Analytics

9/26/2012
12:56 PM
Don't Waste Your Money On Cyber Breach Insurance

Special insurance may offer value, but to get it you'll need to avoid common exclusions and stop trying to use a breach policy as a substitute for solid data security practices

As an increasing number of businesses are starting to look at cyber breach insurance as a tool to mitigate the risks of data breaches, IT security pros need to be prepared to help their organizations avoid the hazards of choosing a policy that may not pay out when the worst occurs.

Chief among those pitfalls? Trying to use insurance as a financial replacement for investment in sound protection of databases and other data security infrastructure.

"These insurance policies can't eliminate risk, they can only help you control and minimize it," says Rich Santalesa, senior counsel for Infolaw Group. "It's really one arrow in the quiver of those dealing with today's cyber risks and some of the liabilities that can spring from them."

[Don't expect your general liability coverage to pay out for data breaches. See Fluke DSW Win Shouldn't Erase Breach Insurance Needs.]

Organizations that fail to encrypt sensitive data, that have few controls over who accesses database resources, and that do nothing to monitor activity within these data stores could be in for a rude awakening if they buy insurance as a stand-in for these practices. If legal or more traditional risk management personnel are under this misapprehension, it may be up to IT security pros to explain why, says Rich Mogull, analyst and CEO of Securosis.

"I think what IT needs to explain to those guys is two things. One is it certainly isn't going to keep us out of the newspapers and from a financial standpoint, that's one of our greatest risks," Mogull says. "And, two, that's not going to keep us from getting fined by, say, PCI."

And that's assuming you're going to get a payout anyway, he warns. If line-of-business and legal leaders unilaterally decide to get a breach policy without input from IT, they may miss exclusions in the policy that require a higher level of controls than what the organization currently has in place.

"If the insurance people say 'You didn't analyze your logs enough,' and then they don't have to pay, that's a problem," he says. "That is absolutely an area that I think IT needs to be clear, to say, 'These are the standards that they expect of us and this is our current rate of compliance with what that would be required for a payout.'"

One of the difficulties in shopping for one of these policies is the fact that cyber insurance is so new and is like no other insurance, says John Nicholson, an IT sourcing, privacy and data security attorney based out of the Washington, D.C. area.

"If you demonstrate that you're a really good driver, then your car insurance rates go down," he says. "In the cyber world, it's not quite there yet because people just don't know what those profiles are and how to accurately evaluate those levels of risk."

This greatly affects the variability of language within the range of different policies on the market, Santalesa says.

"Policies are still all over the place and a lot of the underwriters are still wrestling with how to quantify these risks, especially with laws changing as frequently as they do," he says. "So the short answer is it definitely provides value and predictability on limiting your liability and out-of-pocket cost, but it has to be entered in very carefully."

Because the insurance companies are themselves still taking baby steps into the market, the process of even just applying for one of these policies may actually provide one of the biggest parts of the breach insurance value proposition, Nicholson says.

"So they don't get blindsided by something in their clients' environments, the application process of these insurance policies is actually pretty extreme," he says. "They actually force you to go through a rigorous process to evaluate and disclose your own cybersecurity practices. That exercise in and of itself is very valuable."

He warns enterprises to be wary of an insurer that doesn't require them to go through this thorough pre-screening process.

"There's work that goes into your cyber insurance policy," Nicholson says. "If someone is offering you a cyber insurance policy that isn't requiring that kind of work? Well, there ain't no such thing as a free lunch."

Within the potential policy itself, shoppers need to be wary of vague language about what triggers a payout or exclusions that allow the insurer to pin the liability back on the policy holder.

"Look for anything that holds you to any kind of standard," Mogull warns. "They're going to have all sorts of clauses in there that they're not going to have to pay if you screw up."

For example, Santalesa says some breach policies may not cover incidents that occurred through the use of employee-owned devices.

"So if you're going to have a BYOD program, it may be something that you need to address in your coverage," he says.

Similarly, a policy could release the insurer from liability if the breach was caused by a third party, Nicholson warns. In cases of outsourcing, the enterprise will need to compare its potential policy with the liability coverage offered by its contractors.

"You've got that interplay between your own coverage and whether or not it will cover you if your vendor loses data, and whether or not your vendor has its own insurance," he says.

Enterprises should also look out for clauses that limit payout amounts or keep a tight rein over what the breached organization can use the insurance money to pay for. Nicholson warns organizations to pay very close attention to the financial limits and sub-limits associated with the policy.

"You may think you've got a really big limit that will protect you," he says. "But if you're not reading the fine print on what the sub-limits are within certain types of events or certain types of costs, that's where you're going to get tripped up."

One place where Nicholson sees a lot of companies not getting sufficient coverage is for crisis management costs.

"A lot of policies are limiting those costs or don't cover them to the extent that companies actually incur them," he says.

Because looking for the right cyber insurer and negotiating for a beneficial policy is such a delicate process, Santalesa recommends that it be treated as a team exercise. The decision shouldn't be made by the business leaders or by legal or by IT executives alone--instead they need to combine forces, he says. For IT professionals' part, they need to play the role of technical translator.

"The business people and legal people might not be as technically savvy," he says. "IT definitely adds value to understanding what the risks are and then selecting the most well-tuned cyber policy."

Comments
johnrmerchant, User Rank: Apprentice
9/27/2012 | 2:51:31 PM
re: Don't Waste Your Money On Cyber Breach Insurance
Your article has excellent content on how to approach cyber insurance, but the title is quite misleading. Also, don't forget the value of a good broker or consultant to review a policy before buying. Many (if not all) of the pitfalls listed would be removed or significantly softened by a good broker or consultant.
pparay074, User Rank: Apprentice
9/27/2012 | 5:47:55 PM
re: Don't Waste Your Money On Cyber Breach Insurance
John -- you are dead on right regarding the title. It does not jive with the content of the article and should actually be more like: "Don't Rely Solely on Cyber Insurance"

One major takeaway from the article is that network security and privacy insurance is often part of a balanced approach to network security and privacy risk management. In other words, the purchase of this insurance should work hand-in-hand with other risk management tools. And, money spent on the insurance will have been wasted if these other risk management tools are not also put in action.