Insurance has long existed as a mechanism for the transferal of risk to a third party, particularly for those risks that fall outside of an organization’s direct control. However, as the threats we face evolve so must the insurance products that we purchase. Recently, the most significant dangers that have come to light and threatened to destroy a company overnight have emerged within the cybersecurity sphere. This has fueled the growing interest and appetite for cyber liability insurance.
We recently caught up with Hart Brown, a leading cybersecurity expert, to ask him about cyber liability insurance. Brown is Executive Vice President and COO of Firestorm Solutions, a division of Novume Solutions (NASDAQ: NVMM), a leading crisis and risk management firm. A former Program Director for the U.S. Department of State and a certified ethical hacker, Brown has 20 years’ experience in security, crisis management, emergency management and business continuity.
Q: What is cyber liability insurance?
Hart Brown: In the simplest possible terms, cyber liability insurance is a means of weeding out inadequate software providers and of holding people accountable for doing their job properly. Just like with any other insurance policy, there are certain conditions which must be met before a policy is issued. This helps to set a minimum bar for the cybersecurity of an organization and its suppliers. It gives you peace of mind that should you be struck by a cyber incident you will be able to access some funds to manage the response and get back up and running. Just as importantly, if you choose to only work with partners and suppliers who have cyber liability insurance it gives you the confidence that should their incompetence cause harm to your business then you will be able to successfully file a claim and get compensated. Sure, you can also try to sue those without it if you can demonstrate they were the cause of the loss. However, it won’t do much good if they don’t have the resources to cover the liabilities!
Q: How big is the market?
HB: The cyber liability insurance market is still in its relative infancy, with many insurers having only recently started selling policies at any real volume. Right now, the estimated written premiums for policies around the world are valued at $2.5 billion. Yet, Allianz estimates published in the Financial Times last year suggest the figure could grow to $20 billion by 2025. Cyber-related risks are significant, so your premium will be high too. However, that doesn’t mean it won’t deliver good value.
Q: What isn’t cyber liability insurance?
HB: Cyber liability insurance isn’t a get-out-of-jail-free card that exonerates the board from ensuring and maintaining a high level of overall security. It doesn’t take away the need to conduct the appropriate due diligence when vetting a new supplier. It doesn’t make it any less important to ensure security patches are routinely being applied. And it certainly doesn’t lessen the need for all employees to be educated on appropriate security measures. As stated above, it will enable you to access some funds in the aftermath of an incident. However, it won’t compensate you for the longer-term effects such as reputational damage, reduced employee morale and being excluded from future tenders.
Q: What should boardroom professionals know about cyber insurance? How does it work, and if the need arises, how do they file a claim?
HB: Cyber insurance can be as complex as the types of security incidents. The first thing to understand is that most cyber policies are actually a package that can include as many as 12 different coverages with various types of triggers. This brings up the need for someone to have a good understanding of all of the coverage options for both the cyber/data related online and offline risks. In addition, there are over 100 insurance companies involved in providing cyber insurance policies. Some have good experience in both evaluating and supporting the risk management efforts, and some may not. Knowing the difference can be vital if an event were to occur.
This leads into the response aspect of a policy. When a policy is triggered by notifying the insurer and filing a claim, there should be a process that the insurer will go through to provide support and assistance. This can include crisis management, legal defense, forensic investigations, forensic accountants and other support firms. Knowing which firms are already involved with the insurance carrier and how to work with them is imperative. If there is a preference for using a different firm, getting those firms pre-approved by the carrier can avoid potential claim denials. All of this information should be included in a good cyber incident response plan for any organization.
Finally, knowing how the policy is positioned within other insurance coverages and understanding how to engage each one is also important. Normally we like to perform a cyber incident exercise and then review how the insurance would or would not have been triggered. This can become a highly enlightening process and assists in recognizing potential gaps.
Q: What are the key considerations when procuring cyber liability insurance?
HB: It is critical, and difficult, to be able to translate the cyber risk into a financial model. The most complex issue with this is to ensure the financial translation is specific to the organization’s actual operations and not a simplified generalization of the industry at large. While this can be an incredibly complex process, there are financial models that can be tailored to each ecosystem, and by accomplishing this, the fiduciary aspect of evaluating the financial risk transfer options becomes possible. This includes how broad the policy needs to be, the limits, the retentions, and whether a tower of multiple carriers needs to be built.
Q: What factors do insurers take into consideration when pricing cyber insurance? What can companies do to reduce their premium?
HB: An extremely important part of the cyber insurance puzzle is how the insurers view actual IT ecosystems. This knowledge is still developing and evolving. Traditionally, the actuarial process involves reviewing a significant amount of data to create the risk model. In the case of cyber, the necessary data is not fully developed. So, the process of getting cyber coverage involves a relatively standard set of questions on general IT policies, management hierarchy, size of the IT infrastructure and type of business. These components really do not have enough depth to develop an answer to why one organization is a better risk than another.
For organizations to put themselves in a better position, it takes a few things to come together at the same time. It is possible, but the organization must have someone in a position to educate the insurance broker on why the decisions and investments made are better than everyone else’s in the sector. The broker must be able to understand this information and be able to present it to the carriers. The carriers must be able to understand this and then review how it could change the premiums or the policy language. This is all keeping in mind that most of those in the insurance industry are not necessarily IT experts.
So, at this time, it takes a few steps that not everyone is fully prepared for. However, if an organization is able to translate the cyber risk into a financial risk model, and is able to convey that information to the carrier, there is a much greater chance of being successful.
In the future, this will likely evolve and change into a more IT-knowledgeable, data-driven risk model for insurance. Once that happens, the ability to discuss beneficial treatment in the market will improve. Until then, organizations need to develop and prove that their systems are well developed in a meaningful way; they need to financially model and partner with educated, experienced cyber brokers who will in turn educate the carriers.