Cyber insurance and its place in business security strategy [Q&A]
Data breaches and cyberattacks can be costly for businesses, not just in financial terms but also in damage to reputation.
It's not surprising then that more and more companies are looking to offset these costs by taking out cyber insurance policies. We spoke to Chris Kennedy, CISO and VP of customer success at AttackIQ, to find out more about cyber insurance and the potential pitfalls.
BN: What types of incidents do cyber insurance policies cover?
CK: Cyber insurance policies are intended to offset costs that emerge from: incident containment and attack eradication, third-party help, public relations and disaster communications plans, reparations to customers, regulatory fines and the costs of ransoms.
Unfortunately, there is no cyber insurance premium that will help recover the costs associated with the loss of intellectual property (IP), third-party support, or the loss of market share due to diminished customer trust in a company's brand.
BN: What should a business consider before investing in a cyber insurance policy?
CK: Businesses must first understand their critical digital assets and risks, and if a cyber insurance policy would actually help. The truth is that there are cyber insurance policy limitations, constraints and requirements that organizations must acknowledge. This means that certain security capabilities may be required before even obtaining a cyber insurance policy, and organizations must ensure that the proper controls are in place.
As a next step, companies must be able to ensure that the necessary security tools they have are configured correctly. Emerging, automated technologies are able to test security controls against real-world attacker tactics, techniques and procedures (TTPs) to determine if they are working as intended and to ensure that there are no weak spots in the organization's cybersecurity program.
BN: What are some of the main motives businesses have for investing in cyber insurance?
CK: Security failures are beginning to affect the bottom line and organizations are taking notice. Even if companies are compliant, this is not a get out of jail free card. Compliance with data privacy regulations does not mean that a company is secure, and a compliant business that is breached will still be fined under the corresponding law, such as GDPR.
On top of this, incident response (IR) activities are not cheap, and the clean-up costs can be quite costly. Companies have been seeking out cyber insurance as a means to offset these costs.
BN: Why are cyber insurance claims sometimes declined?
CK: Suffering a breach is bad news, but then learning that you are not covered for the incident by your insurer can be worse. Cyber insurance policies can include limitations and hidden language that allow carriers to decline coverage, and organizations must be aware.
First, some insurers will deny coverage if the insured business fails to maintain adequate security standards. Even if companies have security tools in place, they may not be configured properly, and as such it is imperative to test them on a continuous basis to ensure security.
Second, cyber insurance providers have been denying or restricting coverage for payment card information (PCI) related fines and assessments. Policyholders must pay attention to the language contained in the policy itself, as there may be exclusions for PCI or self-regulatory fines, and there may be contractual liability exclusions that allow insurers to avoid paying premiums.
Third, the discrepancy between the value of ransom amounts, lost potential revenue and asset restoration costs that arise from ransomware attacks is a hot topic. Insurers may reimburse organizations for a specific percentage of the ransom amount demanded by ransomware; however, the damages that arise due to lost income are not always covered.
Next, pre-breach-related lawsuits that arise from zero-day type vulnerabilities being discovered in an insured organization's network are not always covered. Cyber insurance policies tend to have language included that only allows the insured organization to claim coverage for unauthorized intrusions and other security events, so the discovery of a flaw that has not been proven to actually cause a breach may be outside the scope of what is covered.
Finally, social engineering attacks may not always be covered since there is the argument that the success of these attacks is caused by the insured company's negligence. For example, a phishing attack that asks an organization's financial department to wire funds to an unrecognized account would not be covered since there was no intrusion, and the event was caused by an employee's own authority.
BN: What are common myths and misconceptions about cyber insurance?
CK: Cyber insurance policies continue to be underwritten with more sophistication, and insurers have been raising the bar in terms of insured organizations' security maturity. Additionally, enterprises that over-rely on their cyber insurance policy will be disappointed when they suffer a security incident and learn that not every cost will be offset by the insurer.
BN: How does cyber insurance fit into a holistic cybersecurity strategy?
CK: Cyber insurance is a post-fail risk offset, and a policy should never be seen as a substitute for a proper cybersecurity program. But the truth is that an effective cybersecurity program can help a business obtain a cyber insurance policy in the first place, and insurance can be a good supplement for a security strategy.
At the end of the day, companies must understand that it is possible to remain secure. There are emerging, automated technologies out there that allow companies to use the latest attacker TTPs in order to test and ensure that their security controls are configured appropriately, and that there are no gaps in the company's security program. Additionally, this method will allow organizations to improve the return on investment (ROI) of their security spending by identifying and removing tools that overlap in coverage with each other.