Risk

3/26/2014
04:00 PM
Sara Peters
Commentary
Don't Put Too Much Faith in Cyberinsurance

Cyberinsurance is great for covering discrete costs like breach notifications and legal fees, but don't rely heavily on it for much else.

When contemplating threats to your organization (perhaps counting them instead of sheep while you shiver in a cold sweat on another sleepless night), you might be comforted by the thought of transferring risk to someone else -- like, for instance, a cyberinsurance provider. The trouble is that not all risks can be transferred, no matter how much you pay for a policy.

The insurance company may absorb the immediate costs associated with a data breach -- sending out notifications and the like -- but no matter how much you pay for your policy, it cannot completely absorb the damage to your company's reputation. Just because you're insured doesn't mean you won't go out of business.

The other trouble, of course, is that cyberinsurance doesn't cover all security incidents. Big data breaches get the most attention, but what about the denials of service that bring your online store down for 48 critical hours during the holiday season? What about the insider who secretly obtains broader access credentials and uses that access to embezzle money or commit corporate espionage? What about the attacks that compromise the control systems for critical physical infrastructure? Some insurers will cover those incidents, but the policies are rife with exceptions and restrictions.

According to a recent Ponemon Institute survey of security and risk professionals, most policies will pony up cash for breach notifications, legal fees, and forensic investigations. About half will pay for regulatory fines and equipment replacements. However, only 34% cover revenue loss. Only 8% cover brand damages, and only 11% cover employee productivity losses.

As for the types of incidents the insurers will cover, you're probably protected against human errors and bad guys on the outside. However, only about half the survey respondents' policies cover attacks by malicious insiders. Only 11% cover attacks against "business partners, vendors or other third parties that have access to their company's information assets." (Sorry, Target.)

Despite the limitations, companies are still buying cyberinsurance. According to the Ponemon report, 31% of security and risk pros said their company has a cybersecurity insurance policy. Another 39% said they are planning to purchase insurance, and 41% said that, from a business perspective, cybersecurity risks are greater than other insurable business risks such as natural disasters, business interruption, and fires.

The most common reasons respondents gave for not purchasing insurance were that it was too expensive or didn't cover enough. However, 26% said their risk profile was too high, so insurers wouldn't sell them policies.

How do you alter your organization's risk profile to make it more palatable to insurers? Anyone who's ever had to improve a FICO credit score quickly to convince lenders that the borrower is not a high-risk scoundrel knows that it requires some fiscal acrobatics, a bit of sorcery, and a lot of incessant, obsessive monitoring. The cyberinsurance industry now has its own version of a FICO score to delight underwriters and frighten hopeful policy holders.

The startup BitSight Technologies recently launched an information security risk rating system. This system "provides objective and up-to-date ratings on the information security health of a company's partner ecosystem so it can better protect sensitive business and customer data shared with third-party vendors," BitSight said in a press release. "The information security ratings, which range from 250 to 900, are similar to consumer credit scores, with higher ratings indicating better security postures."

Liberty Insurance Underwriters (LIU) just partnered with BitSight to provide the BitSight Security Rating Service to holders of LIU Data Insure policies. Liberty said in a release that the service will generate and deliver "timely, data-driven analysis of a company's security performance" on a daily basis. Policy holders won't need to provide any information or undergo any testing.

Though there are signs that the cyberinsurance industry is maturing, there remains a healthy amount of skepticism about its effectiveness. Thirty percent of the respondents to the Ponemon survey said they have no interest in purchasing a policy now. During an event at Fordham University this month, White House director for cybersecurity critical infrastructure protection Samara Moore said flat out that cyberinsurance is "not very well developed" and "not a very viable option."

What do you think? Has your organization bought a cyberinsurance policy? Do you think it's worth the money? Were you involved in the decision to purchase the insurance? Have you ever had to file a claim? How did that go? Do you think the cyberinsurance industry would ever consider offsetting risks through catastrophe bonds? Let us know in the comments below.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments

kjhiggins, User Rank: Strategist
3/26/2014 | 9:17:16 PM
cyber insurers
Really interesting insight, Sara. Who are the main players in cyber insurance today?