With data breaches mounting and with regulation putting companies under increasing pressure to protect customers' data, is it time to insure yourself against a data breach? Cyber-insurance may carry some surface appeal, but it harbours some hidden complexities that you should be prepared for.
Only 29% of senior UK executives have cyber-insurance, compared to an average of 38% worldwide, according to NTT’s 2018 Risk:Value report, which polled 1800 senior non-IT decision makers worldwide.
Given the prevalence of high-profile data breaches, why aren’t more people getting coverage? One reason could be that it’s still a relatively young industry with a lot of uncertainty on both the insurer and the client side.
Cyber-insurance only really began in the early 2000s, which isn't surprising given that the web was barely a decade old at that point. As a conservative industry not known for playing fast and loose with actuarial tables, insurance has been grappling with one of the fastest-moving segments of an already accelerated industry.
The US seems a little more evolved than the UK in cyber-insurance adoption. 54% of US respondents had a dedicated cyber-insurance policy, suggesting that insurance companies and clients alike there are slowly figuring out how to agree on contracts that cover cyber-risk.
The dangers of cyber-insurance disputes
Nevertheless, even in the US the mismatch between insurance companies and their clients over cyber-insurance has resulted in some nasty disputes. In 2015, insurance company Columbia Casualty complained about its client, Cottage Health Systems, after it left tens of thousands of patient files exposed on the Internet when security on one of its servers was disabled. Columbia argued that the company had failed to follow minimum cybersecurity measures laid out in its insurance policy.
Other cases have seen clients suing cyber-insurance providers. In 2016, the State Bank of Bellingham prevailed in court against insurance firm BancInsure, which had said that a breach at the bank shouldn’t be covered because it stemmed from an employee mistake. Law firm Moses Afonso Ryan sued its insurer Sentinel Insurance, which refused to compensate it for $700,000 in lost billable fees after a ransomware attack. Sentinel’s response said that the policy form “speaks for itself.”
Insurance companies are working on standardising their approach to insuring against cybersecurity risks. In the UK, insurance broker Marsh collaborated with the government in 2015 to create some best practice guidelines for cyber-insurance providers and their clients. These included a suggestion that insurers mandate the government's Cyber Essentials cybersecurity guidelines when negotiating contracts.
In 2016, Chubb launched CyberCOPE, an attempt to map traditional risk evaluation models to cybersecurity operations. And last month in North America, Marsh launched a program called Cyber Catalyst to evaluate cybersecurity software and technology sold to businesses, according to a report in the Wall Street Journal.
Time to buy?
As these efforts to normalise cybersecurity insurance play out, should you get cyber-insurance? Given that data breaches are a clear and present danger for almost any business, it certainly couldn't hurt to explore it. However, you should be aware of the difficulty in getting appropriate coverage from nervous insurers, each of which may have its own risk tolerance and approach to the topic.
Avoid using cyber-insurance as a way to compensate for inadequate cybersecurity governance in your organisation. Work hard to implement robust cybersecurity measures before having conversations with insurers.
Pay extra attention to what your policy will cover, and what will be left out. For example, does the policy cover only those costs arising directly from an information security breach, or will the insurer also cover the costs of the consequent data loss, such as credit protection for customers, regulatory penalties, lost business and lawsuits? While 38% of firms had insurance policies in the UK, only 33% were covered for both, the NTT survey pointed out.
Having a mature cybersecurity operation will make it easier to meet the insurer’s benchmarks when negotiating a contract. Understanding the parameters of the contract will help you manage your own risk. And both will make it easier to get a payout should disaster strike.