
Analytics

9/26/2012 12:56 PM

Don't Waste Your Money On Cyber Breach Insurance

Special insurance may offer value, but to get it you'll need to avoid common exclusions and stop trying to use a breach policy as a substitute for solid data security practices

As a growing number of businesses look to cyber breach insurance as a tool for mitigating the financial risk of data breaches, IT security pros need to be ready to help their organizations avoid choosing a policy that will not pay out when the worst occurs.

Chief among the pitfalls? Treating insurance as a financial substitute for investment in sound protection of databases and other data security infrastructure.

"These insurance policies can't eliminate risk, they can only help you control and minimize it," says Rich Santalesa, senior counsel for Infolaw Group. "It's really one arrow in the quiver of those dealing with today's cyber risks and some of the liabilities that can spring from them."

[Don't expect your general liability coverage to pay out for data breaches. See Fluke DSW Win Shouldn't Erase Breach Insurance Needs.]

Organizations that fail to encrypt sensitive data, that have few controls over who accesses database resources, and that do nothing to monitor activity within those data stores could be in for a rude awakening if they buy insurance as a stand-in for these practices. If legal or more traditional risk management personnel are under this misapprehension, it may fall to IT security pros to explain why, says Rich Mogull, analyst and CEO of Securosis.

"I think what IT needs to explain to those guys is two things. One is it certainly isn't going to keep us out of the newspapers and from a financial standpoint, that's one of our greatest risks," Mogull says. "And, two, that's not going to keep us from getting fined by, say, PCI."

And that's assuming there is a payout at all, he warns. If line-of-business and legal leaders decide on a breach policy without input from IT, they may overlook exclusions that require a higher level of security controls than the organization currently has in place, giving the insurer grounds to deny a claim.

"If the insurance people say 'You didn't analyze your logs enough,' and then they don't have to pay, that's a problem," he says. "That is absolutely an area that I think IT needs to be clear, to say, 'These are the standards that they expect of us and this is our current rate of compliance with what that would be required for a payout.'"

One of the difficulties in shopping for one of these policies is the fact that cyber insurance is so new and is like no other insurance, says John Nicholson, an IT sourcing, privacy and data security attorney based out of the Washington, D.C. area.

"If you demonstrate that you're a really good driver, then your car insurance rates go down," he says. "In the cyber world, it's not quite there yet because people just don't know what those profiles are and how to accurately evaluate those levels of risk."

That lack of an established risk model is a big reason policy language varies so widely across the market, Santalesa says.

"Policies are still all over the place and a lot of the underwriters are still wrestling with how to quantify these risks, especially with laws changing as frequently as they do," he says. "So the short answer is it definitely provides value and predictability on limiting your liability and out-of-pocket cost, but it has to be entered in very carefully."

Because insurers are themselves still taking baby steps into the market, the process of merely applying for one of these policies may be one of the biggest parts of the breach insurance value proposition, Nicholson says.

"So they don't get blindsided by something in their clients' environments, the application process of these insurance policies is actually pretty extreme," he says. "They actually force you to go through a rigorous process to evaluate and disclose your own cybersecurity practices. That exercise in and of itself is very valuable."

He warns enterprises to be wary of an insurer that doesn't require them to go through this thorough pre-screening process.

"There's work that goes into your cyber insurance policy," Nicholson says. "If someone is offering you a cyber insurance policy that isn't requiring that kind of work? Well, there ain't no such thing as a free lunch."

Within the policy itself, shoppers need to be wary of vague language about what triggers a payout, and of exclusions that let the insurer shift liability back onto the policyholder.

"Look for anything that holds you to any kind of standard," Mogull warns. "They're going to have all sorts of clauses in there that they're not going to have to pay if you screw up."

For example, Santalesa says some breach policies may not cover incidents that occurred through the use of employee-owned devices.

"So if you're going to have a BYOD program, it may be something that you need to address in your coverage," he says.

Similarly, a policy could release the insurer from liability if the breach was caused by a third party, Nicholson warns. Where functions are outsourced, the enterprise needs to compare its prospective policy against the liability coverage its contractors carry, so that a vendor-caused breach is not left uncovered by both sides.

"You've got that interplay between your own coverage and whether or not it will cover you if your vendor loses data, and whether or not your vendor has its own insurance," he says.

Enterprises should also look out for clauses that cap payout amounts or keep a tight rein on what the breached organization can spend the insurance money on. Nicholson warns organizations to pay very close attention to the financial limits and sub-limits attached to the policy.

"You may think you've got a really big limit that will protect you," he says. "But if you're not reading the fine print on what the sub-limits are within certain types of events or certain types of costs, that's where you're going to get tripped up."

One place where Nicholson sees a lot of companies not getting sufficient coverage is for crisis management costs.

"A lot of policies are limiting those costs or don't cover them to the extent that companies actually incur them," he says.

Because finding the right cyber insurer and negotiating a beneficial policy is such a delicate process, Santalesa recommends treating it as a team exercise. The decision shouldn't be made by business leaders, legal, or IT executives alone; they need to combine forces, he says. For their part, IT professionals need to play the role of technical translator.

"The business people and legal people might not be as technically savvy," he says. "IT definitely adds value to understanding what the risks are and then selecting the most well-tuned cyber policy."

Comments
pparay074, User Rank: Apprentice, 9/27/2012 5:47:55 PM
re: Don't Waste Your Money On Cyber Breach Insurance
John -- you are dead on right regarding the title. It does not jive with the content of the article and should actually be more like: "Don't Rely Solely on Cyber Insurance"

One major takeaway from the article is that network security and privacy insurance is often part of a balanced approach to network security and privacy risk management. In other words, the purchase of this insurance should work hand-in-hand with other risk management tools. And, money spent on the insurance will have been wasted if these other risk management tools are not also put in action.
johnrmerchant, User Rank: Apprentice, 9/27/2012 2:51:31 PM
re: Don't Waste Your Money On Cyber Breach Insurance
Your article has excellent content on how to approach Cyber insurance, but the title is quite misleading. Also, don't forget the value of a good broker or consultant to review a policy before buying. Many (if not all) of the pitfalls listed would be removed or significantly softened by a good broker or consultant.