Given the threat posed by ongoing, successful cyber incursions that grant unauthorised access to sensitive materials and expose the people whose data is held, it would seem to make very good sense to turn to cyber insurance for an additional level of protection for the organisation, albeit a protection that is negative and reactive, paying out only after the loss has occurred.
But then I am left wondering whether such cover offers what would be considered a robust and calculated approach to provisioning the expected level of protection. So, I would like to look to the green fields, and consider the analogy of sheep.
According to the NFU (National Farmers Union) insurance company, rural crime in the UK, and in particular the theft of sheep, is running at an all-time high. Naturally, then, adequate and correctly calculated insurance cover is a critical consideration for any farmer who wishes to protect their assets and livelihood.
Based on a known count of known goods (e.g. sheep), the farmer seeking cover applies for a level of cover that robustly protects those known assets. Then, if damage, loss or theft occurs within the terms and conditions of the established contract, a claim may be submitted and, after successful review, compensation will hopefully be forthcoming to cover the loss.
So here we are dealing with an exact number, based on a known financial calculation of exposure and risk, and we may safely assess the outcome with a high degree of probability. It is not just about sheep, of course: the same theory of offset protection applies to other tangible entities, such as home, contents and car insurance, all of which are based on a known fact and an associated valuation.
When we consider the world of cyber insurance, there is a quantum shift away from the calculated knowns that exist in other forms of tangible, conventional insurance. Instead, we move into the world of the unknown eventuality of a claim following a cyber-attack or compromise.
The problem is: how does a business ensure that the money it invests in provisioning an adequate level of cover is correctly sized? And how does it understand how effective the cover is, given that the provider is assessing the associated risk by applying a calculated assessment to what is actually an unknown?
In fact, having been on the receiving side as an applicant for cyber insurance, I was amazed at just how agreeable the insurer was to accept what were both negative and dangerous levels of disclosure, which confirmed multiple past events involving malware, through to a successful compromise of an inner-company network segment – all were considered acceptable, and thus the said policy was issued in very quick time.
I have also been concerned by the light on-boarding process applied by some large-brand providers and agents, which spend the minimal amount of time on a tick-box assessment before issuing what can be a very expensive validated policy.
This means that, as with many other forms of insurance, if at some later stage, usually during the claim process, the responses are found to be inaccurate, the policy may be held to be invalid (here I am comparing many of those known cases involving critical health cover).
It may be, however, that if an applicant does present a very high risk, the insurer may still wish to proceed at the right price: that is, with a policy that over-compensates in weighted favour of the provider. Long gone are the days in which I was told that ‘excessive risks could be offset by excessive fees which could be reinvested on a lucrative market offering a guaranteed and maximised return on the investment’, thereby reducing the actual surface of exposure.
From another angle, we may well look to some of the recent events, ranging from Sony through to the debacle involving Ashley Madison, all of which were of course unpredicted and unknown, with some instances exhausting their cover, or with the cover not having deep enough pockets to meet every manifestation of loss.
But all that said, I am not saying that cyber insurance is a bad thing. What I am outlining is that a successful long-term breach could implicate (and has implicated) many millions of end-users spread across the globe, not to mention the associated third parties and associates.
The fact of the matter is that if the cover has been based on an unqualified, assumed state of security, resulting in an imperfect calculation derived from an unknown level of expected exposure, there could be a considerable shortfall in anticipated compensation after an event.
My conclusion here must be: if I am to recommend such insurance cover to a client, I would advise them to look to any evidenced like-for-like successful security breach in a company of a similar profile, confirm the totality of the implicated cost, and then add 20 percent. Then, based on such a semi-known level of input criteria, present the application for cover to the potential provider and wait to see the price tag.
It may be that you will be pleasantly surprised, or you will look to other providers. Or you may even consider applying some other compensatory controls to realise a saving – unless, that is, you have an open cheque book.
The problem with a risk-based approach is that where the probability is low, accepting the risk may look very attractive. That is, of course, until the ‘impact’ comes home to roost – then it is time to think again, and to apply a new model based on real-world calculations and real-world impact.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock