Cyber Risk and Insurance: What Every Business Leader Should Know, Part 1
There’s not a day that we don’t hear something about “cyber” in the press or elsewhere. Many of us, however, do not truly understand the risks and impact a major cyber event can have.
The Threat Landscape
Many business leaders erroneously think that only the large companies, “the brands,” are at risk of a cyber event. Yet even the large companies that have invested in the technology and resources to combat the risk understand well that there is no guarantee of protection.
Today, cyber risk touches every business, large and small, that holds data or uses computer systems. The risks range from breaches of personal information to compromise of computer systems that can result in property damage, lost revenue from business interruption or even bodily injury. Many standard commercial property and casualty policies cover these risks poorly or not at all. Insuring cyber risk is made even more difficult by the fact that the risks are constantly changing.
Attacks are becoming more sophisticated and more targeted, and their volume, magnitude and sophistication will no doubt continue to increase. Information technology professionals are overwhelmed, and single-approach solutions often do not work.
A Change in Approach
A prevention-only strategy is outdated. It is wise to assume that your network has already been compromised and to build resilience that limits the impact when it happens. Cyber risk no longer sits only with the information technology department; it is now treated as an enterprise risk, with the board as a major stakeholder. Cyber insurance should be part of that conversation.
Ten Reasons to Consider Investing in Cyber Insurance
- Advanced Persistent Threats
Targeted, persistent campaigns, known as advanced persistent threats (APTs), have become increasingly difficult to detect, let alone stop. The emergence of the nation-state as an adversary leaves the majority of organizations vulnerable, regardless of the resources committed to defense.
- Governance and an Enterprise-Wide Risk Management Strategy
The emergence of cybersecurity as a governance issue that must be addressed by the board of directors is changing the role of cyber insurance: it is no longer purely a financial instrument for transferring risk. Cybersecurity involves the entire enterprise, with numerous stakeholders, and is no longer only the domain of the information technology department. Driving a culture of collaboration among these stakeholders is challenging for many organizations, but cyber insurance and, more importantly, the underwriting process can be catalysts.
- Increasing Regulatory Risk
Liability exposure for boards of directors is expected to increase, adding weight to a focus on governance. SEC guidance published in 2011 shows that regulators view cyber insurance as part of a strong enterprise risk management strategy. Many in the legal community see the February 2014 launch of the federal cybersecurity framework (known as the NIST framework) as creating a standard of care that plaintiff attorneys can use to allege negligence or worse.
- A Financial Incentive
Legislators are giving greater prominence to the role of cyber insurance. The failure to pass laws to drive stronger enterprise security has demonstrated the challenge of trying to enforce minimum standards. There is growing support for market-based incentives such as insurance that can reward strong cybersecurity through discounted premiums or broader coverage.
- Vicarious Risk to Vendors and Business Associates
Adversaries are focusing increasingly on third parties that have access to the sensitive information and other critical assets of the target enterprise. Professional service firms and cloud-based solution providers are examples of business associates whose security may be weaker than their client’s and that consequently offer the attacker an easier back door. Liability for a breach of PII (personally identifiable information) or PHI (protected health information) typically still rests with the enterprise that owns the data, even when the breach occurred on the vendor’s network. Cyber insurance addresses the costs of responding to a breach and of any resulting privacy regulatory action or civil litigation.
- Insider Threat
Attacks from the inside remain hard to prevent. Cyber insurance covers an attack by a rogue employee as well as an attack by a third party, but this coverage does not extend to acts involving the board of directors or the executive team.
- Security Is Not About Compliance
Treating security as a compliance exercise alone will result in failure. For example, many organizations that were compliant with the Payment Card Industry Data Security Standard (PCI DSS) have nonetheless been breached.
- Monetizing the Cost of Cybersecurity
One of the biggest challenges for the CISO (Chief Information Security Officer) is quantifying cybersecurity risk in dollar terms for the executive team. The premium an insurer charges puts a market price on that risk and can help solve this problem.
- Merger and Acquisition Activity
The difficulty of evaluating the cybersecurity posture of an acquisition target leaves the acquirer exposed to any breach or weakness it inherits.
- Operational Technology
Industry sectors dependent on operational technology and industrial control systems are particularly vulnerable. Built primarily to be available 24/7 and to operate in isolation, these devices are increasingly being connected to the corporate information technology network and the internet.