Cyber Insurance: The Last Line of Defense or Frontline Offense?
It’s a common saying in the cybersecurity industry that if you haven’t yet suffered a cyberattack, you soon will. According to the Identity Theft Resource Center, this year alone has seen more than 600 data breaches, and more than 78 million personal records have been exposed. This is a 25 percent increase in the number of breaches from January to November 2013, which shows that hackers are becoming more competent and cyberattacks are becoming more frequent and difficult to stop.
Not only are breaches growing in quantity, but hackers are constantly changing their attack methods. A 2013 PandaLabs report found that 30 million new malware threats were created in 2013 – an average of 82,000 new threats every day. When a security team doesn’t know what is coming, there is simply no way to defend against it.
Based on this and other statistics, it’s clear these attacks are going to occur with increasing frequency and success. Insurance professionals can’t stop attacks from happening, but they can find ways to minimize the effect of breaches to avoid irreparable harm to victimized clients. It starts with a cyber liability insurance policy, an evolving practice for both the underwriter drafting the policy and the company receiving it.
New Age of Pre-Binding Assessments
The process behind developing a cyber liability insurance policy has remained the same for years; however, the ways in which companies are suffering from cyberattacks are rapidly changing. When looking at recent data breaches, it’s clear that there are multiple factors and parties involved in a cyberattack. In the case of Home Depot’s massive data breach, the hackers gained access to 53 million email addresses and 56 million credit card accounts through a third-party vendor with legitimate access to the retailer’s network.
Traditionally, cyberinsurance policies are crafted based on a simple checklist that summarizes potential risks and protective security measures that an enterprise either has or has not put into place. Clearly, cyberthreats have evolved well beyond the limited, static examples included in these standardized lists. For instance, no checklist can assess the likelihood that a trusted insider is committing corporate espionage or that a third-party heating, ventilation and air conditioning (HVAC) partner has a network vulnerability that could lead to a data breach. Consequently, reliance on this checklist approach to accurately define enterprise risk can no longer be an accepted practice, because it doesn’t adequately serve policyholders.
To combat the challenges and limitations of traditional cyber risk assessment, insurers and enterprises are placing more emphasis on holistic assessments performed by independent third-party security firms. Instead of checking off a list of requirements, these assessments look at everything, including the maturity of the company’s security practices, the security of its third-party vendors, the sensitivity of its data, and its ability to recover and return to regular operations following a cyberattack. All of this information is taken into account to help an underwriter determine an entity’s insurability and craft a fair and accurate policy.
The Power of Proactive Risk Mitigation
Consider the examples of Home Depot, Target, Dairy Queen, JP Morgan Chase, Goodwill and Staples. These enterprises were all victims of major data breaches in the past year. In addition to the financial liability incurred, each breach has cost these businesses hundreds of millions of dollars in lost sales, not to mention customer trust. While each of these enterprises had strict cybersecurity policies in place, they were still unable to stop hackers from manipulating their way into their networks through unsuspecting third-party vendors and stolen credentials.
In most cases, these entities had some form of cyber liability insurance in place. But insurance has traditionally been a method for offsetting risk, not mitigating it. A third-party-conducted pre-binding risk assessment, however, not only supplements the traditional checklist security review most underwriters use, it also provides the pre-insured with critical insights about their security preparedness and maturity. This data belongs to the assessed company and can be used to improve security maturity whether or not a policy is offered or purchased.
By requiring a thorough risk assessment at the outset, insurers are communicating their commitment to deliver fair and accurate policies. Additionally, there are new cyberinsurance policies that incorporate the findings of the pre-binding assessment and provide incentives and funds for risk mitigation. In this way, insurers are eliminating the us-versus-them mentality that has historically prevailed between insurers and the insured.
Cyber insurance is often viewed as the last line of defense, but when approached as an offensive measure, it can be a significant part of a proactive risk management strategy. By implementing comprehensive risk assessment as part of the pre-binding process, insurers can create a collaboration with both prospective clients and policyholders to improve cybersecurity maturity and resilience, and help organizations mitigate the impact of a cyberattack and get back to business faster.