If you have ever tried to obtain property insurance, you know you have a “project” cut out for you. Figuring out what each insurer’s policies cover — and don’t cover — is a chore. When you finally get to the point where you can compare premiums, many of you just want the pain to end quickly and probably pick a carrier more out of expediency than economy.
Now multiply this by two factors: first, you want to get business insurance, and then you want to get business cyber insurance. If you are a big company, you probably have specialists that can handle these tasks — maybe. The problem is that insurance specialists don’t necessarily understand the inherent cyber risks, and IT folks don’t know how to talk to the insurance pros. And to make matters more complex, the risks are evolving quickly as criminals get better at plying their trade.
My first job was working after college in a key punch department of a large insurance company in NYC. We filled out forms for the keypunch operators to cut the cards that were used to program our mainframe computers. It was strictly a clerical position, and it motivated me to go back and get a graduate degree. I had no idea what the larger context of the company was, or anything really about insurance. I was just writing numbers on a pad of paper.
Years later, I worked in the nascent IT department of another large insurance company in downtown LA. This was back in the mid 1980s. We didn’t know from cyber insurance back then: indeed, we didn’t even have many PCs in the building. At least not when I started: my job was to join an end-user support department that was bringing in PCs by the truckload.
So those days are thankfully behind me, and behind most of us too. Cyber insurance is becoming a bigger market, mainly because companies want to protect themselves against any financial losses that stem from hacking or data leaks. So far, this kind of insurance has been met with mixed success. Here is one recent story about a Virginia bank that was hit with two different attacks. They had cyber insurance, and filed a claim, and ended up in a court battle with their insurer who (surprise!) didn’t want to pay out, claiming some fine print on the policy.
Sadly, that is where things stand for the present day. Cyber insurance is still a very immature market, and there are many insurers who frankly shouldn’t be writing policies because they don’t know what they are doing, what the potential risks are, and how to evaluate their customers. If you live in a neighborhood with a high rate of car thefts, your auto premiums are going to be higher than in a safer neighborhood. But there is no single metric — or even a set of metrics — that can be used to evaluate the cyber risk context.
I talk about these and other issues with two cyber insurance gurus on David Senf’s 40 min. podcast Threat Actions This Week here. I am part of a panel with Greg Markell of Ridge Canada and Visesh Gosrani of Guidewire. If you are struggling with these issues, you might want to give it a listen.
One of my readers, Dean Thompson, wrote about this piece (you can find him here: https://blog.centrify.com/author/deanthompson/):
The webcast was great. Most companies don’t realize they have cyber liability as it is often put under their general errors & omissions. You are right that insurance companies are not really sure yet what they are insuring; however, they are getting smarter. They are leveraging large GSIs like PwC, Verizon, etc. to do security assessments of customers to determine, for lack of a better term, if they are an at-risk driver. They do know that companies that follow good security practices are a lower risk.
At some point you won’t be able to get this type of insurance without going through a security audit. The other thing companies do not realize when they ask for this type of coverage is that what is covered is different by policy. A lot of policies simply cover the cost of communications and maybe credit monitoring for a year for someone, but do not cover resolving these issues in your internal systems.
The thing that is badly missing in our industry is one security standard for you to have vendors certify to or even yourself. There’s SOX, PCI, NIST, SOC2, FedRAMP, GDPR (though a bit different), ISO, etc. We’ve created our own problems by not being able to settle on a universally accepted standard and thinking Europe needs their own and the federal government needs their own and on and on. IMHO there is a real problem there that needs solving but it will be difficult to get those many people to agree. The real rub is these are common sense security best practices. Lock up the root and administrator accounts. Only give people the minimum permissions they need. Use MFA. You get my point. If we could come together on one standard, every vendor would do it because it would be the cost of doing business.