Cyber Insurance in Perspective
Cyber insurance is relatively new compared to more traditional business insurance products. When underwriting many insurance policies, carriers can quantify risk with relative ease, relying on decades of reliable data and using tried-and-true actuarial models and tools. But in the cyber domain, where reliable data isn’t readily available, risk is much harder to quantify. Threat actors are resourceful and agile, adjusting quickly to defenses and rendering historical data less relevant. New vulnerabilities appear even more rapidly, making cyber risk a constantly moving target.
When you add it all up, you have something more akin to the wild west than to the staid image of the traditional insurance world. In today’s enterprise, chief information security officers (CISOs), along with the entire executive team, are on the frontier when it comes to insuring against cyber risk.
In late 2021, Rain Capital convened a panel of 14 CISOs from multiple industries to discuss cyber insurance trends and risks. The event included two attorneys with expertise in cyber insurance: Charisse Castagnoli, adjunct professor of law at John Marshall School of Law, and Judy Selby, a partner with Kennedys, an international law firm. Castagnoli focuses on information security, approaching risk from a legal and data privacy perspective, while Selby focuses on insurance matters, particularly emerging technology, digital, and compliance risks. Selby also authored the book “Demystifying Cyber Insurance.” (This is the second of three posts on the presentations they gave the group and the discussions that ensued. The first post focused on ransomware risks.)
Overall, there are no easy answers when it comes to cyber insurance. The underlying dynamics driving turbulence in the cyber insurance market (rapidly evolving risk and market immaturity) won’t change in the foreseeable future. However, there are a few steps CISOs can take to mitigate uncertainty amid this challenging climate. They are:
Perform an annual review to normalize policies
Work with legal counsel to understand cyber insurance coverage
Digest the fine print
Understand the exclusions
Operationalize policy requirements
Create important relationships in advance of an attack
Do your best to control premiums
We’ll dig into each of these in the sections that follow.
Perform an Annual Review
Most companies have a variety of traditional insurance instruments, including business interruption, commercial general liability (CGL), errors and omissions, and criminal acts/fidelity. Some or all of these may include coverage that applies to a cybersecurity incident. Enterprises should evaluate their entire insurance portfolio annually, ensuring that their policies dovetail effectively. To that end, the panel recommended that companies engage outside legal counsel and perform a coverage gap analysis. Selby said enterprises should use an insurance lawyer with cyber expertise rather than a cybersecurity lawyer who has some insurance expertise.
As Figure 1 illustrates, insurance coverage generally falls into two categories: Third-Party Coverage and First-Party Coverage. Figure 1 includes examples of first-party and third-party coverages that you can use as a guideline when discussing cyber insurance coverage.
First-party coverage applies to the organization’s risks on its own systems, typically including losses related to ransomware. As a part of first-party coverage, many policies cover the cost of managing and recovering from a breach. Third-party coverage applies when a company’s action or inaction harms a third party, such as a customer. Most modern enterprises cannot avoid third-party risk. Any organization dealing with personally identifiable information (PII) or personal health information (PHI), or doing business in a jurisdiction with significant privacy regulation, is exposed to substantial third-party risks.
Understand Cyber Insurance Coverage
Depending on the policy, cyber insurance can cover the following across those buckets:
Vendor acquisition: Hiring forensic investigators and the like is usually covered, and many insurance companies have a stable of approved vendors with negotiated rates they work with regularly. Enterprises with a preferred vendor can work with the insurance company to get that vendor on the list as a part of the policy. In either case, identifying vendors upfront is preferable to shopping for one while under attack.
Legal representation: Retaining attorneys to deal with regulators and to run the incident response effort is often covered.
Costs and awards from lawsuits: Litigation costs are typically covered, subject to policy limits.
Regulatory fines: Similarly, costs related to regulatory investigations and fines are typically covered, although the applicable law may preclude coverage for fines and penalties.
Notification costs: Required breach notifications to customers, regulatory agencies, and others are typically covered.
Public relations costs: Coverage for hiring a PR firm to manage communications about the incident is common across many policies.
Customer support: The cost of providing credit monitoring services for affected customers is often covered.
Incident response costs: External costs are covered, such as engaging an incident response specialist. Internal costs, such as an organization’s internal investigation and response efforts, are not.
Damage to physical assets: Some policies cover physical damage if an attack causes actual harm to equipment. Many do not.
Ransomware payouts: Insurance can cover payouts, but policies often contain prior written consent requirements. And ransomware coverage requirements are changing almost as rapidly as the attacks themselves are growing. (More on this later.)
