ISACA Journal
Volume 5, 2,016 

Features 

Cyberinsurance Value Generator or Cost Burden? 

Syed K. Ishaq, CISA, CRISC, CCISO 

The rapid advancement in technology is driving tremendous change in many industries. As a result, vast amounts of data are generated, which can be harnessed into information to facilitate and make sense of a world in constant motion. Data are now considered a wealth generator for the 21st century. Consequently, the financial costs of data loss through cyberevents can be staggering. For instance, the highly publicized attack on Target cost the retailer and financial institutions an astronomical US $348 million.1 Another costly cyberattack was the attack on the Wyndham hotel chain, which not only lost credit card data of more than 619,000 customers, causing US $10.6 million in loss, but also subjected the company to a US government lawsuit for deceptive business practices for getting hacked on three separate occasions.2 Another example is attacks using CryptoWall, which caused US $18 million in losses in 2014 related to ransom payments to unencrypt personal data.3

The focus on cybersecurity has, perhaps, never been sharper, as cybercriminals continue to push the bar higher with more sophisticated attacks supported by the Dark Web, which consists of web sites that hide their identity and are typically accessed by an encrypted network (e.g., Tor) that also conceals the user’s identity, enabling a lucrative e-commerce black market of stolen data from legitimate sources. Although the short-term impact from a cyberattack can be overwhelming, the long-term implications can be quite burdensome. Some of those long-term implications include:

  • Business continuity/supply chain disruptions
  • Finding and fixing vulnerabilities
  • Forensic accounting for lost data and record management
  • Data restoration
  • Notification cost to those affected by the breach
  • Payment of ransom in cyberextortion
  • Identity theft protection and credit monitoring
  • Reissuing compromised cards
  • Regulatory and civil sanctions
  • Shareholder suits against board and management
  • Lawyer fees during investigations and trials
  • Loss in competitive advantage and markets
  • Brand damage
  • Loss of customers, profits and jobs

The probability of incurring one or more of these damages and the impact they have on an organization depends on a combination of factors that include, but are not limited to, the:

  • Type of attack, e.g., distributed denial of service (DDoS) vs. ransomware
  • Scope of attack, e.g., the entire network offline for days vs. a social media account takeover for only a few hours
  • Complexity of the attacked network, e.g., high interconnections with numerous third-party suppliers vs. impact only to telecommunications because IT is hosted on a secure cloud
  • Time of attack, e.g., during sensitive merger or acquisition negotiations vs. off-peak hours
  • Affected business area, e.g., mission-critical services/products downtime preventing core business activities vs. the unavailability of nonessential services/products
  • Readiness capability of the affected organization, e.g., nonexistent recovery policies and procedures vs. mature incident response program

A 2016 survey found 66 percent of US, 75 percent of UK and 57 percent of German respondents were likely to stop doing business with a hacked organization.4 Though larger companies may be better equipped to weather a cyberstorm and its aftermath, according to Experian, 60 percent of small businesses close their doors within six months after an attack,5 making cybercrime an equal opportunity with unequal consequences. Hence, organizations would be well served to utilize the risk management strategies of avoidance, mitigation, acceptance and transference. In other words, performing all business activities manually instead of using any form of technology may help avoid cyberrisk altogether. This strategy, however, is susceptible to creating a competitive disadvantage in the modern era and is unlikely to be a viable option for most companies. Securing the network perimeter with firewalls and an intrusion prevention system, performing timely patching of vulnerabilities, and baselining configurations are methods to mitigate, or lessen, cyberrisk. Having a robust monitoring program, but making it formal policy to review audit logs on an infrequent basis due to other priorities demonstrates risk acceptance, i.e., the consented risk appetite of management. With data breaches and hacks seemingly inevitable and their detrimental impact ostensibly inescapable, enterprises are beginning to consider cyberinsurance as a component of their risk transfer strategy. In other words, organizations contractually obligate an insurer to accept part or all of their risk in the event of a cyberattack and/or breach.

