2/12/2016
06:00 PM
Quick Guide To Cyber Insurance Shopping

Experts offer their opinions on important due diligence tasks when procuring cyber insurance.

With analysts projecting the cyber insurance market to heat up in the coming year, it's clear there are a lot of organizations on the hunt for a good policy. With cyber insurance still very much in its earliest stages, there's very little consistency in policy coverage and language, which means that due diligence is crucial, lest organizations find themselves financially holding the bag after a breach in spite of paying premiums for coverage they thought would help.

Here are some of the most important things to look out for as you start the process of vetting policies:


Know the difference between liability and risk policies.

As you start evaluating policies, understand that there are generally two kinds of cyber insurance policies, says Steve Durbin, managing director of the Information Security Forum. There's cyber liability insurance and there's cyber risk insurance.

"Cyber liability insurance provides coverage for liabilities that an organization causes to its customers or to others--insurers call this third-party risk," Durbin says. "Cyber risk insurance is used to cover direct losses to the organization, often known as first-party risk."

Durbin says that cyber risk insurance is less prevalent because these types of policies are more difficult to underwrite due to a lack of actuarial history. They're also less likely to be sought out because of mistaken beliefs, he says.

"Many organizations assume, perhaps incorrectly, that their corporate insurance or general liability policies will cover cyber risk," he says.


Carefully consider a cyber insurance policy in the context of other policies.

This misapprehension is why it helps to start with existing insurance policies and look for gaps with regard to cyber risks.

"An enterprise first needs to understand how cyber insurance fits into its broader portfolio of insurance policies, such as errors and omissions, general liability, and directors and officers," says Andrew Braunberg, research vice president of NSS Labs. "Knowing what’s already covered in these policies, where holes exist, and how cyber insurance could fill some of those holes is a good start."

When building what insurance lingo calls an insurance "tower," it is also important for an organization's lawyers to comb through all the policies in totality to make sure that layered policies work properly together.

"In building large insurance towers, it is very important that the excess policies are true 'follow form' policies that will drop down over all of the coverage grants of the underlying policy," says Steve Bridges, senior vice president of the brokerage JLT Specialty USA's Cyber/Errors and Omissions team. "In a large loss scenario, having one carrier on a program refuse to pay their limit will cause huge problems up the tower."


Examine limits carefully--especially sublimits.

Financial coverage limits are one of the fundamental elements by which an organization should judge its cyber insurance policies. First of all, it is essential that the organization have as good an estimate as possible of the amount of financial risk it needs to offset with a policy.

"Because the frameworks used for cyber risk management are still immature and evolving, we find that the financial sector’s Value at Risk [VaR] framework can be very useful in determining the amount of cyber coverage an enterprise should be considering," says Jim Jaeger, chief cyber services strategist for Fidelis Security.

Jaeger urges organizations to consider their own risk relative to average breach figures. With the Ponemon Cost of Data Breach statistics pegging the average breach cost at $3.8 million, some businesses may find many $1 million to $5 million policies inadequate.

"Based on the type of business, loss of large amounts of PII/PHI could run through a $5 million policy before you get to regulatory or any liability judgments," he says.

Even more important is the issue of sub-limits placed on specific categories of coverage within a policy.

"There is not a standard cyber insurance form," Jaeger says. "Policies have sub-limits that will limit your forensic spend to a certain amount," for example.

If language exists to limit forensic spend drastically, the organization will still have to pay out-of-pocket for anything beyond the sub-limit even if the overall limit has not been exceeded.


Watch out for exclusions.

Similarly, understanding the language around exclusions is crucial to ensuring that a cyber insurance policy is worth the premium.

"Understand the insuring agreements to be sure you have the coverage you are looking for and then check the scope of the exclusions. Exclusions for minimum security standards can kill all best efforts," says Brian Branner, executive director of strategic alliances for RiskAnalytics.

Establishing clarity about vague standards for those types of exclusions is also important.

"Have counsel review for broadly worded exclusions such as 'breach of contract'--a data breach is just that and the reason you are buying the policy," Jaeger says.

In the same vein, if there are exclusions for security standards not being met, it is important to get in writing specifically what those minimum standards are, in order to avoid heartache in the future. This may require more discipline on the risk management and visibility front for an organization, both in the evaluation stage and when proving standards have been met.

"Enterprises should also understand that the more risk they transfer to an insurance carrier the more visibility into that risk they must provide," Braunberg says. "This can require a fairly intensive evaluation of security practices and potential vulnerabilities."


Retroactive dates are important.

As an organization negotiates its policy, it should fight to get retroactive coverage as far back as possible, says Jaeger, given the low-and-slow attack tactics of criminals these days.

"The breach may have started a year or more ago and you don’t know it. This date will protect you if the forensics determine you were breached prior to purchasing the policy," he says, explaining that it is common for a forensics investigation to find breaches that started more than a year before it began. "In these breaches, the attackers are often deeply embedded in the network, which dramatically raised the cost to investigate and contain the breach, as well as the damage done by the attackers."


Look for services benefits.

When vetting insurance providers against one another, things like premiums, limits, and exclusions will all be of utmost priority. But don't forget to consider other benefits on the table such as included security services or those offered at a discount to policy holders.

"A few of the insurers have recognized that they can reduce their own risk by enhancing the cybersecurity of the firms they are insuring," Jaeger says. "As a result, these firms are now providing security education and proactive services to their insurance clients. Other insurance firms provide vetted lists of cybersecurity firms to their clients for both proactive security projects and incident response services." 

In the latter case, though, be sure that, if it matters to you, you can still hire your own people during an incident.

"Make sure you can hire your attorney or forensic partner in the policy versus being limited to use of firms identified by the insurer," he says.


Get a great broker.

Time and time again, the experts who weighed in on best practices for procuring cyber insurance hammered on the importance of an experienced and specialized broker in guiding the process.

"It is every insurance carrier’s job to limit coverage and charge a healthy premium. It is the broker’s job to get the lowest cost while expanding and customizing policy wordings/coverage specific to each insured," says Branner. "If your broker lacks in-depth expertise in this subject area, which is common outside of the top ten brokers, then you may just end up with a policy that will disappoint you in time of a claim."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

Robin2, User Rank: Apprentice, 2/16/2016 | 6:50:16 AM
Great Post
Great post, I really appreciate your post.