Cyber insurance is quickly emerging as an important cyber security complement to traditional security mechanisms for small, medium, and large enterprises
In a time when data breaches are commonplace, and even the largest and best-resourced businesses fall victim to hostile cyber activity, cyber insurance is a necessity. Cyber insurance functions like other traditional insurance policies, guarding against digital theft and/or damage, depending on the coverage parameters of the policy. In this capacity, cyber insurance is designed to safeguard organizations from severe financial damages resulting from substantial data loss or the disruption/destruction of infrastructure that can impact business operations.
But insurance can extend beyond that. When sensitive data is compromised and exposed, some policies can address the legal action that can result. As evidenced by the class action lawsuits that have followed massive data breaches (see Target, Yahoo, Marriott, among others), organizations can incur substantial financial repercussions. Some settlement amounts have reached $29 million (Yahoo) and $4.5 million (Community Health System), and while these payments, though significant, are not back-breaking, the reputation loss can be more lasting and, in the most severe situations (the failures of Nirvanix, MyBizHomepage, and CodeSpaces), the end of a company. Given that approximately 60 percent of small businesses fold within six months of a cyber attack (according to one source), insuring against such activities can make the difference between survival and bankruptcy, particularly as cyber attack costs continue to escalate. A recent IT news article indicated that one in eight businesses is severely impacted by data breaches.
However, when it comes to cyber insurance policies, there is evidence that the language and terms are not so cut and dried and, unsurprisingly, may not clearly articulate coverage considerations. Indeed, at least one article revealed the necessity of properly and fully educating prospective enterprise customers on the nature of cyber insurance, which means both insurers and the insured need a transparent understanding of the circumstances under which organizations will and will not be covered. Reading the “fine print” of these policies is essential so that organizations do not misunderstand how cyber insurance can be applied and against what activities.
To be fair, organizations need to be up front and honest with insurers when it comes to revealing how cyber attacks occurred, what happened, and perhaps most importantly, what was victimized. Creating this transparency is essential to getting the right coverage that meets the organization’s operational needs and financial considerations. But it also requires insurers to reciprocate about their coverage parameters, as well as their ability to “cover” specific incidents. The terms insurers use to cover cyber incidents vary, calling into question the need to standardize coverage language and terminology.
Lack of common cyber terminology is a problem that extends to the national level and the global stage, and it is one of the principal reasons the international community continually struggles to find consensus on defining cyber norms for state behavior. Yet evidently, such problems exist inside the cyber insurance industry as well. For example, according to one online periodical that covers insurance issues, what one market calls “silent cyber risk,” another market calls “non-affirmative cyber risk.” These terms sound similar but may or may not provide the same level of coverage, making it difficult for prospective customers to compare policies. It is important to stress that there should be set levels of policy coverage across the industry as a whole. However, agreeing on how the industry defines cyber terms, which span a wide variety of hostile cyber activities, including disruption, destruction, supply chain attacks, and data manipulation/loss, as well as the architecture that supports organizations, should be.
Thus far, it appears that the challenge for organizations is selecting the right coverage, which consistent terminology should help support. Moreover, understanding how cyber insurance applies to an organization will also help inform how it needs to construct, revise, or revamp its cyber security posture. In all likelihood, standardization of the industry is an expected outcome over time. But one thing is clear about cyberspace as opposed to other insurance areas: the speed with which cyberspace evolves, as well as the evolution of the attack space, requires such standardization to happen sooner rather than later.
But like all things cyber, there is no one-size-fits-all security solution, and like any cyber security strategy steeped in risk management, cyber insurance is but one part of any organization’s multi-pronged posture. It is incumbent on the organization to ensure that its coverage is as tailored as the strategy it supports in order to achieve maximum benefit.
About the Author
Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals and blogs. Follow Emilio on Twitter