Types of Policies

A traditional general liability policy only covers property damage making it insufficient to address cyber because data are intangible property. To address this shortcoming, there are approximately 50 global insurers offering cybercoverage, 35 of which are in the United States.6 Carriers offer some combination of the following four components (figure 1):7

  1. Errors and omissions (E&O)—E&O covers claims arising from errors in the performance of service.
  2. Multimedia liability—Multimedia liability covers defacement of web sites, media, intellectual property rights, copyright/trademark infringement, libel and slander. Coverage here can also extend to offline content.
  3. Network security and extortion liability—Network security liability covers the costs associated with a failure of the network to guard against a virus transmission, loss of trade secrets or patent applications, and data breaches. It includes the cost of data restoration, voluntary notification, public relations and risk management, business interruption, and crisis management. In like manner, extortion liability covers damages incurred from extortion, such as ransomware or distributed denial of service (DDoS) that demands payment to stop the attack.
  4. Privacy management—Privacy includes the wrongful disclosure of personally identifiable information (PII), health and confidential information. It includes the costs for investigation, notification, credit monitoring, regulatory fees (e.g., US Federal Trade Commission [FTC] and state attorney general) and associated legal fees. Privacy can also include a loss of physical records such as improperly disposed-of files, human errors (e.g., a lost laptop, sending sensitive information to the wrong email address, a photocopier with a hard drive that contains unwiped customer records) or the wrongful collection of information.

What is unique about the network security and privacy coverages is that both first-party costs and third-party liabilities are covered. First-party coverage applies to direct costs for responding to a security failure or privacy breach. Third-party coverage applies when a company is sued, has claims made against it or has regulators demanding information.

On the other hand, what cyberinsurance does not cover is prior knowledge of issues, pending litigation, reputational harm, loss of future revenue, cost to improve internal technology systems, lost value of intellectual property, bodily injury or property damage, and effects from malicious cyberattacks. Some insurers, however, have begun making exceptions to the rule, in particular for the latter two limitations. For example, although Verizon reported a tripling of nation-/state-sponsored attacks between 2012 and 2013,8 this type of attack source still remains uncovered due to the difficulty in attributing an attack solely to a nation/state adversary. As threats keep evolving, cyberliability brokers and insurers need to continually tailor exclusion policies.

The Fine Print

Although there are a variety of policies available, each is designed differently by individual insurers. Without careful due diligence, the insured may receive a policy that excludes most real-world threats, places unreasonable limits on others and over-covers less likely scenarios. In particular, a simple failure of timely notification to the insurer can be a common reason for denying coverage. For instance, a policy may require reporting a breach prior to or within 60 days of the policy’s expiration. However, a 2015 Ponemon Institute study found that cyberattacks go undetected for an average of eight months,9 which is more than enough time for purveyors of data to erase audit logs to impede forensic analysis and wipe out legal evidence. As a consequence, a company unaware that it has been breached until months later or until notified by a third party, e.g., its credit card processor or law enforcement, will have missed the date to file a claim.

By the same token, some policies may exclude upgrades and improvements even if a company is determined eligible for reimbursement. A payout for recovery objectives that do not include restoring the system(s) to a more resilient state than prior to the attack will only place the network back in the same predicament of being exposed to similar attack types, depending on the nature of the attack. The following case studies highlight the real-world, complex nature of cyberattacks and their impact on cyberliability insurance reimbursement many companies face.

Cottage Health System, a health care provider, had its cyberinsurance claim denied for a 2013 breach because it failed to continuously reassess its exposure to information security and privacy threats and follow minimum required practices such as encrypting medical records on a system fully accessible to anyone on the Internet.10

Ubiquiti Networks Inc. was subjected to an increasingly popular chief executive officer (CEO) scam in 2015. Cybercriminals spoofed (or impersonated) the CEO’s email account, then sent an employee at a subsidiary company in Hong Kong instructions to transfer US $39 million to overseas accounts controlled by hackers. Since the payment was “voluntarily” wired by the employee, “the company may not be successful in obtaining any insurance coverage,” explained the company in a released statement.11

BTC Media had its CEO’s email compromised, but the breach included a social-engineering (spear-phishing) component. The compromised CEO account sent an email to a potential acquisition target’s chief financial officer (CFO) with instructions to review the modifications on the proposed deal by opening an attachment, upon which the CFO’s authentication credentials also became known to the hacker. The compromised CFO then instructed his CEO, in anticipation of the deal, to transfer 5,000 bitcoins valued at US $1.8 million to a spoofed holding account controlled by the hacker. Since the source of the fraud was BTC Media, the acquisition target’s insurer denied its claim because the policy only covered losses from direct fraud.12 The insurer defines “direct” to mean without any intervening steps or diverting factors.

Challenges

The aforementioned case studies raise the question: How does one go about evaluating the myriad of policies and selecting coverage that ensures timely and adequate reimbursement after an attack? Though companies are able to discuss their cyberinsurance needs with insurers, there are important issues both parties must separately overcome. For starters, brokers with a rudimentary evaluation process may rely on generic questionnaires to gauge how embedded cybersecurity is in a company’s risk management strategy to set insurance premiums. Despite this, there is no standard baseline among insurance companies, thereupon insurers with less mature questionnaires may take on increased risk exposure.

