Former FBI Director Robert Mueller once said, “There are only two types of companies: those that have been hacked and those that will be. Even that is merging into one category: those that have been hacked and will be again.” This is the environment in which risk managers must protect their businesses, and it isn’t easy.
Cyber risk is not an IT issue; it’s a business problem. As such, risk management strategies must include cyber risk insurance protection. Until recently, cyber insurance was considered a nice-to-have supplement to existing insurance coverage. However, following in the wake of numerous, high-profile data breaches, cyber coverage is fast becoming a must-have. In fact, new data from The Ponemon Institute indicates that policy purchases have more than doubled in the past year, and insiders estimate U.S. premiums at around $1 billion today and rising.
But is a cyber policy really necessary? In short, yes. As P.F. Chang’s China Bistro recently discovered, commercial general liability (CGL) policies generally do not include liability coverage to protect against cyber-related losses. CGL policies are intended to provide broad coverage, not necessarily deep coverage. Considering the complexity of cyber risks, there is a real and legitimate need for specialized policies that indemnify the insured against cyber-related loss and liability.
The fact is, cyber risk is a problem all its own. The cyber threat is pervasive, and attacks are increasing exponentially. Cyberattack trends are also shifting constantly. An attack can come from multiple directions and in multiple forms, targeting different information and outcomes: an attack launched by a hacker group intent on making a political statement, malware that enters the network through a third-party service provider to steal credit card information, or a data breach perpetrated by a trusted insider seeking competitive intellectual property (IP).
In this complex, dynamic threat landscape, the ability to accurately assess risk becomes a monumental undertaking. If we accept that every organization has been hacked or will be again, it’s clear that prior incidents are no longer relevant or legitimate indicators of a company’s risk. Similarly, stagnant security checklists required by many insurers are hardly representative of actual, ever-changing cyber risk. Traditional risk assessment methodologies that rely on these elements to determine pre-binding risk simply have no place in today’s world.
Risk assessment for the cyber era
The industry needs assessment methods consistent with the changing threat landscape. That means real-time, active assessment of an entity’s entire business ecosystem including upstream and downstream threats, as well as the often overlooked insider threat. What this provides is a holistic understanding of an entity’s vulnerabilities, high priority risks and security maturity.
In the current cyber environment, it’s implicit that every organization will be the victim of a cyberattack and that there will be some cyber loss as a result. Thus, savvy underwriters are looking beyond mere ticks on a checklist to determine insurability; rather, they’re looking for security maturity and cyber resilience.
The more cyber resilient an organization, the faster it can identify a cyberattack, stop it and recover from the impact. Data loss is expected. It’s the severity of the data loss that will impact the company’s business, damage its brand and customer loyalty and erode investor confidence. Those organizations that can quickly and effectively minimize the risk and get back to business are generally considered a safer bet.
This is where organizations can realize the benefits of holistic cyber insurance assessment. All too often, critical data is uncovered after a breach occurs. By implementing a proactive risk assessment before an attack occurs, the organization can gain in-depth intelligence about its highest priority risks before an incident, not years later when it’s too late to do anything about it. A pre-binding assessment provides the right data at the right time to inform risk management decisions and align resources with an organization’s highest priority risks.
Additionally, organizations that adopt continuous proactive assessment and ongoing risk mitigation demonstrate mature security practices, which indicate an organization’s ability to return to regular operations faster following a cyber incident.
Partners against cybercrime
Historically, there has been an antagonistic relationship between the insurer and client, but in the wake of catastrophic data breaches, these two sides are now finding common ground. For instance, several insurance brokers today are requiring a holistic, pre-binding risk assessment before a company can receive a policy. This benefits both the insurer and the pre-insured by providing invaluable insights about the company’s security, often revealing unexpected weaknesses and new priorities. Some policies also tie risk assessment to financial incentive to encourage ongoing risk mitigation. This becomes a virtuous circle situation for the insured, as it gets the benefit of reduced premiums after risk maturity has been measured, which allows the company greater insight and the ability to be proactive about reducing security risks.
For decades, the bargaining power has been with the insurer. With a revised approach, and in keeping with the demands of today’s cyber landscape, the relationship between insurer and insured has become collaborative as both sides work together to identify and mitigate risk. In this way, cyber insurance becomes an avenue for companies to improve cybersecurity, not to simply offset risk.
Authored by: Nick Fearon, executive associate and senior practice leader, cyber insurance at Miller Insurance Services, LLP and Natalie Lehr, co-founder and vice president of analytics for TSC Advantage. Previously, Natalie held roles in U.S intelligence and security.