CyberSecurity Insurance is growing in popularity, and many organizations are beginning to consider CyberSecurity Insurance as a mechanism to transfer the risk of losses associated with data breach and data loss events. If you’ve looked at a CyberSecurity Insurance policy lately, you know it’s confusing to figure out what is covered in the policy and what’s excluded. For the security practitioner this confusion is compounded by the frustration that you are often dealing with an Insurance Agent who is not versed in security or even IT. NuHarbor has assisted many organizations in navigating the “muddy” CyberSecurity Insurance landscape, and here are 9 topics to consider when evaluating a CyberSecurity Insurance policy.
I’m going to break down this article into three parts:
- What is CyberSecurity Insurance,
- What CyberSecurity Insurance is not,
- Topics to consider when evaluating a CyberSecurity Insurance Policy.
What is CyberSecurity Insurance?
CyberSecurity policies break down into First Party Coverage and Third Party Coverage.
First Party Coverage includes direct coverage for losses related to CyberSecurity events. Examples:
- Security Breach, which includes the cost to restore systems.
- Breach Incident Management, which includes costs related to public communications; legal guidance (lawyers have to be pre-approved; otherwise a lawyer will be appointed for you); credit monitoring costs; forensic investigations (an important point for PCI Merchants).
- Loss of Income, which covers a sustained outage over a certain period of time for which you can prove fiscal business losses were incurred.
- Extortion, which includes ransom fees paid (think CryptoLocker on a grand scale).
Third Party Coverage includes indirect coverage for losses related to claims made by third parties. Examples:
- Privacy Liability, which includes legal fees related to defending events such as individual or class action suits related to the breach.
- CyberSecurity Liability, which covers losses to another person’s computer system caused by your data breach. One example might be a breach of customer login information that has led to fraudulent purchases at another Company, and that Company is suing for losses. Tough to prove, but I suppose it’s possible.
- Copyright or Trademark Infringement, which covers losses related to the legal defense of Copyright claims.
What CyberSecurity Insurance is not.
Companies buy cyber insurance for many reasons, including the transfer of risk, whether it’s the risk of a new business venture or of operating in a high-risk industry vertical. Companies should not buy a cyber insurance policy to replace a non-existent or weak security program in the organization. Organizations that buy cyber insurance policies for known security weaknesses and do not completely understand the policy coverages run the risk of non-payout in the event of a data breach or security incident.
I highly recommend working with your Legal Team to navigate your Insurance Policy and play out a couple of Black Swan scenarios to determine whether your policy would pay out (consider this a table-top exercise for your CyberSecurity Insurance). If your Information Security Program is weak, you might find the money spent on Insurance is better spent on new Security Technology or GRC tools.
Topics to consider when selecting a CyberSecurity Insurance Policy.
1. Buying the hype. CyberSecurity Insurance is a hot topic nowadays. All of the high-profile data breaches in the news, coupled with Executive angst, create an interesting market for this product. Resist falling into this cycle. An investment in CyberSecurity Insurance should be a judicious and purposeful selection that complements your Information Security strategy and program. At a macro level this policy might make sense. At a micro level, the technical landscape might add a lot of complexity. For example, your policy might require you to maintain appropriate perimeter security controls. If your security team is out of the office and no one is managing the rule set on an Intrusion Prevention Device, and data is subsequently lost in a breach, then depending on your policy verbiage you might be excluded from coverage because you weren’t maintaining your Security Posture. This nuance of Security management might be outside the purview of your executive team, so it’s important that everyone moves in a coordinated way to maximize the benefit of the Insurance Policy.
2. Your broker. CyberSecurity Insurance Policies are new within the last few years, and they are still changing today based on the laws, regulations, and risks in the Security field, and on emerging technology. You might have been with your Insurance Broker for a long time, but if they are not up to date on the CyberSecurity Insurance provisions and are unable to articulate the value of the coverages in a contextually relevant way, you might want to shop around. It’s okay to shop around and get another data point from a different Broker; all of these data points help you make a better decision.
3. Complexity of the policy. CyberSecurity Insurance policies have a reputation for being very complex. There’s no good way around this except to put in the time to understand coverages, coverage limits, definitions, exclusions, etc. Your Broker should be able to explain everything in lay terms. If you are able to do so, consider including the legal team in the conversation to help navigate the contract and coverage verbiage and the policy’s relevance to the landscape of your Information Security Program.
4. Underwriting Surveys. Underwriting surveys are usually administered before an Insurance Company actually issues a CyberSecurity Insurance Policy. Your insurance company will usually collect some preliminary data about your Information Security Program. It’s important you answer these questions honestly because an inaccuracy that becomes the pivot point for a data breach or loss could be interpreted as a misrepresentation in the application process excluding you from coverage. From experience, these surveys are challenging to answer because they are often “grey” in nature and the security control questions are often less onerous than even the PCI-DSS (which a lot of people consider the minimum level of security for any business). The Insurance Company does this for a reason, and it’s usually to get you to over-provide data points for evaluation and underwriting. It’s important to know your scope and ask the right people for clarifications when you are unsure on a topic area.
5. Working with your providers. Most companies have business partners (third parties) they are familiar with working with. Your Legal Department has outside counsel they prefer, your Public Relations department has external firms they like to work with, and Security teams have Digital Forensics firms they know and prefer to work with. In the event of an incident, your Insurance Firm will provide a list of approved Lawyers, Public Relations Firms, and Digital Forensics firms with pre-approved rates that you can select from. If you are interested in using your existing professional contacts, you can check whether your business partners can be pre-approved by your Insurance provider to assist should an incident happen.
6. Selecting the coverage. This can be a tricky topic. Based on all the coverages available (common coverages are listed above), you need to select how much of each coverage you need or want. Some of the larger CyberSecurity Insurance providers will give you premium discounts if you can prove you have a mature process in-house. For example, if you have a strong Public Relations department that could competently message externally in the event of a data breach, your insurance provider might offer a discount on the insurance premium. There are a couple of expenses you can’t avoid; for example, after a data breach on PCI systems the PCI-DSS requires an independent forensic investigation, and that’s an expense you can transfer via CyberSecurity Insurance. For other coverage areas, you need to measure your risk tolerances and decide which coverage areas and amounts are important to you and your Company.
7. Understand Exclusions. As with any insurance, it’s important to understand what is not included in your insurance policy, but it’s even more important to understand what events exclude you from coverage. One example I often see: any data that is not encrypted and is subsequently lost in a data breach is excluded from coverage. As most security professionals know, encrypting data is one thing, but managing the encryption keys and their associated crypto-periods is equally important. Your insurance underwriting survey (#4 above) isn’t going to cover this aspect of data security, so it further underlines that the Security, Legal, and Insurance teams need to be moving in lockstep and communicating often to navigate nuances such as encryption key management.
9. Payment of Claims. Well, this is why you’re buying a policy: to receive compensation when you file a claim. Your insurance policy isn’t going to be much assistance if your Insurance firm has a history of not paying out. You should inquire with your Insurance Broker as to what the payout process looks like and how disputes are normally handled.
CyberSecurity Insurance Policies are still in their infancy and will be maturing for the next few years, and I expect they will become very mainstream one day. Today, these policies are incredibly complex, and you shouldn’t be in a position where you feel confused about your coverages and exclusions. If you find yourself in this position, it might be time to start seeking a new Insurance Broker who will explain everything clearly and concisely, in a way that the Security, Legal, and Risk teams can all understand the value being received for the money.