Cybersecurity incidents and data breaches have become a normal part of the news cycle. It feels like every day you hear about a big corporation or organization suffering an attack that has put customer or user data in jeopardy. Sometimes this is because a security strategy was lacking; sometimes, the criminal’s attack was simply too powerful.
Regardless of how or why a cyberattack begins, the fallout can be devastating for all those involved. Individuals may have their privacy at risk or even be in danger of having their identity stolen. From the organizational point of view, a cybersecurity incident can have a huge range of consequences, each of which can damage profits.
These consequences include a dramatic drop in reputation and a potential halt in business operations. Cyberattacks can also lead to a company being fined by regulators. These fines can sometimes be higher than the cost of the actual attack itself. And then there are the knock-on effects of a cyberattack: companies may need to rebuild databases or even purchase new security software and hardware.
Cybersecurity experts recommend that companies focus their efforts on preventative measures for detecting and blocking potential attacks while also putting disaster recovery practices into place so they can respond appropriately. However, there is also another tool at their disposal: cybersecurity insurance.
By one estimate, the cybersecurity insurance market will reach an astounding mark of $7.5 billion by the year 2020. That makes it a topic worth learning more about.
History of Cybersecurity Insurance
The concept of cybersecurity insurance has actually been around for close to 20 years. At the start of the new millennium, the Internet had matured into a state where customers felt more comfortable shopping and banking online. At the same time, companies were concerned about the Y2K threat and how computer systems would react when the calendar flipped over. Protections were put into place to preserve data and a company’s financial standing in case anything went wrong.
Insurance policies were the logical place to look. Corporations invest in a range of different insurance types to safeguard the business, employees and the bottom line. These policies can cover general liability, commercial properties and workers’ compensation. With the Internet becoming such a vital part of all industries, insurance companies realized that cybersecurity was an untapped market for them.
Today, cybersecurity insurance is a common tool for risk management, regardless of company size or focus. The basic idea is that the business will pay monthly or yearly premiums to the insurance company in exchange for financial protection against a set of events. These include cyberattacks, data breaches and other incidents that affect third parties or supply chains.
The Role of GDPR
Before obtaining a cybersecurity insurance policy, every organization must complete a detailed cost-benefit analysis to weigh its internal risks. If a company employs a large IT team with a focus on security, then it may not see the value in paying premiums to protect against events that have a low chance of happening.
However, the scenario is rapidly changing because of government action being taken around the world. The European Union was one of the first bodies to prioritize cybersecurity for its citizens with the passing of the General Data Protection Regulation (GDPR). GDPR dictates how companies are allowed to store user data and how they must react if a breach occurs.
One of the most publicized aspects of GDPR has been the fines that the EU can assign if an organization fails to issue a breach notification or is found negligent. These penalties are dependent upon the scope and severity of the offenses, but they can easily reach up to 20 million Euros, representing a significant revenue hit for many companies.
Cybersecurity insurance companies are starting to tailor their offerings with GDPR and other government legislation in mind. Many policies now account for the risk of cybersecurity fines. In the event that a company is hacked and gets hit with a financial penalty, the insurance provider will pay out a certain amount of coverage.
What Cybersecurity Insurance Policies Protect
One of the most complex parts of cybersecurity insurance is determining exactly what types of events are covered under a policy. With something like health insurance, the workflow is simple. A patient receives care from a doctor, and the office bills the insurance company for the services provided. But there are no doctor’s offices when it comes to our digital security. Sometimes, a company doesn’t even know it has been attacked until weeks or months after the fact.
The cloud computing model also introduces some other variables. A hacker might be targeting Company A’s data, but their attack is actually executed on Company B, the hosting provider. As the software subscription business model continues to expand into 2020, companies that inhabit this new space in the software market need to have a clear view of their assets and dependencies. Cybersecurity policies must stipulate exactly what systems are covered and what types of events will initiate a payout.
In addition, there has been a worrying recent trend in which cybersecurity insurance companies are refusing to pay out claims for attacks that their customers thought were covered. In a recent high-profile incident, for example, AIG argued to a New York federal court that it was not responsible for covering nearly $6 million in losses suffered by SS&C Technologies, a $6 billion financial technology company. Malicious actors scammed SS&C out of $5.9 million in 2016 by emailing company employees from spoofed email addresses and requesting monetary transfers. AIG stated, however, that its policy stipulates that the insurer will not cover losses stemming from criminal activity.
In other cases, insurance companies have refused to pay out even where criminal acts are covered under their policies, because they view inter-state hacks as “acts of war.” This means that, even when a company thinks it is covered against criminal hacks, it may not be.
With all of the cybersecurity products on the market today, you’d think that staying safe online would be relatively easy. But in reality, malicious hackers are smart, creative individuals who are always looking for new weaknesses to exploit. As cybercrime evolves, so must the insurance policies that protect against it.
With the cybersecurity insurance market set to reach that $7.5 billion mark mentioned earlier, expect more organizations to jump on the bandwagon for the first time, while others increase their investment. Risk management is always a moving target, so companies need to constantly evaluate their liabilities and negotiate with insurance providers to fully meet their needs.
When a cybersecurity incident occurs, the affected organization is typically thrown into chaos. IT teams will jump into recovery mode in order to bring systems back online or restore data from backups. Security professionals will be busy analyzing the root cause of the attack and why defensive tools did not stop it. Meanwhile, service teams will be focused on relaying information to customers.
Weeks or months after an attack, the company will finally have time to look back at the full scope of the attack and estimate the cost. The total number will include lost revenue, wasted working hours and regulatory fines. With a well-structured insurance policy, the financial loss could be minimized and provide peace of mind.
About the Author: Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphasis on technology trends in cyberwarfare, cyberdefense, and cryptography.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.