, not in others. Inconsistent is the word I'd use. Too early to see what it will become as insurers collect and analyze data over time. They are great at it, so we'll see.
Marilyn Cohodas,
User Rank: Strategist
10/8/2014 | 11:17:49 AM
Re: Cyber insurance small part of quickly evolving strategy
Hard to imagine an insurance company going down into the weeds like that to manage risk/make money. In your view, is cyberinsurance a good bet for the insurance industry, and is it even possible for companies to protect themselves against risk through liability insurance? Or too early to tell?
JasonPolancich,
User Rank: Author
10/8/2014 | 11:13:41 AM
Re: Cyber insurance small part of quickly evolving strategy
Marilyn,

This has become a very interesting question for me!

Collecting and analyzing data for a long time, we've begun to realize that the answers to questions like these are very specific to individual business. In other words, your specific business profile analyzed against relevant industry trends as a whole yields the most accurate insight, so each company is different (e.g. your size, your industry sub-sector, your web and social exposures, what products you have, who your customers are, your IT landscape, your suppliers, their profiles and on and on).

Just starting to keep track of this kind of data in this way as it relates to your specific organization almost immediately yields key insights when you begin to get educated on what threats are out there and how those overlay with the data specific to your business. For example, a florist chain with 6 locations, 20 employees, 4 web and social properties, 25 suppliers, large online ad spend and with a majority of their sales coming via cloud-hosted SaaS apps for eCommerce has a very different profile than say a large, single-city accounting with a 100-year history that does everything IT-wise in-house and has high revenue, large data set under storage but almost zero web presence and so on. The picture of the attack surface profile for these two businesses is drastically different and they would prioritize a cyber defense or response strategy - in $$$, people, tools and overall approach outlay - in different ways.

Major keys to "knowing yourself" more in this way? Practical data and intel diligence, constantly updating info across the board, being responsive to indicators and signs, 360 degree and multi-dimensional view of your risks, etc.

 
Marilyn Cohodas,
User Rank: Strategist
10/8/2014 | 10:55:06 AM
Re: Cyber insurance small part of quickly evolving strategy
Aptly put, Jason. The insurance industry has much more experience analyzing risk (not necessarily cyberrisk) and putting a monetary value on it vis a vis insurance policies. What do you think are the top risk profiles/surfaces that organizations should focus on? And would that be the same areas for insurance companies?
JasonPolancich,
User Rank: Author
10/8/2014 | 10:38:05 AM
Cyber insurance small part of quickly evolving strategy
The market for cyber insurance has certainly needed to evolve to assist enterprises (and small guys too!) and surely we're seeing that happen now.

That said, most of the advantage is now and will continue to be on the side of the market most profiting from our cyber circumstances. Insurers will, for a long time, act like Vegas in that they'll efficiently manage the risk matrix against real events and bet on those vulnerabilities most profitable for them in the long run.

In the end, companies still benefit, for sure, but there will be lots of gaps. This is where companies of all sizes must begin to evolve as well to manage their risks and vulnerabilities more actively as part of their core operations just as accounting or anything else.

Part of the problem for both sides is that characterizing risks across sectors and individual/sets of companies is an immature art right now, as opposed to a data-backed science. It will take time and the efforts of organizations on both sides of the fence to build up data and analysis that leads to, among other things, more complete and accurate coverages, niche product needs, etc.

In my view, most of the burden right now is on the businesses themselves to become more daily aware of their own risk profiles and surfaces, novel trends, etc. and the real, measurable connection these things have to their core value offerings (e.g. products, customers, partners, etc.).
Brian Bartlett,
User Rank: Apprentice
10/7/2014 | 5:57:20 PM
Re: Another new cyberinsurance company
On the flip side of insurance industry practices where reducing premium costs for particular practices (think hard hats, sprinklers, ...) And what pressures can be brought about through regulatory lobbying and civil suits. Pardon me, but about damned time. And that's speaking as the guy (engineer) who'll be in the cross-hairs.
Kelly Jackson Higgins,
User Rank: Strategist
10/6/2014 | 2:09:54 PM
Re: Another new cyberinsurance company
All good points, Sara. Reputation recovery should be a service offering of its own for some firms.
Sara Peters,
User Rank: Author
10/6/2014 | 1:35:25 PM
Re: Another new cyberinsurance company
@Kelly I still think that companies are going to spend some time hemming and hawing over whether or not to buy the insurance -- because, on one hand, they're getting scared into buying it, but on the other hand, they're learning that most cyber-insurance doesn't quite cover all the things they think it will.

And then of course there's the fact that there's one big thing insurance can never really cover: reputation damage.
Kelly Jackson Higgins,
User Rank: Strategist
10/6/2014 | 1:21:37 PM
Re: Another new cyberinsurance company
I saw that this morning, @Sara. Really interesting. It seems this market is maturing pretty fast now. 