Lost income: Ransomware and other attacks can interrupt business operations, sometimes taking them completely offline. Many policies insure against the loss of income due to business interruption.
Digest the Fine Print, Understand the Legalese
While all of this sounds great, it’s the fine print of the policy that determines whether a policy fits your needs. And there is rarely a one-to-one relationship between a security incident and a single type of coverage. Incidents often invoke multiple coverages and lead to follow-on issues that invoke other coverages. Ransomware attacks now commonly include a data breach, for example, with the attacker threatening to publish the stolen data unless the victim pays a ransom.
Given these complexities, it’s crucial to understand the relevant definitions in the policy and how they apply to the actual risks the organization faces. Examples include:
Regulatory Fines: Most cyber policies provide coverage for regulatory investigations, fines, and penalties, but coverage may be limited in an event arising from a security incident or data breach. Under the GDPR and other privacy laws, enterprises can face regulatory risks unrelated to a security incident or breach. Enterprises handling PII or PHI need to confirm that a given policy applies to a violation of any applicable privacy laws.
PCI DSS Violations: Violations of the Payment Card Industry Data Security Standard (PCI DSS) often come with what a reasonable person would consider a fine or penalty. But a recent ruling by the Fifth Circuit court held that PCI DSS fines weren’t “fines” but “assessments.” Whether a policy covers such “assessments” may come down to the relevant definitions in the policy or in legislative acts. For example, some states are moving to codify PCI DSS, which would provide a stronger case that PCI DSS fines are “fines.”
Remediation Costs: Cyber policies typically provide coverage for data restoration to get the company back to its pre-incident condition. But in some cases, that may not be feasible. Equipment may be damaged or no longer available. Or it may be more economical to upgrade systems in the recovery process. Organizations that want those options should ask for “bricking” coverage, which can cover the costs of replacing systems that malware damages permanently.
Understand the Exclusions
In addition to understanding the relevant definitions, enterprises need to understand the specific exclusions in the policy and how those exclusions relate to their internal operations and risks. Examples include:
Who’s covered: Some policies can limit coverage for enterprises doing business with other companies. If a third-party payment processor you use is hacked, and someone sues you as a result, are you covered?
Knew or Should Have Known Provisions: Cyber policies may preclude coverage where the insured “knew or should have known” of undisclosed prior events or circumstances that could reasonably result in a claim under the policy.
Operationalize Policy Requirements
Most cyber insurance policies have specific process requirements for notifying the carrier of an incident and triggering coverage. Given these requirements, both Castagnoli and Selby stressed how important it is for CISOs to operationalize these requirements within their companies. Security teams should make policy requirements a core component of the incident response plan, ensuring the organization doesn’t make crucial mistakes in the chaos during an incident. Examples include:
Notification: Under many policies, the carrier’s duty to pay doesn’t trigger until the insured organization gives the carrier notice as specified in the policy. Some define whose knowledge of an incident or event will trigger notification requirements.
Authorization: Most policies require the insured to get prior approval from the carrier before hiring incident response vendors, making ransomware payments, and so on. Security teams should bake specific directions into their IR plan.
Approved vendors: As we said earlier, many insurance policies require the use of specific incident response companies, ransom negotiators, and so on. Enterprises should vet and choose from that panel in advance or negotiate to include their preferred vendors. (More on this later.)
Contact info: Contact information for the insurance broker, legal counsel, and the service providers that the company plans to use should be readily available in the IR plan.
Create Important Relationships In Advance
Being prepared for an attack also means creating relationships with the relevant players well before any attack. As Selby said several times, there’s nothing worse than starting a search for a preferred IR vendor or figuring out which law enforcement people to contact while the house is on fire.
Both Castagnoli and Selby strongly recommend using peer networks, talking to insurance brokers, and creating a relationship with an attorney specializing in incident response. As attacks continue to spike, these relationships will be increasingly important because the well-known and reputable firms are extremely busy, and availability is a significant problem. If your insurance carrier has a list of approved vendors with negotiated rates, vet those vendors, pick your preferred vendors, and build a relationship with them as soon as possible.
Anything CISOs can do to build relationships and communications channels in advance will make the initial response to an incident easier. Examples include:
Law Firms and IR Vendors: Enterprises need to choose law firms and IR vendors with relevant industry experience. Handling breaches in the healthcare industry is different from handling breaches in the oil and gas sector. It’s also important to consider the expertise of the IR firms. Some may be well-versed in handling incident response for on-premises systems but not as effective for cloud-based systems.
The Carrier: Many carriers offer loss control services to their clients, sometimes free or for a negotiated rate. Some allow CISOs to meet with a breached company to learn from its experience. Some also include getting an approved incident response company to review and provide input to the organization’s IR plan.
