The cyber insurance market is still relatively in its infancy. The first policies were introduced in the early 90s with the onset of the internet, and it had quite a slow take-off. This was most likely due to a lack of perceived risk. With the explosion of technology, cyber-attacks increased, but cyber insurance probably only reached more relevancy in 2014/2015.
When you look at the fact that cyber-attacks have become a weekly occurrence in our lives, it begs the question: where is cyber insurance right now? As a market, cyber insurance is probably worth £5.5 billion, which is astounding. With the increase in cyber-attacks, more insurance companies are jumping onto the cybersecurity bandwagon.
What does cyber insurance include?
The two key areas to consider are 1st party and 3rd party aspects. 1st party insurance relates to your own cost, e.g. investigation services, interruption to business, and data recovery. 3rd party insurance includes everything mentioned under 1st party insurance but also includes the liability to the client.
RSA got breached a few years ago because hackers were after the details of Lockheed Martin. Even though RSA got hacked, it was Lockheed Martin who may have paid a heftier price as their data and reputational damage was compromised. If cyber insurance were then what it is now, then all parties you hope would have been covered. But would they? Think of the cost to pay out for Lockheed Martin via RSA’s insurance. Would the insurers have paid?
I remember another cybersecurity company called Bit9 getting hacked, and perpetrators managed to access sensitive client information via compromise of Bit9’s whitelisting certification system. In this case, you want a cyber insurance company to cover both your costs, as well as the costs of your client. If you have thousands of clients, the damage could be enormous, and the cost of covering such a claim could be crippling for an insurance provider. Based on all the legal jargon and loopholes covered in a contract of this nature, it would be interesting to see whether an insurance company would pay up. There would be pages of loopholes to mitigate having to pay out. They have to do the due diligence beforehand to ascertain the amount of money it could set them back in the worst-case scenario.
We have seen that costs of insurance, in general, are going up exponentially. It is not a straight line. I have taken the time to compare costs for Q1 2020 to Q1 2021. It was a steep curve, and the numbers are soaring up. The cost increase makes sense when you take into consideration what is happening with ransomware.
What insurance companies are, and are not, covering is all a big mystery. It is almost shrouded in a cloud of secrecy as they are not open about their activities. When you compare cyber insurance to car insurance, you see a similar trend; the consumer is in the dark about how payments are determined, when payments are made and how the premiums get calculated. Statistics show that individuals that have claimed in the past are more likely to claim in future. Which is really stretching the maths to the advantage of insurance companies. They are looking at generic scenarios to increase premiums instead of looking at individual circumstances.
I am a little untrusting when it comes to insurance companies as I view them as a necessary evil. Cybersecurity is such a complex beast and what they require is a comprehensive understanding of how to identify blame, risk, and cost. These concepts are subjective and require expertise in cybersecurity to estimate. I have yet to be convinced that insurance companies fully understand the market they are getting themselves into. I doubt if they have the statistical data to deliver an accurate assessment such, I am curious to see how valuable cyber insurance will be going forward.
What are the key areas to consider when pricing up a premium?
Cost to self and cost to 3rd parties are typical things covered by insurance companies. They even talk about blackmail payments these days. There are laws, particularly in the US, which stipulate that you should not be paying ransoms. Some insurance companies allude to the fact that they will cover ransom payments, but will they really? Ultimately, there will be a clause stipulating that they will pay, as long as it is legal. I have seen cut-and-dry cases where the client was supposed to get a pay out, and the insurance company found a reason not to pay. This has happened on more than one occasion, so I am hesitant to promote cybersecurity as an option.
What is the benefit of spending more money on security if insurance will cover the fallout?
Cyber insurance is not a get-out-of-jail-free card!
Insurance companies say they will pay for anything that is not caused by human error. But what isn’t caused by human error? When you think about this in terms of breaches, what is not human error? When you get phished, that is human error. You need to be more aware of phishing emails. When there is a system vulnerability or flaw, and it gets breached, the insurance company could argue that you should have patched the systems sooner. Because you did not patch within a 1-week timeframe, that will be considered a human error, and payment might not be made.
I have a suspicion that when a claim is very high, that is when the negotiations will start. Should the claim amount to £40 million, the human error card will most likely be played. They may, however, settle a smaller amount to circumvent bad press. Insurance providers can always find a reason to say that they will not pay. But if they do that continually, word would get out, and people would stop buying their premium, which will hurt them financially. However, when a certain number is reached, a caveat will be introduced, and the negotiations will start.