For prospective insurance customers, the interpretation of questions can vary significantly, especially if technical resources are not involved in the company’s internal response process. Given that effective measures require several layers of security, if one or more layers are overlooked or misunderstood, it can result in unnecessarily higher premiums and/or greater policy restrictions. For example, a strong compliance program does not equate to an effective information security program, and vice versa. Moreover, an adoption of either program does not necessarily correspond to a reduction of risk. With cybersecurity dynamically evolving, if management, lawyers or brokers lack the requisite background to evaluate questions and safeguards at their disposal, then they may miss an opportunity to negotiate more favorable policy language to maximize liability protections. On the other hand, the coverage portfolio they do receive may not provide a complete measure of protection for the actual state of their organization’s security posture. Furthermore, a completed insurance application detailing the controls in place may not be vetted by the insurer until after an incident occurs; henceforth, if it is found the information submitted by the business overstates the actual controls in place, it can render the entire policy useless post incident.

In the same fashion, insurers, brokers and underwriters versed solely in business and financial risk lack the requisite skills to adequately assess technology safeguards and risk. IT requires a specialized understanding, but IT security necessitates even more focused expertise because the impact of cyber transcends well beyond the IT department. Best practice in cybersecurity continues to evolve, reinforcing the notion that the solutions that work well today might become obsolete tomorrow. A point-in-time evaluation of a company’s security posture in a constantly evolving threat landscape only increases the complexity of determining the appropriate scope and cost of coverage. The interconnected nature of IT means the more networks with which a single business interacts, the more risk it is subjected to. To get a clear picture of the material risk, each third-party network must also be assessed, which is no easy task for an insurer. And the emerging threats from increased adoption in end points, social media and the Internet of Things (IoT) should not be overlooked. For example, it can be difficult to conclusively tie a case of identity theft to a single attack vector because a breach could occur from a lost phone, logging onto an infected web site, data stolen in real-time transit or an IoT device connected to public Wi-Fi. Insurers must overcome this wide knowledge gap as they try to figure out the type, frequency and severity of cyberthreats facing an organization.

The early days of this hopeful industry present additional challenges worthy of consideration. For instance, government pressures to release breach details without a guarantee of immunity disincentivizes firms from sharing attack analysis data. In the same way, the negative market perception that surrounds a breach restrains companies from talking about their cyberincidents unless they absolutely must. This paradox restricts the flow of historical data and trends released into the market that insurance companies could otherwise rely on to make comparisons within and across industries. From a legal perspective, cyberinsurance language in contracts is still relatively new and not well litigated. For that reason, the lack of robust precedence compels courts to be reluctant to hear cybercases, thereby leading to disputes addressed chiefly through arbitration.

Return on Investment

The market for cyberinsurance is relatively new, unpredictable, and lacks trending data and comprehensive coverage packages. Greater technical intricacies can lead to vague or complicated contract language and increased trepidation regarding cyberinsurance’s actual value. Does cyberinsurance tangibly demonstrate that it increases security, reduces liability, and is a reliable source of relief during and after an attack? Market sentiment is perhaps best captured in a 2015 KPMG survey, which found that 74 percent of businesses reported not having any sort of cyberliability insurance. Of those that did, only 48 percent believed their coverage would cover the actual cost of the breach.13 And in a separate report by Reuters, for the few businesses that do get hacked, their premiums triple at renewal time.14 Nevertheless, shareholders expect the board and management to meet their fiduciary requirements to protect company interests. On top of that, not only are regulations beginning to require cyberinsurance, but mergers and acquisitions transactions also increasingly view cyberinsurance as a means to limit liability.

In simple terms, a breach can occur in the infrastructure and the information; the former is inevitable, but the latter is preventable through effective strategies that do not necessarily require costly technology purchases. Unsurprisingly, companies and boards are forced to spend money when there has been a breach or when they are facing a civil lawsuit after an incident, but proactive measures may actually help reduce the overall burden. For example, a strong security awareness program, an effective business continuity plan and an incident response plan can significantly strengthen an enterprise’s preparedness and reaction to an attack and help avoid a breach.

