Back in the late ‘90s, the insurance industry came out with an early cyber insurance product. As it was a product for Y2K losses, “it was a dud, and when it died, everybody thought that cyber insurance would never take off,” said Peter Foster, in the opening remarks of his session at the 2016 CyberCrime Symposium on cyber insurance realities. "Today," said Foster, who helps large companies manage risk in his role as EVP and FINEX Cyber Leader for Willis Towers Watson, "US companies are paying a total of $3 billion in cyber insurance premiums and insurance companies are covering losses caused by breaches."
In fact, with losses growing due to breaches, and tightening regulations around cybersecurity and data protection, cyber insurance has become a key component of risk mitigation strategies for organizations in financial services, healthcare, technology services, defense, and other industry sectors. In his presentation, Foster discussed the shifting cyber-threat landscape and the features of cyber insurance coverage that help organizations mitigate losses.
A Morphing Cyber-Threat Landscape
Cyber-claim data captured and analyzed by Chubb in the 2013-2015 timeframe corroborates general statistics provided by other symposium presenters. Personally Identifiable Information breaches caused by rogue employees and lost or stolen devices have dropped in that timeframe, while those resulting from external hacks climbed from 29% in 2013 to 43% in 2015.
Foster attributes the decreased threat from insider attacks and poor data security practices to better security awareness programs and training, and an increased focus on access controls and encryption. As for 2015 industry targets, the healthcare sector suffered the highest-severity breaches in terms of the most records comprised, at more than 12.8 million, while the business sector endured the largest number of breaches for the year, at 312.
“Companies in regulated industries – those that manage Personally Identifiable Information and Personal Health Information – are prime targets because that’s where the money is,” said Foster. While cyber-criminals have traditionally leveraged malware to breach defenses so they can exfiltrate this personal data, more and more are attacking organizations with ransomware, encrypting critical data and demanding a ransom in return for the decryption key. Organizations victimized by these attacks suffer a financial impact that goes beyond the ransom they’re forced to pay – there are also business interruption costs from lost income and remediation expenses, among other costs.
As these costs are covered by cyber insurance, it benefits infosec and risk managers to determine what protection policies can offer them. Moreover, service providers are increasingly required by clients to prove they’re carrying sufficient insurance to cover specific contracts. The core coverage in cyber insurance policies addresses direct costs associated with breach response, and mitigates exposure to liability costs associated with increased IT system outsourcing, class-action lawsuits, and regulatory compliance.
Building an Enterprise Risk Profile
For organizations looking to secure cyber insurance coverage, Foster outlined the financial and operational risk factors that underwriters will consider. These include:
- Records: This step assesses the number of records the organization collects and holds, where they’re stored, and its reporting requirements should these records be compromised.
- Service provider relationships: This process determines the extent the organization rely on third-party service providers, whether they’re providing hosted services directly related to sensitive data, or managing critical applications needed for business continuity. It also reviews associated contracts to assess protections covered under each provider’s contractual obligations and indemnifications.
- Network reliance: This phase seeks to quantify the systems and processes that rely on a functioning network, and the extent that overall operations depend on network availability. It also attempts to assess the financial loss caused by a network event, how long network outages are likely to last, and how data is backed-up, where it’s stored, and how backup systems are activated in the event of an outage.
Underwriters may also request details on events and related losses for the previous three years, and the number of records that could be accessed and/or stolen in a single occurrence.
Nobody’s excited at the prospect of buying cyber insurance but Foster has a couple of clients who’d be devastated if they hadn’t. One, a healthcare organization, suffered a breach that resulted in the exfiltration of 80 million records. After showing proof of its losses, the client received a check – for $100 million – five weeks after the event.
This is the eighth in our series presenting key takeaways and actionable insight from select presentations given at Sage Data Security’s 2016 CyberCrime Symposium, held November 3-4, 2016. If you couldn’t get a seat at the event or just want a refresher, check out our series featuring actionable insight from select presentations.
No one is immune to cyber-attacks
Be confident that threats to your network will be detected consistently and accurately with Tyler Detect. Our team of cybersecurity experts actively investigates to find threats and are always ready to offer you support and answer your questions.