Law Enforcement: CISOs should identify the law enforcement representatives they need to call in the case of an incident, making their contact information a part of the IR plan. Finding the right FBI agent to notify is a must, for example, as is the SEC representative for a public company (in the case of a material incident). Knowing who those people are—and having a pre-existing relationship with them—will make responding to an incident more efficient.
Communications Plan: If attackers are on the network, they can monitor communications, disrupting attempts to limit the damage. CISOs should establish out-of-band communication methods ahead of time and make them a part of the IR plan. These include mobile phone numbers, email accounts on unrelated services (such as Gmail), and other mechanisms that aren’t associated with the enterprise network.
Do Your Best to Control Premiums
The recent proliferation of ransomware attacks has, of course, caused companies to file a significant number of cyber insurance claims. Due primarily to the rapid rise in insurance claims and payouts, Selby said, cyber insurance premiums in the United States and the United Kingdom rose more than 50 percent in the second quarter of 2021. In the United States, premiums increased 68 percent in June of 2021 alone.
Selby says that, in reality, cyber insurance policies were underpriced for quite some time. Because cyber insurance was one of the few new opportunities in the insurance industry, many new carriers entered the market. As carriers competed for market share, premiums were often aggressively low, and underwriting criteria weren’t very stringent. In the insurance world, this is a “soft market,” which is typified by lower premiums, broader coverage, relaxed underwriting criteria, and increased capacity, meaning insurance carriers write more policies with higher limits.
What was once a soft cyber insurance market is now a “hard market.” In addition to charging higher premiums, carriers are strengthening underwriting criteria and applicants are getting more scrutiny. Carriers are narrowing coverage for losses and putting caps on payouts. Some insurers are now utilizing ransomware-specific supplemental applications and reducing ransomware sub-limits.
In more traditional insurance markets, hard and soft market cycles last two to ten years. But because the underlying threat of ransomware and other security incidents is proving very difficult to prevent, Selby says these trends won’t likely improve for some time. In other words, enterprises should anticipate a hard cyber insurance market for the foreseeable future, which only increases the impetus to control claims as much as possible.
There are, of course, the basic controls over insurance premiums: overall policy limits, deductibles, and self-insured retentions, all of which are subject to negotiation. As long as it doesn’t violate any contractual requirements, reducing policy limits can lower premiums, but a realistic risk assessment must inform any reduction. Likewise, retentions can lower premiums by shifting risk back onto the insured. (Anyone looking for a good explanation of the difference between retentions and deductibles can find one here.)
When it comes to cyber insurance premiums, Selby and Castagnoli discussed these recommendations:
Implement Demonstrably Strong Controls: Enterprises must have demonstrably good controls in place to get coverage. Companies that don’t have two-factor authentication in place are unlikely to get coverage, for example. Showing that the company is a lower risk is helpful, and companies can improve their negotiating position by demonstrating strong controls.
Train Employees: Likewise, effective security awareness training can help make a case for lower risk. Training programs backed up by analytics that give enterprises real insight into the human risk in their employee population can make progress more demonstrable. (We discussed Living Security’s approach to this issue here.)
Look for Duplicative Coverages: As we said earlier, insurance portfolio reviews can often reveal overlapping coverages across multiple policies. Organizations may want to eliminate cyber endorsements in a general liability policy in favor of a cyber insurance policy or shape the cyber policy so that it doesn’t overlap the general liability policy.
Get Appropriate Coverage: Per our earlier discussion on understanding the relevant definitions and reading the fine print, CISOs should ensure they’re not paying for coverage they don’t need. Policy reviews can help make sure companies only pay for what they need.
Unfortunately, more than a few of the CISOs in the discussion indicated that the underwriters they’re dealing with don’t understand the differences in underlying data or how third-party interactions impact risk. Many companies in our forum use third-party payment card processors, for example, and never see credit card data. Still, underwriters push companies to buy coverage as if they process payment information directly.
Selby agreed that underwriting expertise needs to increase. But in the meantime, both Selby and Castagnoli recommend working with an insurance lawyer with cyber and privacy expertise to review policies and identify the right coverages.
Conclusion
The cyber insurance market is immature, and the risks insurance attempts to cover are evolving rapidly. Consequently, buying and managing cyber insurance will be a challenging task for the foreseeable future. While it won’t be easy, enterprises can make the job a bit easier by following the advice we gleaned from the panel. In the third and final post on this subject, we’ll examine the legal issues around maintaining attorney-client privilege in the midst of responding to an incident.