Michael Madon

by Michael Madon

SVP & GM of Mimecast Security Awareness

Posted Oct 18, 2018

Here's the deal with cyber insurance.

Companies evaluating cyber insurance sometimes complain that they don't know what they're buying, what it does and doesn't cover, how it compares to competitive offerings, and what it's really worth.

A recent Ovum/FICO survey reported that only a quarter of CxOs and senior security officers thought premiums accurately reflected their organization's risk profiles. Even fewer viewed cyber liability insurance pricing as "clear and transparent." [1]

We'll discuss a long-term solution -- but before we do, we need to briefly consider the issue from the insurer's perspective.

The cyber insurance provider's question: What risks are we assuming?

As new insurance markets emerge, insurers typically face the challenge of quantifying and pricing risk based on limited historical data. With cyber insurance, that's an especially vexing problem, because many attacks have traditionally gone unreported. As Deloitte notes, governments now require reporting when personally identifiable information is exposed. But other attacks may still fly under the radar, representing large cyber risks. [2]

Even if a cyber liability insurance provider trusts its historical data, threats change rapidly. Previous claims and crimes may not be as predictive as insurers would like. What's more, cyber risk can aggregate. It's one thing to cover a claim for intrusion against one company's data centers. But if a public cloud that serves 1,000 policyholders is compromised, the insurer faces radically higher liability.

The costs of cyber liability insurance confusion

Each cyber insurance provider must make its own judgments about risks like these. Their judgments vary, leading to meaningful differences in cyber liability insurance premiums and policy terms. Sensibly, insurers protect themselves by attempting to narrowly define their exposures, and by focusing on the cyber risks where they have the best information.

Accordingly, many policies address PII exposure, and promise to pay for definable expenses such as customer credit monitoring. But they may offer more limited coverage for other important cyber risks, such as reputational harm or lost intellectual property. [3]

Consider, especially, the issue of negligence. As Nemertes Research points out, an insurer often reserves the right to refuse a claim if it finds that the loss was caused by policyholder negligence. But insurers and individual policies vary in how they define negligence, and whose negligence can be grounds for denying payment. A closely related issue is ransomware.

Costly ransomware attacks are often excluded by cyber liability insurance policies, and they often arise from an employee's carelessness in clicking a malicious link in an email or on a web page. When underwriting policies, cyber insurance firms would ideally assess the behavior of a customer's employees as part of that customer's risk profile, but doing so has been challenging.

The solution: greater clarity about cyber insurance risk

Fortunately, for both cyber insurance underwriters and their customers, the answer is the same: greater clarity about cyber risk, and more effective action to reduce the human errors that cause or contribute to most security compromises.

What works best is a platform that gives organizations actionable, up-to-the-minute data about how well their workforces can resist nearly all contemporary cyberattacks and helps them identify specific areas of risk, quickly focus mitigation, drive changes in behavior, and track the results.

That platform should also partner with innovative insurers who want to use those datasets to price risk more accurately, and design more attractive, cost-effective policies.

For centuries, insurance has empowered enterprise by making new forms of risk more manageable. If we can gain greater clarity on human risk and demonstrate better ways to reduce it, cyber insurance can play an equally important role in the digital age. Quantifying and reducing human error is hard, but it's crucial.
