Cyber Risk, Cyber Insurance and the Cost of Disruption
Here's the deal with cyber insurance.
Companies evaluating cyber insurance sometimes complain that they don't know what they're buying, what it does and doesn't cover, how it compares to competitive offerings, and what it's really worth.
An Ovum report commissioned by FICO reported that only a quarter of the C-suite and senior security officers thought premiums accurately reflected their organization's risk profiles. Even fewer viewed cyber liability insurance pricing as "clear and transparent." On top of these factors, the introduction of cyber insurance as a viable option for businesses may even further incentivize threat actors to wreak havoc through malicious exploits.
There are long-term solutions available to mitigate opacity in cyber insurance pricing, but the insurer’s perspective on the added threat risk should also be a consideration.
The cyber insurance provider's question: What risks are we assuming?
As new insurance markets emerge, insurers typically face the challenge of quantifying and pricing risk based on limited historical data. With cyber insurance, that's an especially vexing problem, because many attacks have traditionally gone unreported. As Deloitte notes, governments now require reporting when personally identifiable information is exposed. But other attacks representing large cyber risks may still fly under the radar.
Even if a cyber liability insurance provider trusts its historical data, threats change rapidly. Previous claims and crimes may not be as predictive as insurers would like. What's more, cyber risk can aggregate. It's one thing to cover a claim for intrusion against one company's data centers. But if a public cloud that serves 1,000 policyholders is compromised, the insurer faces radically higher liability.
The costs of cyber liability insurance confusion
Each cyber insurance provider must make its own judgments about risks like these. Their judgments vary, leading to meaningful differences in cyber liability insurance premiums and policy terms, and what’s considered true disruption to customers’ businesses. Sensibly, insurers protect themselves by attempting to narrowly define their exposures, and by focusing on the cyber risks where they have the best information.
Accordingly, many policies address PII exposure, and promise to pay for definable expenses such as customer credit monitoring. But they may offer more limited coverage for other important cyber risks, such as reputational harm or lost intellectual property. These coverage components are critical for helping to define and manage the long-term disruption that inevitably takes place after a breach.
Consider, especially, the issue of negligence. As Nemertes Research points out, an insurer often reserves the right to refuse a claim if it finds that the loss was caused by policyholder negligence. But insurers and individual policies vary in how they define negligence, and whose negligence can be grounds for denying payment. A closely related issue is ransomware.
Costly ransomware attacks are often excluded by cyber liability insurance policies, and often arise from an employee's carelessness in clicking a malicious email or web link. In underwriting policies, cyber insurance firms would ideally assess the behaviors of a customer's employees as part of its risk profile, but doing so has been challenging. This further points to the importance of understanding the potential for an incentivized hacker; risk profiles may inherently need to include the increased possibility of a breach.
The solution: greater clarity about cyber insurance risk
Fortunately, for both cyber insurance underwriters and their customers, the answer is the same: greater clarity about cyber risk, and more effective action to reduce the human errors that cause or contribute to most security compromises.
What works best is a platform that gives organizations actionable, up-to-the-minute data about how well their workforces can resist nearly all contemporary cyberattacks, and that helps them identify specific areas of risk, quickly focus mitigation, drive changes in behavior, and track the results. That platform should also partner with innovative insurers who want to use those datasets to price risk more accurately and design more attractive, cost-effective policies.
In fact, new certifications with strict criteria are cropping up, designed to help organizations make well-informed cybersecurity decisions and gain greater clarity and confidence in navigating the complex cybersecurity marketplace. Insurers should look for the following when they evaluate potential customers' cybersecurity solutions:
- Reduction of cyber risk: demonstrated ability to address major enterprise cyber risk such as data breach, theft or corruption; business interruption; or cyber extortion.
- Key performance metrics: demonstrated ability to quantitatively measure and report on factors that reduce the frequency or severity of cyber events.
- Viability: client-use cases and successful implementation.
- Efficiency: demonstrated ability of users to successfully implement and govern the use of the product to reduce cyber risk.
- Flexibility: broad applicability to a range of companies/industries.
- Differentiation: distinguishing features and characteristics.
These criteria represent the inaugural Cyber Catalyst by Marsh℠ designation. Read more about the evaluation program and its benefits here.
For centuries, insurance has empowered enterprise by making new forms of risk more manageable. If we can gain greater clarity on human risk and demonstrate better ways to reduce it, cyber insurance can play an equally important role in the digital age. Quantifying and reducing human error is hard, but it's crucial.