When contemplating threats to your organization (perhaps counting them instead of sheep while you shiver in a cold sweat on another sleepless night), you might be comforted by the thought of transferring risk to someone else -- like, for instance, a cyberinsurance provider. The trouble is that not all risks can be transferred, no matter how much you pay for a policy.
The insurance company may absorb the immediate costs associated with a data breach -- sending out notifications and the like -- but no matter how much you pay for your policy, it cannot completely absorb the damage to your company's reputation. Just because you're insured doesn't mean you won't go out of business.
The other trouble, of course, is that cyberinsurance doesn't cover all security incidents. Big data breaches get the most attention, but what about the denials of service that bring your online store down for 48 critical hours during the holiday season? What about the insider who secretly obtains broader access credentials and uses that access to embezzle money or commit corporate espionage? What about the attacks that compromise the control systems for critical physical infrastructure? Some insurers will cover those incidents, but the policies are rife with exceptions and restrictions.
According to a recent Ponemon Institute survey of security and risk professionals, most policies will pony up cash for breach notifications, legal fees, and forensic investigations. About half will pay for regulatory fines and equipment replacements. However, only 34% cover revenue loss. Only 8% cover brand damages, and only 11% cover employee productivity losses.
As for the types of incidents the insurers will cover, you're probably protected against human errors and bad guys on the outside. However, only about half the survey respondents' policies cover attacks by malicious insiders. Only 11% cover attacks against "business partners, vendors or other third parties that have access to their company's information assets." (Sorry, Target.)
Despite the limitations, companies are still buying cyberinsurance. According to the Ponemon report, 31% of security and risk pros said their company has a cybersecurity insurance policy. Another 39% said they are planning to purchase insurance, and 41% said that, from a business perspective, cybersecurity risks are greater than other insurable business risks such as natural disasters, business interruption, and fires.
The most common reasons respondents gave for not purchasing insurance were that it was too expensive or didn't cover enough. However, 26% said their risk profile was too high, so insurers wouldn't sell them policies.
How do you alter your organization's risk profile to make it more palatable to insurers? Anyone who's ever had to improve a FICO credit score quickly to convince lenders that the borrower is not a high-risk scoundrel knows that it requires some fiscal acrobatics, a bit of sorcery, and a lot of incessant, obsessive monitoring. The cyberinsurance industry now has its own version of a FICO score to delight underwriters and frighten hopeful policy holders.
The startup BitSight Technologies recently launched an information security risk rating system. This system "provides objective and up-to-date ratings on the information security health of a company's partner ecosystem so it can better protect sensitive business and customer data shared with third-party vendors," BitSight said in a press release. "The information security ratings, which range from 250 to 900, are similar to consumer credit scores, with higher ratings indicating better security postures."
Liberty Insurance Underwriters (LIU) just partnered with BitSight to provide the BitSight Security Rating Service to holders of LIU Data Insure policies. Liberty said in a release that the service will generate and deliver "timely, data-driven analysis of a company's security performance" on a daily basis. Policy holders won't need to provide any information or undergo any testing.
Though there are signs that the cyberinsurance industry is maturing, there remains a healthy amount of skepticism about its effectiveness. Thirty percent of the respondents to the Ponemon survey said they have no interest in purchasing a policy now. During an event at Fordham University this month, White House director for cybersecurity critical infrastructure protection Samara Moore said flat out that cyberinsurance is "not very well developed" and "not a very viable option."
What do you think? Has your organization bought a cyberinsurance policy? Do you think it's worth the money? Were you involved in the decision to purchase the insurance? Have you ever had to file a claim? How did that go? Do you think the cyberinsurance industry would ever consider offsetting risks through catastrophe bonds? Let us know in the comments below.