Cyberinsurers may require the implementation of basic cybersecurity measures to avert voiding coverage. Hence, the mere process of applying for cyberinsurance can encourage companies to identify best practices and tools, perform advance review, and improve communication among appropriate stakeholders, such as legal, IT, finance and risk management teams, they may not otherwise consider. Residual benefits can include a higher chance of repelling an adversary and lower premiums, the promise of which may encourage organizations to get serious about their defenses beyond the bare minimum. In a sample of 33 companies spanning IT, health care, education, retail and financial services industries, cyberpremiums cost, on average, 1.2 percent of total revenues.15 Premiums for health care companies cost, on average, 2.8 percent of total revenues, largely due to higher risk and increasing breaches involving patient data. In general, chief information security officers (CISOs) will be able to demonstrate a measurable net profit with their cybersecurity initiatives if the savings achieved from decreased incidents plus cyberinsurance reimbursements can be far greater than the cost of safeguards plus countermeasures.

All things considered, as this nascent industry continues to mature, it remains to be seen if cyberinsurance can demonstrate sufficient value to warrant widespread adoption as a necessary component of an overall cyberdefense strategy.

Endnotes

1 Chiarodo, J.; P., Beshara; “What Cyber Insurance Can Do for Contractors,” FCW, 7 July 2015, https://fcw.com/articles/2015/06/30/comment_chiarodo_beshara.aspx
2 Northrop, S.; “Is Your Business Ready for FTC Oversight of Data Security?,” IAPP, 21 September 2015, https://iapp.org/news/a/is-your-business-ready-for-ftc-oversight-of-data-security
3 Federal Bureau of Investigation, “Criminals Continue to Defraud and Extort Funds From Victims Using CryptoWall Ransomware Schemes,” USA, www.ic3.gov, 23 June 2015, www.ic3.gov/media/2015/150623.aspx
4 Mann, B.; “Centrify Consumer Trust Survey: The Corporate Cost of Compromised Credentials,” Centrify, 8 June 2016, http://blog.centrify.com/corporate-cost-of-compromised-credentials/
5 National Cyber Security Alliance, “3 Reasons Hackers Love Your Small Business Infographic,” StaySafeOnline.org, 2015, http://staysafeonline.org/ncsam/resources/3-reasons-hackers-love-your-small-business-infographic
6 Kirkpatrick, K.; “Cyber Policies on the Rise,” Communications of the ACM, vol. 58, no. 10, p. 21-23, http://cacm.acm.org/magazines/2015/10/192376-cyber-policies-on-the-rise/fulltext
7 Schutzer, D.; “An Assessment of Cyber Insurance,” CTO Corner, February 2015, http://fsroundtable.org/cto-corner-assessment-cyber-insurance/
8 Ibid.
9 Ponemon Institute Research Report, 2015 Cost of Data Breach Study: Global Analysis, May 2015, https://nhlearningsolutions.com/Portals/0/Documents/2015-Cost-of-Data-Breach-Study.PDF
10 Greenwald, J.; “Insurer Cites Cyber Policy Exclusion to Dispute Data Breach Settlement,” Business Insurance, 15 May 2015, www.businessinsurance.com/article/20150515/NEWS06/150519893
11 Hacker, R.; “Fraudsters Duped This Company Into Handing Over $40 Million,” Fortune, 10 August 2015, http://fortune.com/2015/08/10/ubiquiti-networks-email-scam-40-million/
12 Dotson, K.; “BitPay Hacked for $1.8 Million in Bitcoin During December 2014,” SiliconAngle, 17 September 2015, http://siliconangle.com/blog/2015/09/17/bitpay-hacked-for-1-8-million-in-bitcoin-during-december-2014/
13 Reeve, T.; “Cyber Insurance Not Trusted by Business, KPMG Claims,” SC Magazine UK, 1 May 2015, www.scmagazineuk.com/cyber-insurance-not-trusted-by-business-kpmgclaims/article/412535/
14 Finkle, J.; “Cyber Insurance Premiums Rocket After High-Profile Attacks,” Reuters, 12 October 2015, www.reuters.com/article/us-cybersecurity-insurance-insight-idUSKCN0S609M20151012
15 Marciano, C.; “How Much Does Cyber/Data Breach Insurance Cost?,” Data Breach Insurance, 1 June 2016, https://databreachinsurancequote.com/cyber-insurance/cyber-insurance-data-breach-insurance-premiums/

Syed K. Ishaq, CISA, CRISC, CCISO
Is the founder of ControlPoints, a trusted strategy-through-execution information security firm. Ishaq has 15 years of audit, compliance and cybersecurity experience. He can be reached at syed@controlpoints.com.

 

Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.