What is it? Is it Worth it? What Else Should it Provide?
Contributors: Dr. David Reis, CIO, Lahey Health & James Sheehan, Principal, Integro Group
Industry leaders and cyber insurance providers weigh in on this emerging, and increasingly important element of any cyber security strategy.
Dr. David Reis, CIO at Lahey Health, has been involved in the review and purchase of cyber insurance at several organizations. “Is it necessary? Yes. Is it working? I’m not sure,” says Dr. Reis.
Dr. Reis says that cyber insurance is necessary because it is an effective tool to help organizations understand and mitigate risk, and it is useful because it does cover some of the real, hard-dollar costs of a breach. He continues, “First, cyber insurance is provocative. It helps CISOs focus business leaders on what needs to be done. Cyber insurance comes with its own set of requirements, or terms, that the organization has to meet in order to be covered. The information we need to give to the insurance provider just to get a quote on cyber insurance is a good way to give insight to non-IS executives about what we are doing, and what we need to be doing to effectively mitigate risk.”
“Second, cyber insurance is necessary because it covers the real cost of a breach. There are real, quantifiable costs to a breach – including costs of notifying customers, replacing systems, and incident response.”
The Future of Cyber Insurance
Dr. Reis feels that cyber insurance has a way to go before it is truly effective. “In information security, as an industry, we are struggling to understand the likelihood of a specific breach. This is something I think the cyber insurance industry is, or should be, moving towards. For example, with flood insurance, we know exactly how likely it is that an area will experience flooding. Actuary tables exist to help insurance providers and their clients understand the risk. We need actuary tables for the different types of threats. We need cyber insurance to get to a point where everything can be objectively defined – here is your risk, here is what you are doing to stop it, here is how likely you are to experience a specific breach.”
James Sheehan is a Principal with Integro Group, an insurance brokerage, and heads its Cyber Practice. Sheehan notes the cyber insurance market is growing quickly and that organizations are changing their approach to cyber risks. Historically, cyber insurance was purchased as part of an organization’s management liability program. As such, the CISO’s role was limited to providing information concerning an organization’s IT security posture. However, over the past three renewal cycles, Sheehan has seen the CISO become an integral member of the insured’s risk management team, with responsibility for providing both updated IT security information and guidance with regard to potential new exposures.
Sheehan agrees with Reis that cyber insurance is a great way to hedge against known risks and the hard costs of a breach or data loss, but he also understands that companies and insurance providers are struggling to appropriately quantify and insure the true cost of a breach – which includes intellectual property theft and damage to the brand.
Still, given its current limitations, Dr. Reis is, in general, a fan of cyber insurance. He says that all CISOs should be considering it. “Ask if we have it, and should we think about it, given our risk profile.”
As of 2015, cyber insurance was a $2.5 billion industry in the US. It is expected to increase significantly this year and reach as high as $7.5 billion in 2020. (Cyber Risk Threat and Opportunity Report)
In 2015, 63% of companies were insured against loss of income due to a data breach. (Statista)
More than a quarter of underwriters responded that clients frequently seek higher limits for cyber insurance premiums. (2016 Survey of Cyber Insurance Market Trends by Advisen)
In 2016, healthcare organizations were responsible for the most new cyber insurance policies. (2016 Survey of Cyber Insurance Market Trends by Advisen)
“The maximum a company can be insured for is about $500 million, but the reality for many companies is that it’s tough to even get coverage for $300 million.”
- Don Ulsch, a senior managing director at PwC, quote from SC Magazine