Implementing a successful cyber insurance program: Key steps and considerations

In a first, a Black Hat micro summit explains how insurers assess risk to write cyber insurance policies as more organizations seek to indemnify themselves against potential breach losses.

Cyber insurance  >  Umbrella hub protecting connected devices + online activities in binary world.
Bubaone / Simon2579 / Getty Images

As IT security incursions mount quickly, more public and private organizations are getting cyber insurance policies to mitigate the impact of the breaches, which are becoming more of a “when” than an “if”. According to AM Best’s Market Segment Report, direct premiums written by cyber insurers have risen from $996 million in 2015 to $2 billion in 2018, a twofold increase.

Indeed, cyber insurance – also known as cyber liability insurance or cyber risk insurance – has become more popular as organizations big and small have been hit with a growing tide of data theft, ransomware attacks and other assorted incursions. Cyber insurance has become such a hot topic that the Black Hat cybersecurity conference last month in Las Vegas dedicated a three-and-a-half-hour “micro summit” to the topic. The summit speakers discussed how to implement a successful cyber insurance program and integrate it with an organization’s risk management program, how to make claims, and what security controls may help.

“The cybersecurity community is recognizing more of the risk management side of this [issue],” said Matt Prevost, national product line manager for Chubb’s cyber products, in his Black Hat summit speech. “So, it’s really that enterprise risk management function that’s starting to resonate with the cybersecurity community.”

Views toward cyber insurance are changing

Within the past two years, visibility within organizations has improved and organizations now more clearly understand that cybersecurity and risk management are much more than “a technology problem within large companies and small companies,” Prevost adds in an interview.

PwC estimates only about three out of ten companies have cyber risk insurance coverage. However, in its recent report Insurance 2020 & beyond: Reaping the dividends of cyber resilience, PwC forecasted that annual gross premiums will reach $7.5 billion by the end of the decade.

Jeffrey Smith, managing partner with Cyber Risk Underwriters (CRU), another presenter at the Black Hat summit, is seeing a close rate as high as 60% (depending on the industry and organization size) among the small- to medium-sized enterprises (SMEs) for which CRU writes cyber insurance policies. “Much like the early information security market, the earliest products were not always very good,” Smith said in his speech. “As threats have evolved, coverage has also evolved.” Companies in highly regulated industries such as healthcare, financial services, law and real estate have been the most eager to embrace cyber insurance, given the amount of compliance cost they bear in breaches, Smith adds in an interview.

Fellow speaker and long-time risk management evangelist Jake Kouns admitted that for many years “cyber insurance was just not considered very sexy … and the cyber market itself was immature.” Now, “There’s a lot more insurance talk,” said Kouns, CISO for Risk Based Security, a cyber risk consultancy that has briefed the Department of Homeland Security and the Pentagon on cyber insurance issues.

Integrating cyber insurance with risk management

Instituting a cyber insurance policy involves more than talk, especially if an organization wants to obtain the best financial deal, make sure that their policy covers the areas of actual security risk, and make their cyber insurance support their overall security plan. For example, by going through the initial underwriting process insurers use to determine policy parameters, organizations can learn much about how to mitigate potential risk and integrate their policies with their risk management program, according to Prevost.

This process can range from the insurer asking four or five questions of a very small organization, to spending three days inside the business of a larger potential customer. “Large organizations and small organizations need the inquisitive underwriting process to start to question their previously held assumptions about cybersecurity,” says Prevost.

In many if not most cases, strengthening a company’s risk position and lowering its premiums has much less to do with implementing any specific technology and more with how the company strategically handles risk management and how the various departments collaborate – from IT security to legal to the finance office and even the C-suite. Insurers will want to see a thorough incident response plan in place for what each stakeholder or unit will do in the case of a ransomware incident or a CEO wire fraud or a massive data breach. Being able to show the organization regularly runs tabletop exercises, for example, mitigates risk and shows their preparedness to an insurer. To further support their readiness, organizations want to be aware of not only the “monetary impact but also just on a day-to-day getting back and recovering from the event itself,” Prevost says.

Sharing information and experiences among peer companies in a forum like an industry association or a sector’s Information Sharing and Analysis Center (ISAC) can also help bigger enterprises better prepare for an underwriting process and get a better deal on insurance. Greater understanding of risk management and strategy developments can help them build a stronger program, Prevost shared.

Educating small organizations on risk management

Smith, who typically underwrites SMEs, commented that middle-market agents often do not “understand cyber coverage,” and sometimes the company being insured itself does not have a full-time CISO. Hence, there can be a great deal of variance of the relative risk sophistication of the company in question. “We’ve written [policies] for small physician practices using a firewall and cloud services,” Smith said. In the case of smaller organizations, which may not have much of an internal IT security group to speak of, underwriters and insurers are increasingly stepping up to educate policy holders about how to improve their risk management.

In an effort to extend known factors that drive cyber insurance premiums and policies, “the cyber insurance industry is starting to share a lot more visibility into claims and what went wrong to help organizations that do not already understand this to truly understand what is happening,” Prevost added. Chubb has created a “Cyber Index” to that end.

The Chubb Cyber Index is a free real-time set of proprietary data regarding current cyber threats, culled by Chubb over the past 20 years that the insurer has offered cyber coverage. Users can view online claims by industry, company revenue or date; look at what percentage of incidents came from internal or external actors or partners; and see what corporate assets were affected by these breaches over the past decade. By reviewing this data, organizations can get a better handle on not only where they need coverage the most, but where they might need to shore up potential gaps in their own risk management.

Understanding the cyber insurance underwriting process

Cyber insurance providers can influence the security policies and procedures of their corporate policy holders for the better by offering better terms or lower premiums for the organizations that can mitigate their risk not only through technology, but through employee education, team collaboration and other positive risk management steps. As the industry experts pointed out, the underwriting process itself tends to provide a feedback loop where companies can learn more about ways to improve their risk management, and even what risk they bear.

Organizations seeking cyber coverage should be able to demonstrate to themselves and their insurer that they are doing as much as they can to avoid incidents, or they not only face potentially higher premiums, but may also find certain important areas excluded. For example, some policies may exclude coverage for monetary losses if a company does not take so-called “reasonable” steps to maintain security, or more specifically if they fail to encrypt mobile data.

Also, as Prevost points out, policy holders will not get the best deal or the best coverage for their organization if they are not forthcoming during underwriting about their systems and potential liabilities, which in turn can lead to exclusions in the case of an incident. “We've had some customers who are extremely hesitant to provide any information about any technology that they use outside of their walls,” he says. “There's an element there where some customers will refuse to answer any question and that makes the underwriting process extremely difficult, if not impossible.”

“There are high-risk companies [that] may not recognize that they are a truly high-risk companies,” Prevost said. “And that’s where there's the underwriting questions and an extremely intense underwriting process come in....Very difficult risks should be carefully underwritten.”


Copyright © 2019 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)