As an increasing number of businesses are starting to look at cyber breach insurance as a tool to mitigate the risks of data breaches, IT security pros need to be prepared to help their organizations avoid the hazards of choosing a policy that may not pay out when the worst occurs.
Chief among the biggest pitfalls? Trying to use insurance as a financial replacement for investment in sound protection of databases and other data security infrastructure.
"These insurance policies can't eliminate risk, they can only help you control and minimize it," says Rich Santalesa, senior counsel for Infolaw Group. "It's really one arrow in the quiver of those dealing with today's cyber risks and some of the liabilities that can spring from them."
[Don't expect your general liability coverage to pay out for data breaches. See Fluke DSW Win Shouldn't Erase Breach Insurance Needs.]
Organizations that fail to encrypt sensitive data, that have few controls over who accesses database resources, and that do nothing to monitor activity within these data stores could be in for a rude awakening if they buy insurance as a stand-in for these practices. If legal or more traditional risk management personnel are under this misapprehension, it may be up to IT security pros to explain why, says Rich Mogull, analyst and CEO of Securosis.
"I think what IT needs to explain to those guys is two things. One is it certainly isn't going to keep us out of the newspapers and from a financial standpoint, that's one of our greatest risks," Mogull says. "And, two, that's not going to keep us from getting fined by, say, PCI."
And that's assuming you're going to get a payout anyway, he warns. If line-of-business and legal leaders unilaterally decide to get a breach policy without input from IT, they may miss exclusions in the policy that require a higher level of controls than what the organization currently has in place.
"If the insurance people say 'You didn't analyze your logs enough,' and then they don't have to pay, that's a problem," he says. "That is absolutely an area that I think IT needs to be clear, to say, 'These are the standards that they expect of us and this is our current rate of compliance with what that would be required for a payout.'"
One of the difficulties in shopping for one of these policies is the fact that cyber insurance is so new and is like no other insurance, says John Nicholson, an IT sourcing, privacy and data security attorney based out of the Washington, D.C. area.
"If you demonstrate that you're a really good driver, then your car insurance rates go down," he says. "In the cyber world, it's not quite there yet because people just don't know what those profiles are and how to accurately evaluate those levels of risk."
This greatly affects the variability of language within the range of different policies on the market, Santalesa says.
"Policies are still all over the place and a lot of the underwriters are still wrestling with how to quantify these risks, especially with laws changing as frequently as they do," he says. "So the short answer is it definitely provides value and predictability on limiting your liability and out-of-pocket cost, but it has to be entered in very carefully."
Because the insurance companies are themselves still taking baby steps into the market, the process of even just applying for one of these policies may actually provide one of the biggest parts of the breach insurance value proposition, Nicholson says.
"So they don't get blindsided by something in their clients' environments, the application process of these insurance policies is actually pretty extreme," he says. "They actually force you to go through a rigorous process to evaluate and disclose your own cybersecurity practices. That exercise in and of itself is very valuable."
He warns enterprises to be wary of an insurer that doesn't require them to go through this thorough pre-screening process.
"There's work that goes into your cyber insurance policy," Nicholson says. "If someone is offering you a cyber insurance policy that isn't requiring that kind of work? Well, there ain't no such thing as a free lunch."
Within the potential policy itself, shoppers need to be wary of vague language about what triggers a payout or exclusions that allow the insurer to pin the liability back on the policy holder.
"Look for anything that holds you to any kind of standard," Mogull warns. "They're going to have all sorts of clauses in there that they're not going to have to pay if you screw up."
For example, Santalesa says some breach policies may not cover incidents that occurred through the use of employee-owned devices.
"So if you're going to have a BYOD program, it may be something that you need to address in your coverage," he says.
Similarly, a policy could exclude the insurer from liability if the breach was caused by a third party, Nicholson warns. In cases of outsourcing, the enterprise will need to compare its potential policy with the liability coverage offered by its contractors.
"You've got that interplay between your own coverage and whether or not it will cover you if your vendor loses data, and whether or not your vendor has its own insurance," he says.
Enterprises should also look out for clauses that cap payout amounts or keep a tight rein on what the breached organization can spend the insurance money on. Nicholson warns organizations to pay very close attention to the financial limits and sub-limits associated with the policy.
"You may think you've got a really big limit that will protect you," he says. "But if you're not reading the fine print on what the sub-limits are within certain types of events or certain types of costs, that's where you're going to get tripped up."
One place where Nicholson sees a lot of companies not getting sufficient coverage is for crisis management costs.
"A lot of policies are limiting those costs or don't cover them to the extent that companies actually incur them," he says.
Because finding the right cyber insurer and negotiating a beneficial policy is such a delicate process, Santalesa recommends that it be treated as a team exercise. The decision shouldn't be made by business leaders, legal, or IT executives alone; instead, they need to combine forces, he says. For their part, IT professionals need to fill the role of technical translator.
"The business people and legal people might not be as technically savvy," he says. "IT definitely adds value to understanding what the risks are and then selecting the most well-tuned cyber policy."