Imagine an insurance market plagued by eye-popping premiums and deductibles, skimpy coverage, a lack of standards that makes "apples-to-apples" comparisons of policies nearly impossible, and customers who are at a significant disadvantage because they don't fully understand their risks or how much coverage they need.
No, the above isn't a description of the individual health insurance market; it describes the enterprise cyber-insurance market.
What's in Your Policy?
Although the cyberthreat landscape grows more dangerous by the day, half of U.S. firms have no cyber insurance, 27% have no plans to buy coverage, and only 16% report having a policy that covers all of their risks, according to a FICO survey.
While it's true that some organizations refuse to buy cyber insurance out of the misguided notion that they don't "need" to worry about being hacked, this mindset isn't entirely at fault. Just as many individuals have found their "good" health insurance to be useless in the face of a catastrophic illness, many enterprises have been left high and dry by cyber-insurance policies that didn't fully protect them after a major cyber attack.
Ameriforge Group sued its cyber insurer, Chubb Group, when Chubb refused to cover the $480,000 in losses the manufacturer incurred due to a CEO email phishing scam (a business email compromise in which an attacker impersonating the CEO induced a wire transfer). Chubb paid out on some of the losses P.F. Chang's suffered after a point-of-sale data breach but did not cover the $1.9 million Payment Card Industry Data Security Standard (PCI DSS) assessment the restaurant chain was slapped with. Sometimes, firms can inadvertently void their policies before an attack happens. Policies that include cyber-extortion clauses typically prohibit organizations from publicly disclosing that they have purchased this coverage, for example in a security operations center report or a press release, because an attacker who knows a ransom will be reimbursed has more leverage.
Cyber Insurance Market “Promising” but Dysfunctional
A report by Deloitte released in February, "Demystifying Cyber Insurance Coverage," describes a market that is "promising" but "problematic" for both insurers and customers. Because cybersecurity is a relatively new field and the threat landscape changes daily, insurers don't have the historical data they need to build reliable predictive models. They fear a catastrophic accumulation of claims if a major attack were to hit multiple insured customers, as happened with WannaCry and NotPetya ransomware. Insurers also tend to offer policies focused on the protection of personally identifiable information (PII), even though many organizations don't handle PII or are more susceptible to ransomware, cyber extortion, or other attacks that don't involve PII.
Customers, meanwhile, may not have a complete grasp of their organizations' vulnerabilities or of the threat landscape in general. This results in firms buying "skinny" (but still very expensive) policies that offer scant protection or exclude the very threats they're most vulnerable to. Other organizations mistakenly believe that their general business liability or business interruption policies cover cyber attacks.
Cyber Insurance Isn't a Replacement for Cybersecurity
Cyber insurance may promote a moral hazard, where companies feel they don't have to invest in cybersecurity because "the insurance will cover it" if they get hacked. Yet even the most robust policy will not cover all of a business's losses after an attack. It may not cover contractual penalties such as the PCI DSS assessment in P.F. Chang's case, or regulatory fines, and it won't cover all of the losses incurred if a business has to scale back operations or even temporarily shut down in the wake of an attack. Cyber policies also generally exclude ransomware attacks that can be traced back to malicious insiders, such as rogue employees or disgruntled third-party vendors.
Other organizational challenges include the need to have a thorough knowledge of the corporate data environment, vulnerabilities, and risks, as well as the overall threat environment, which changes daily. Furthermore, there's a lack of standardization in the insurance market, which makes comparing policies difficult.
Cyber-insurance policies also don't eliminate the need for organizations to take proactive steps to secure their systems. In fact, coverage is usually conditioned on the security controls the insured described in its application; if those controls lapse or were misrepresented, the insurer can deny a claim or void the policy. So, regardless of whether an organization purchases a policy or not, it will still need to do the following:
• Keep all software and operating systems patched and supported (remember, WannaCry and NotPetya both spread through an SMB vulnerability for which Microsoft had already released a patch, hitting systems that were out of support or simply not yet updated)
• Run robust, up-to-date antivirus software
• Maintain compliance with industry and regulatory standards like HIPAA and PCI-DSS
• Continually monitor networks for suspicious activity, 24 hours a day, 365 days a year
• Have in-house and/or remote security staff on hand at all times to respond to anomalies and attacks
• Have a comprehensive, written cybersecurity policy that is regularly reviewed and updated
• Train all employees on cybersecurity best practices, such as how to spot phishing emails
• Control physical access to sensitive areas on its premises, such as server rooms
• Utilize other controls, such as firewalls, network segmentation, and encryption as appropriate
• Perform regular backups, keep at least one copy offline or otherwise isolated so that ransomware cannot encrypt it, and test restores periodically, so that systems can actually be recovered after a ransomware attack or a natural disaster like a fire or flood