Buyers Must Prepare and Beware
Policies may not ensure full protection for all cyber system breaches.
Cyber insurance can protect organizations from losing more than data, but choosing a cyber insurer and policy comes with its own caveats. The purchase decision maker must consider an individual company’s circumstances, such as revenue, risk tolerance, board guidance and regulatory environment relative to protected categories of information. In addition, every purchase decision must be critically reviewed, particularly regarding the extent of coverage exclusions in each policy.
Cyber insurance hit the market in the late 1990s. Companies’ desires to purchase it come and go, sometimes hinging on no more than the lead story on the evening news. For example, when word of the Sony hack hit the airwaves in 2014, cyber insurance seemed like a must-have. Less than six months later in April 2015, when the Office of Personnel Management discovered some of its files had been hacked, interest in cyber insurance escalated even more. Yet once news about breaches waned—or worse yet, became so common as to be ignored—the interest in cyber insurance seemed like an unnecessary expense as long as companies improved their precautions against network break-ins.
Experts on AFCEA International’s Cyber Insurance Subcommittee, a group within the association’s Cyber Committee, delved into this topic to examine cyber insurance as an instrument for risk transference and a market catalyst to incentivize the adoption of cybersecurity measures.
To explore these topics, the subcommittee consulted a range of sources, including RAND Corporation researchers Sasha Romanosky, Lillian Ablon, Andreas Kuehn and Therese Jones, as well as their publication “Content Analysis of Cyber Insurance Policies: How Do Carriers Price Cyber Risk?” that appeared in the Journal of Cybersecurity.
The RAND researchers analyzed 235 individual claims filed in New York, Pennsylvania and California from 2007 to 2017. The team primarily obtained the information from online electronic records available in the System for Electronic Rate and Form Filing, which the National Association of Insurance Commissioners manages.
Across these claims, the data indicated significant variations in cyber insurance policies coverages, both in first-party coverage, such as losses the insured incurred directly and including restoring business services, and third-party coverage, which covers the cost of defending against litigation, including fines, fees and settlements. Each sometimes featured assigned sublimits for significant issues such as personally identifiable information loss, theft or accidental release.
According to the study, the research team found cyber insurers principally based the policies they offered a company on corporate applicant-completed questionnaires. As in other aspects of cyber insurance, significant variability was seen in how carriers assessed an applicant’s technical security measures, information technology and computing infrastructure, access control, and supporting policies and procedures.
One fairly striking observation for network security professionals was that only a few insurers covered the applicant’s technology and infrastructure and, when they did, only a few questions were posed about the number of computing devices, Internet protocol addresses or websites.
One expectation would be that insurers would inquire about technical security measures. However, most questionnaires focused on anti-virus software that scans email, downloads and devices to detect malicious files; firewalls; intrusion detection; or prevention systems to detect possible intrusions and abnormalities in networks.
Encryption for data at rest and in motion was often mentioned in questionnaires; however, the researchers surmised insurers may underestimate cybersecurity risks the Internet of Things, or IoT, poses.
“Some questions also focused on mobile devices,” researchers note. Interestingly, for all the focus among companies to implement the Defense Department-required National Institute of Standards and Technology guidance, “VPN and two-factor authentication were less frequently listed as technical measures,” the RAND research states.
Considerable variations also were evident in how carriers priced cyber insurance. “Overall, many carriers described how ‘cyber’ is a relatively new insurance line,” RAND researchers note. “They have no historic or credible data upon which to make reliable inferences about loss expectations.”
To set rates in these instances, some carriers use external services or experience from their underwriters, claims adjusters and actuaries for similar coverage lines such as fiduciary liability data, or they appear to guess at an appropriate level for the relative size of each of the insured. “In only a few cases were carriers confident in their own experience to develop pricing models,” the researchers note.
The field’s immaturity generates uncertainty, which explains some of the subcommittee members’ experiences with cyber insurance. They cite “short coverage and long premiums” that require the stacking of policies from multiple carriers to attain adequate coverage for appropriate risk transference.
In a not-for-attribution forum at a Washington, D.C.-area think tank, one Cyber Committee member recounted a carrier representative’s comments: “Cyber insurance is the fastest growing insurance product. … We’re making a ton of money. … The premiums buy low coverage limits. … Carriers are not presently interested in definitizing actuarial data.”
RAND researchers cite further challenges with respect to cyber insurance litigation evolving from material gaps in coverage for both commercial general liability (CGL) policies and stand-alone cyber policies. These challenges include determining first- versus third-party coverage; the cause of the compromise, such as hacker versus employee; the meaning of “publication” of sensitive information released during a breach; and whether the breach or release of information is eligible for coverage.
Questions also arise about whether the loss of data counts as property damage. Whether physical damage “arising out of” a cyber attack is covered under most CGL policies is likewise uncertain. In addition, stand-alone cyber policies usually exclude physical damage.
Significantly for companies, social engineering is not necessarily covered by the typical CGL or stand-alone cyber policies according to RAND. The researchers cited court precedent that found an insured was not covered because of an authorized user’s input of information to transfer funds to a fraudulent source rather than an unauthorized entry. When nation-state spear phishing continues to be a predominant vector to target companies in the defense industrial base, this aspect of cyber insurance policies warrants special consideration before buying a policy.
With all its complexities, gaps, exclusions and expense, the question is whether cyber insurance creates a market incentive that promotes sound network security countermeasures by offering discounted premiums that take those into account. That potential appears to lie in an indeterminate future and is contingent upon developments that might influence carriers such as legislation or changes in regulatory requirements.
Creating a moral hazard also is an issue. Using the analogy of improving auto safety, the addition of air bags in vehicles could induce riskier behavior among some drivers because they have protection from injuries. In a cybersecurity context, the question is if the cyber insurance safety net would induce less attention to best security practices because a breach in information or networks results in less damage to the organization.
Cyber insurance is an important consideration for many companies, but it is still a maturing insurance product and marketplace. Accordingly, careful analysis by the corporate chief risk officer, chief financial officer and corporate counsel should precede a decision to buy a policy.
The RAND research and additional issues should be considered when shopping for a policy.
Companies should expect a lack of transparency in how carriers assess risk or compute premiums.
They must understand the distinction in insurance regulation between admitted and non-admitted markets. In addition, corporations should determine what losses each cyber insurance policy covers and excludes.
The insured likely will be asked to complete a questionnaire as part of the application process, and companies can expect considerable variability in the content and focus of the questions among carriers.
Also, insurers will ask about a company’s information and data management policies and procedures. The most common question in this category includes whether a data retention and destruction policy exists.
A questionnaire rarely includes an inquiry about information technology security budgets. In the RAND survey, only one questionnaire solicited information about the size of the IT/information security budget.
As purchasers, companies should ask how premiums are priced. Researchers identified several themes that carriers used to determine premiums, including external sources, competitors and the experience of their own underwriters.
“At the end of the day, even if the carrier is imperfect in its assessment, the policy still allows an insured to recover extreme losses. So in that regard, it’s still valuable,” RAND’s Romanosky observes. “I would further argue the following benefits: The policies, and any claims, help the insured track its own losses, which will help with better decision making in the future.”
Before making any decisions, companies should speak with a broker who can provide alternative perspectives.
Steve Shirley is the executive director of the National Defense Information Sharing and Analysis Center. Jim Barrineau is the program manager for ENCORE III ID/IQ and director of U.S. Defense Department business development for Phacil LLC, a ByLight Company. Jamie Dos Santos is the chairman of the board at Cybraics.