The top three identified obstacles to cyber insurance adoption remain “not understanding exposures” (73%), “not understanding coverage” (63%), and “cost” (46%), according to Advisen’s 2019 Cyber Insurance Market View survey. These obstacles are quite similar to general insurance obstacles of the past. In the 1850s, boiler explosions were occurring at the rate of one every four days. Despite thousands of boilers in operation, there was widespread ignorance about the causes of boiler explosions. It was generally assumed that boilers would explode resulting in severe injuries or loss of lives. However, a few, namely the future founders of The Hartford Steam Boiler Inspection and Insurance Company thought otherwise, and brought coverage innovation that reshaped the insurance market.
By Jack Kudale, Founder and CEO, Cowbell Cyber
Cyber Incidents: Underinsured with Exploding Risk Exposures
A cyberattack takes place every 39 seconds, for a total of 750 million worldwide per year. Cyberattacks come in many forms: malware, phishing, SQL injection, denial-of-service, ransomware, cryptojacking, man-in-the-middle, zero-day-exploit, and many more.
From the 2013 Target breach that resulted in the CEO resignation to the exposure of 56 million debit and credit cards due to a breach at Home Depot, or the 2018 Marriott incident that revealed personal details of 500 million users, and now the series of ransomware attacks on cities and businesses, the impact of cyber incidents is significant. Impacted companies had procured cyber insurance in the hundreds of millions, yet they reported breach-related expenses way above their elected coverage. They also faced broad consumer-driven class-action lawsuits that lasted for years.
These cases illustrate the need for thoughtful deliberation when deciding how much cyber insurance to buy. The decision is no trivial matter, and the responsibility should rest squarely with the CEO and the Board of Directors.
The Need for Risk Observability
Cyber insurance contracts should be contingent on the level of cyber protection (external and internal) deployed by the insured organization. Insurers’ inability to observe an organization’s internal protection efforts has posed significant challenges to cyber insurance. The observability gap is an even bigger challenge for claims and the near impossibility to correlate losses to a specific cyber incident. There is a dire need for adequate risk observability.
Businesses, especially in the small and mid-size market, are under-insured for cyber liability, primarily due to the lack of insights into risk and adequate quantification of exposures that are required to obtain insurance. There is also a myth that only large organizations get targeted by cybercriminals. This misperception is fueled by only large company data breaches making the news headlines and regulations carving small businesses out of the requirement to report breaches unless they process personal health care information (medical records) or personally identifiable data that are regulated (credit card, Social Security Number, etc).
According to Gartner, businesses invested upward of $125 billion in 2019, in security tools that are mostly focused on threat prevention and mitigation. By comparison, cyber insurance premiums are estimated at about $5 billion, or 25 times less. As security expenditure shifts from prevention and mitigation to response and recovery, there is an opportunity to not only measure the severity (financial impact) of cyber events but also their probability (% likelihood). With probability and severity data, threats become insurable and can be mapped to risk exposure and insurance coverages.
Continuous Risk Assessment for Continuous Underwriting and Resiliency
Businesses should view the cyber insurance application process as an opportunity to assess their risk exposures. The cyber environment of modern enterprises changes continuously: new technologies, new business initiatives that modify the level of exposure or the type and quantity of data processed. For fast-growing businesses, the number of regulated records under management might double in a year. Every time a business’ cyber policy lags the state of the business, there is an opportunity for expenses and liability costs in the aftermath of a cyber incident to be significantly higher than the aggregate limit and sub-limits in the cyber policy in force. Insureds (enterprises) need to continuously re-evaluate risks to be covered; insurers need to update coverage accordingly — continuous underwriting is becoming imperative for cyber insurance.
Continuous risk assessment and continuous underwriting benefit insureds and insurers equally:
- Coverage remains aligned with the enterprise risk exposure.
- Continuous risk assessment can proactively feed into the enterprise cybersecurity strategy rather than a limited exercise that informs a once-a-year policy renewal process.
- For insurers, risk and exposure accumulation are reduced.
Most importantly, with always up-to-date coverage, businesses gain the peace of mind that, in the unfortunate event of a cyber incident, their insurance will adequately cover incident-related expenses, allowing them to recover faster to normal operations and minimizing the disruption to their business. As such, continuous underwriting is critical to achieving greater cyber resiliency.
Demystifying Cyber Coverage
For effective protection and cyber risk transfer, businesses should consider the following when evaluating cyber insurance:
• Standalone cyber coverage – Compared to coverage bundled in Errors and Omissions (E&O), standalone coverage brings clarity over what’s covered. Cyber coverage usually includes security breach expenses, regulatory fines, public relations, notification expenses, extortion threats, computer & funds transfer fraud, social engineering, business interruption with aggregate and sub-limits.
• Individualized policy – Every enterprise has its own unique cyber environment and risk exposure. Loss mitigation in the aftermath of an incident is dependent on coverages selected, aggregate and sub-limits, deductibles, and other parameters. Coverage should also be individualized based on the business risk appetite and risk transfer strategy.
• Coverage options available – Insurability gaps have been increasing due to new technologies: cloud migration, new architectures, AI, IoT—as well as new regulations–EU GDPR, CCPA. The inclusion of innovative coverage for cloud workload and social engineering, for example, will help close the gaps. Enterprises need clarity over technology deployed and seek comprehensive coverage aligned to their risk footprint.
• State-admitted insurance programs – Insurance programs are regulated at the state level. Fees and forms of state-admitted insurance products have been reviewed and approved by the state insurance commissioner. Most important, admitted insurance products are backed by the state’s guaranty fund if the insurance carrier becomes insolvent. In this case, the state will pay claims on admitted products up to a state-specified limit.
Redefining Cyber Insurance for the 2020s
As the digitization of every industry sector accelerates, cyber is one of the top risks facing many businesses in the 2020s. As a starting point, there is a significant opportunity for insurance professionals to demystify how cyber coverage contributes to the resilience of businesses of any size. But threats and technology will continue to evolve; insurers and security professionals have the opportunity to collaborate and to deliver technical and financial protections that complement each other while accelerating innovation on risk exposure and risk quantification.
A true innovation in cyber will go beyond the move to standalone and individualized coverage. Continuous risk assessment supports innovation across all three insurance pillars: underwriting, distribution, and claims. We already have examples of monthly construction reporting forms or annual true-up aligned to payroll for workers’ compensation. In 2020, a century and a half later, observability and customized coverage are becoming a reality, this time for cyber.
This story first appeared in the April 2020 issue of CISO MAG. Subscribe to CISO MAG
About the Author
Jack Kudale is a 25-year enterprise software veteran who founded cyber Insurance startup, Cowbell Cyber in 2019, with an aim to make enterprises more insurable in cyber liability. Previously, he led three venture-backed Silicon Valley cybersecurity and data analytics startups after a long stint as an executive in charge of distribution at a Fortune 500 software company.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
