Dark Reading is part of the Informa Tech Division of Informa PLC


Operations

2/12/2016
06:00 PM

Quick Guide To Cyber Insurance Shopping

Experts offer their opinions on important due diligence tasks when procuring cyber insurance.

With analysts projecting the cyber insurance market to heat up in the coming year, it's clear that a lot of organizations are on the hunt for a good policy. Because cyber insurance is still very much in its earliest stages, there is very little consistency in policy coverage and language, which means that due diligence is crucial, lest organizations find themselves financially holding the bag after a breach in spite of paying premiums for coverage they thought would help.

Here are some of the most important things to look out for as you start the process of vetting policies:


Know the difference between liability and risk policies.

As you start evaluating policies, understand that there are generally two kinds of cyber insurance policies, says Steve Durbin, managing director of the Information Security Forum. There's cyber liability insurance and there's cyber risk insurance.

"Cyber liability insurance provides coverage for liabilities that an organization causes to its customers or to others--insurers call this third-party risk," Durbin says. "Cyber risk insurance is used to cover direct losses to the organization, often known as first-party risk."

Durbin says that cyber risk insurance is less prevalent because these types of policies are more difficult to underwrite due to a lack of actuarial history. They're also less likely to be sought out because of mistaken beliefs, he says.

"Many organizations assume, perhaps incorrectly, that their corporate insurance or general liability policies will cover cyber risk," he says.


Carefully consider cyber insurance policy in context of other policies.

This misapprehension is why it helps to start first with existing insurance policies and look for gaps with regard to cyber risks.

"An enterprise first needs to understand how cyber insurance fits into its broader portfolio of insurance policies, such as errors and omissions, general liability, and directors and officers," says Andrew Braunberg, research vice president of NSS Labs. "Knowing what’s already covered in these policies, where holes exist, and how cyber insurance could fill some of those holes is a good start."

When building what insurance lingo calls an insurance "tower," it is also important for an organization's lawyers to comb through all the policies in totality to make sure that layered policies work properly together.

"In building large insurance towers, it is very important that the excess policies are true 'follow form' policies that will drop down over all of the coverage grants of the underlying policy," says Steve Bridges, senior vice president of the brokerage JLT Specialty USA's Cyber/Errors and Omissions team. "In a large loss scenario, having one carrier on a program refuse to pay their limit will cause huge problems up the tower."


Examine limits carefully--especially sublimits.

Financial coverage limits are one of the fundamental elements by which an organization should judge its cyber insurance policies. First of all, it is essential that the organization have as accurate an estimate as possible of the amount of financial risk it needs to offset with a policy.

"Because the frameworks used for cyber risk management are still immature and evolving, we find that the financial sector’s Value at Risk [VaR] framework can be very useful in determining the amount of cyber coverage an enterprise should be considering," says Jim Jaeger, chief cyber services strategist for Fidelis Security.

Jaeger urges organizations to weigh their own risk against average breach numbers. With the Ponemon Cost of Data Breach statistics pegging the average breach cost at $3.8 million, some businesses may find many $1 million to $5 million policies inadequate.

"Based on the type of business, loss of large amounts of PII/PHI could run through a $5 million policy before you get to regulatory or any liability judgments," he says.

Even more important is the issue of sub-limits placed on specific categories of coverage within a policy.

"There is not a standard cyber insurance form," Jaeger says. "Policies have sub limits that will limit your forensic spend to a certain amount," for example.

If language exists to limit forensic spend drastically, the organization will still have to pay out-of-pocket for anything beyond the sub-limit even if the overall limit has not been exceeded.


Watch out for exclusions.

Similarly, understanding the language around exclusions is crucial to ensuring that a cyber insurance policy is worth the premium.

"Understand the insuring agreements to be sure you have the coverage you are looking for and then check the scope of the exclusions. Exclusions for minimum security standards can kill all best efforts," says Brian Branner, executive director of strategic alliances for RiskAnalytics.

Establishing clarity about vague standards for those types of exclusions is also important.

"Have counsel review for broadly worded exclusions such as 'breach of contract'--a data breach is just that and the reason you are buying the policy," Jaeger says.

In the same vein, if there are exclusions for security standards not being met, it is important to get in writing specifically what those minimum standards are, in order to avoid heartache in the future. This may require more discipline on the risk management and visibility front for an organization, both in the evaluation stage and later, when proving that the standards have been met.

"Enterprises should also understand that the more risk they transfer to an insurance carrier the more visibility into that risk they must provide," Braunberg says. "This can require a fairly intensive evaluation of security practices and potential vulnerabilities."


Retroactive dates are important.

As an organization negotiates its policy, it should fight to get retroactive coverage as far back as possible, says Jaeger, given the low-and-slow attack tactics of criminals these days.

"The breach may have started a year or more ago and you don’t know it. This date will protect you if the forensics determine you were breached prior to purchasing the policy," he says, explaining that it is common for a forensics investigation to find breaches that started more than a year before the investigation began. "In these breaches, the attackers are often deeply embedded in the network, which dramatically raised the cost to investigate and contain the breach, as well as the damage done by the attackers."


Look for services benefits.

When vetting insurance providers against one another, things like premiums, limits, and exclusions will all be of utmost priority. But don't forget to consider other benefits on the table such as included security services or those offered at a discount to policy holders.

"A few of the insurers have recognized that they can reduce their own risk by enhancing the cybersecurity of the firms they are insuring," Jaeger says. "As a result, these firms are now providing security education and proactive services to their insurance clients. Other insurance firms provide vetted lists of cybersecurity firms to their clients for both proactive security projects and incident response services." 

In the latter case, though, make sure that, if it matters to you, the policy still lets you hire your own people during an incident.

"Make sure you can hire your attorney or forensic partner in the policy versus being limited to use of firms identified by the insurer," he says.


Get a great broker.

Time and time again, the experts who weighed in on best practices for procuring cyber insurance hammered on the importance of an experienced and specialized broker in guiding the process.

"It is every insurance carrier’s job to limit coverage and charge a healthy premium. It is the broker’s job to get the lowest cost while expanding and customizing policy wordings/coverage specific to each insured," says Branner. "If your broker lacks in-depth expertise in this subject area, which is common outside of the top ten brokers, then you may just end up with a policy that will disappoint you in time of a claim."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
