In response to the ongoing spate of data breaches, the most recent of which include the U.S. Postal Service, Staples, the NOAA weather satellite network and Dropbox, businesses are beginning to develop a new appreciation for cyber risk.
This is evident in how companies are reallocating funds in an effort to mitigate possible cyber attacks. For instance, according to a recent survey by the Association of Finance Professionals, 71 percent of respondents reported their organizations have increased cyber security spending over the past year. At the same time, a comparable percentage (73 percent) believed that a data breach would have significant detrimental effects on their organization.
Those fears are justified, for the costs of responding to a data breach are rising.
Today, the cost per compromised record averages between $145 and $201. At that rate, a security incident affecting only a few tens of thousands of customers can easily cost a business millions of dollars.
Given that most states now require companies to notify their customers in the event of a breach, businesses are beginning to purchase cyber insurance policies.
But not as many enterprises as you might think are making this investment.
In that same AFP poll, only 15 percent of respondents confirmed an increase in the amount of cyber insurance they have purchased in the past year. Additionally, nearly one-third said their companies carry no cyber insurance whatsoever.
The premiums for data breach insurance are a fraction of what it would cost to respond to an actual incident. So, what is keeping companies from investing in cyber risk protection? Here are a few factors that may be at least partially responsible.
Potential Liability for Cloud Providers
When a cloud provider is attacked, a company that stores data with that provider may still be held liable even if its own systems were never breached.
The issue here is what your cyber insurance policy actually covers. Most first-party policies protect companies after a security incident insofar as they pay for notifying customers and for a PR campaign to restore the company’s reputation.
However, this does not mean the policy will automatically cover a breach of the company’s cloud provider, even though that incident may have indirectly compromised the company’s own users’ data.
Sony Corp. of America recently learned this lesson the hard way. In February, the New York Supreme Court ruled in favor of Zurich American Insurance Co. and Mitsui Sumitomo Insurance Co. of America, general liability insurers whose primary policies covered only “personal and advertising injury”; the court found they owed Sony neither a defense nor indemnity in connection with the PlayStation data breach.
Cyber insurance is a valuable form of protection, yet if a policy does not cover a breach that occurs at a third party, some companies may elect not to purchase a plan at all rather than risk the legal fees of fighting their insurers and cloud providers in court.
Security Events Perpetrated by Foreign Agents Are Excluded
Most insurance policies today carry a terrorism exclusion clause. A typical one reads:
Notwithstanding any other provision to the contrary within this insurance or any endorsement thereto it is agreed that this insurance excludes loss, damage, costs or expense of whatsoever nature directly or indirectly caused by, resulting from or in connection with any act of terrorism regardless of any other cause or event contributing concurrently or in any other sequence to the loss.
This may be fine for home insurance plans. However, such a clause could drastically limit companies’ protection in cyberspace.
Attacks that could plausibly be labeled cyber terrorism are now common. In October, the FBI reported that JP Morgan and 13 other financial organizations had likely been breached by hackers believed to be working for a foreign government.
Whether companies could invoke their cyber insurance policies after similar incidents, or whether insurers would instead apply the terrorism exclusion, remains to be seen.
To plan for this exclusion, some companies might be forced to purchase more comprehensive coverage, such as supplementary terrorism coverage under the Terrorism Risk Insurance Act of 2002 (TRIA).
Even then, different policies define terrorism differently. Some companies might not find a provider whose definition of terrorism matches the cyber threats they actually face. In that case, rather than pay for a plan that offers inadequate coverage, they might decide not to purchase one at all.
A Nascent Industry
Still other companies might be hesitant to purchase cyber insurance because of its novelty.
Companies and insurers are still trying to determine how to quantify cyber risk in terms of insurance premiums, as explained by Kelly Lang, Vice President and CFO at Tripwire: “Brokers try to assist on sizing the coverage, but it feels like a guess at best since there isn’t a long history of losses related to attacks. Target has incurred well over $200 million in direct costs and losses to date but only had $160 million of insurance.”
Lang goes on to explain how insurers are becoming more sophisticated and selective in deciding whom they want to insure.
Even so, insurers are still struggling to determine which security controls are most effective, and how interconnected systems and shared providers allow a single threat to affect many insureds at once.
Today, many cyber insurance companies are beginning to hire cyber security experts to help them evaluate the threats confronting different organizations and weigh in on individual insurance claims.
But it will likely take a few more years before insurers can adequately evaluate cyber security risk. In the meantime, some companies may reason that their in-house security personnel are better judges of their cyber risk than an insurer.
A Few Flaws, Yet Many Benefits
Clearly, cyber insurance has a few flaws. In some cases, insurers may deny a specific claim; in others, exclusions may force companies to purchase additional forms of coverage. Also, brokers may not be knowledgeable enough in cyber security to recommend one policy over another.
But despite those minor shortcomings, cyber insurance is still an invaluable tool for enterprises. As Lang notes, “Like most insurance, cyber insurance provides a company with at least a partial backstop if your company is adversely affected by a cyberattack…. [It] won’t stop an attack, but it can provide at least partial financial relief.”
Just like with other insurance policies, companies need to investigate what policies are right for them. Ultimately, any policy, however small, is an added layer of protection that can help companies recover from serious security incidents.