Are insurance company pay-outs subjective?
There is human bias when it comes to making fair decisions and calculations. How do you put a percentage of blame on an activity? Especially when you are using systems that were coded by people. Does that automatically imply that the fallout should be attributed to human error?
Should there be prerequisites from insurers giving out policies?
Yes, companies already expect you to complete a series of questions before “onboarding” you as a client. The US company, AIG, is a prime example. Through a series of questions, they try to establish the cybersecurity culture of the organisation, risk appetite, and what kind of security is in place. If the answers are not great, it won’t necessarily mean they won’t payout. The compensation may, however, be reduced. This is based on the fact that you have not been diligent, which is fair. When you are pouring thousands into your cybersecurity provisions, you should not be paying the same premium as a company that doesn’t and flies by the seat of its pants. That does not seem right.
Keep in mind that insurance companies need to make a profit. The cost of asking a few questions is not too harsh. But if they wanted to take it a step further and do a risk assessment, the greatest consideration would be the cost they would have to pay a company like Samurai Security to do the assessment. The cost would have to be recouped through their monthly premiums, and they may lose clients that way. The consideration will always be around how much the insurance company stands to lose should they go the extra mile and initiate a risk assessment. It is a tricky one. I’ve not found a decent case history for when insurers will and will not pay, and therefore it is something I would simply not trust at this point.
There are things an insurance company is unable to cover, like reputational damage. If your company gets breached, it will cost a fair amount to get your systems back online, and you could lose business since you are not trading during that timeframe. When the breach results in someone taking legal action against you, the insurer may pay for that too. But when the dust has settled, other organisations may look at you and decide not to do business with you because they don’t trust you. That is probably the most significant loss of all, and no insurance company will cover you for that.
Sometimes it is tempting to be disingenuous to get the lower premium. But when a post-breach investigation determines that you have lied, your insurance will be invalidated. The insurer will send loss assessors in, and they are not necessarily there to help. They are there to apportion blame and reduce the pay-out. Should you be to blame, you are not going to get the money. Just be prepared that someone will be snooping around and unearthing the truth.
What would be the minimum level of acceptable security you would consider should you start your own cyber insurance company?
I would probably take the easy option. I would be nervous about insuring a company that did not have a meaningful certification obtained from an established body. I would expect larger organisations to carry at least an ISO 27001 certification, and smaller companies need at least Cyber Essentials+. Without those certifications, you would have to pay a much higher rate. I would also probably be building in the same loopholes as insurance companies. You don’t want to be put out of business when a company you are insuring is getting hacked! You need to set yourself up for survival. I can therefore understand why insurers are operating in the way which they are. You cannot buy your way out of risk. There is a limit to how much risk an insurance company will allow you to transfer to them. Be extremely careful about your perception of your insurance cover and protection.
I think I read somewhere that when seatbelt insurance was introduced, the number of accidents increased because people became more negligent. They knew they were protected. Their risk appetite increased, and people started doing more stupid things. Maybe the same theory holds for cyber insurance: you will gamble more with the perceived risk and not put the usual measures in place. And when that bad thing does happen, and the insurance does not cover you for it, then the perceived safety of having cyber insurance got you hacked and into trouble! The very reason that you have insurance made you more vulnerable to get you breached.
It is so important to read the fine print of these policies. Know the get-out-clauses. Know where you are and where you are not covered so that you can know exactly where you stand in the unfortunate event of an incident.
A word of caution
I phoned an insurance company as a prospective client once to try and decipher the terms of one of our clients. Almost every answer to each question I asked was prefixed with the words ‘it depends’. And even when you try to qualify and quantify a phrase from their policy documents, you get an even more verbose and wishy-washy answer. The terms, and the way it is written, is incredibly subjective. It almost comes down to the goodwill and discretion of the insurance provider about whether you are covered or not. It boils down to the business an insurance provider may lose for not paying versus how much it will cost if they do pay. And they will continue to try and match those sums – it’s purely a business decision.
The bottom line is: don’t rely on cybersecurity to dig you out of trouble if you get breached. Do not change your behaviour from being sensible to risky because you have cyber insurance. If you have the insurance, treat it as another tool in your cybersecurity arsenal, as it will mitigate some risk. But put everything in place to prevent a breach from happening. Cyber insurance does not replace the need to have your cybersecurity basics covered. Allow common sense to prevail; insurers can’t pay-out in every situation. There is no silver bullet, no panacea.