Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

3/26/2014
04:00 PM
Sara Peters
Commentary

Don't Put Too Much Faith in Cyberinsurance

Cyberinsurance is great for covering discrete costs like breach notifications and legal fees, but don't rely heavily on it for much else.

When contemplating threats to your organization (perhaps counting them instead of sheep while you shiver in a cold sweat on another sleepless night), you might be comforted by the thought of transferring risk to someone else -- like, for instance, a cyberinsurance provider. The trouble is that not all risks can be transferred, no matter how much you pay for a policy.

The insurance company may absorb the immediate costs associated with a data breach -- sending out notifications and the like -- but no matter how much you pay for your policy, it cannot completely absorb the damage to your company's reputation. Just because you're insured doesn't mean you won't go out of business.

The other trouble, of course, is that cyberinsurance doesn't cover all security incidents. Big data breaches get the most attention, but what about the denials of service that bring your online store down for 48 critical hours during the holiday season? What about the insider who secretly obtains broader access credentials and uses that access to embezzle money or commit corporate espionage? What about the attacks that compromise the control systems for critical physical infrastructure? Some insurers will cover those incidents, but the policies are rife with exceptions and restrictions.

According to a recent Ponemon Institute survey of security and risk professionals, most policies will pony up cash for breach notifications, legal fees, and forensic investigations. About half will pay for regulatory fines and equipment replacements. However, only 34% cover revenue loss. Only 8% cover brand damages, and only 11% cover employee productivity losses.

As for the types of incidents the insurers will cover, you're probably protected against human errors and bad guys on the outside. However, only about half the survey respondents' policies cover attacks by malicious insiders. Only 11% cover attacks against "business partners, vendors or other third parties that have access to their company's information assets." (Sorry, Target.)

Despite the limitations, companies are still buying cyberinsurance. According to the Ponemon report, 31% of security and risk pros said their company has a cybersecurity insurance policy. Another 39% said they are planning to purchase insurance, and 41% said that, from a business perspective, cybersecurity risks are greater than other insurable business risks such as natural disasters, business interruption, and fires.

The most common reasons respondents gave for not purchasing insurance were that it was too expensive or didn't cover enough. However, 26% said their risk profile was too high, so insurers wouldn't sell them policies.

How do you alter your organization's risk profile to make it more palatable to insurers? Anyone who's ever had to improve a FICO credit score quickly to convince lenders that the borrower is not a high-risk scoundrel knows that it requires some fiscal acrobatics, a bit of sorcery, and a lot of incessant, obsessive monitoring. The cyberinsurance industry now has its own version of a FICO score to delight underwriters and frighten hopeful policy holders.

The startup BitSight Technologies recently launched an information security risk rating system. This system "provides objective and up-to-date ratings on the information security health of a company's partner ecosystem so it can better protect sensitive business and customer data shared with third-party vendors," BitSight said in a press release. "The information security ratings, which range from 250 to 900, are similar to consumer credit scores, with higher ratings indicating better security postures."

Liberty Insurance Underwriters (LIU) just partnered with BitSight to provide the BitSight Security Rating Service to holders of LIU Data Insure policies. Liberty said in a release that the service will generate and deliver "timely, data-driven analysis of a company's security performance" on a daily basis. Policy holders won't need to provide any information or undergo any testing.

Though there are signs that the cyberinsurance industry is maturing, there remains a healthy amount of skepticism about its effectiveness. Thirty percent of the respondents to the Ponemon survey said they have no interest in purchasing a policy now. During an event at Fordham University this month, White House director for cybersecurity critical infrastructure protection Samara Moore said flat out that cyberinsurance is "not very well developed" and "not a very viable option."

What do you think? Has your organization bought a cyberinsurance policy? Do you think it's worth the money? Were you involved in the decision to purchase the insurance? Have you ever had to file a claim? How did that go? Do you think the cyberinsurance industry would ever consider offsetting risks through catastrophe bonds? Let us know in the comments below.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
kjhiggins,
User Rank: Strategist
3/26/2014 | 9:17:16 PM
cyber insurers
Really interesting insight, Sara. Who are the main players in cyber insurance today?