Why security leaders need to partner with their insurance companies

May 30, 2017
IT Leadership

Garin Pace shares how security leaders can partner with their insurance companies to get better results

What comes to mind when you read or hear the phrase “cyber insurance?”

Most focus on the “liability” part of cyber insurance, the protection companies seek in the event of a security breach. They then form opinions based on whether they view that coverage as a valuable tool to reduce risk or as a copout that substitutes for developing a security program.

Here’s the reality: cyber insurance is much, much broader than just liability coverage after a cyber incident. Security has an impact on everything, including insurance. And that’s a good thing.

In this continued Leading Security Change on Cyber Insurance series, we learn from an experienced insurance underwriter, Garin Pace.

Garin Pace is the Cyber Product Leader – Financial Lines & Property for AIG. First and foremost, he’s an insurance underwriter. His experience includes underwriting professional liability insurance for technology companies and cyber insurance for over a decade. And he’s a technologist at heart. It’s clear from our conversation that he’s trying to merge the worlds of actuarial science, risk management, and insurance with information security.

Our conversation was energetic and packed with information. Garin’s passion shines through (as you’ll read below) – and his knowledge of the industry really helped me get a better sense of how security leaders can partner with insurance carriers to improve security for everyone.

Insurance is a valuable control to transfer risk, but you suggest cyber insurance is more. How so?

Insurance can play a key role in offsetting costs when a breach happens. We can help companies by identifying and encouraging best practices through data analytics, and also help companies respond accordingly when cybersecurity fails. Once you do the basics, insurance can be the best risk reduction for the investment – insurance provides three other material benefits: 1) risk assessment & validation, 2) loss prevention consulting, and 3) help managing the incident.

There is a danger that insurers who are not underwriting appropriately might miss this opportunity, and somewhat reduce the value of insurance, turning risk management into a crude hedge. When both the insurer and the applicant engage correctly, the underwriting process presents an opportunity for the applicant to get feedback from the insurer about the type of risk it sees. This information can be used to verify the applicant’s own findings, and gain the benefits of the insurer’s experience (with thousands of clients, many insurers will be able to share actionable information about what they’re seeing in the marketplace).

Even after identifying opportunities for better risk management, the benefits insurance can provide don’t stop: many carriers provide services to clients to help them make better risks. With the economies of scale of some insurers, these “loss prevention services” allow insureds access to subject matter expertise, sometimes top-tier vendors; other times services internal to the insurer.

Finally, in the event of a loss, insurance is more than just a check: insurers’ claims professionals handle dozens of such incidents per year, and can help guide insureds through the loss process, recommending counsel and other vendors, and alerting the insured to what to expect from litigation.

What might security leaders be surprised to learn about the process to underwrite cyber security risk?

I think security leaders would be surprised to learn how insurers treat the information they are presented during the underwriting process, and how that information does, and does not, affect claims. While there is some variation, most cyber insurers view the information presented to them – such as controls the applicant has – as representative of the applicant’s posture, but not a promise there will never be a mistake in execution. Insurance is for mistakes; most cyber insurers will pay claims where a mistake was a key event in the chain of events which resulted in the loss, even if that mistake was in not executing on a control the insured said they had.

For example, if an applicant tells the insurer they use full disk encryption on laptops, but one laptop – because of a unique set of circumstances – happens to not be encrypted and be the subject of a claim, most cyber insurers will pay the claim. That said, the information does have to be representative; if an applicant only encrypts laptops in one of their two business divisions, they are misrepresenting the risk if they tell the insurer they are “encrypting all laptops”.

Seems a lot of people equate cyber insurance to breach liability. What other perils need to be considered?

Cyber insurance is so much more than data breaches! Truthfully, even “cyber” is a poor moniker: most “cyber insurance” policies respond to a “failure to protect the confidentiality of information” as well as a “failure of security”, and thus would respond even to a non-electronic breach, such as disposing of medical records in a dumpster. Beyond that, these policies cover a variety of impacts – failures of availability and integrity as well as confidentiality – from a variety of possible cyber perils: they respond to lost business (a possible outcome of a DoS attack), will pay to restore data from backups or even pay a ransom (ransomware), and are even starting to cover systems failures (not arising out of cyber attacks).

Increasingly – as the number of cyber-physical interfaces continues to grow – cyber insurance policies will need to evolve to cover bodily injury and real property damage arising out of a cyber peril. With systemic cyber attacks, for example, we have to think about what happens if a cyber-criminal accesses operational controls of a refinery or a train. Disruptions to the flow and security of data can have cascading effects and negatively impact institutions that rely on such data. Today’s cyber insurance policies do a good job of responding to the most common cyber attacks, but most exclude bodily injury and real property damage; a few cyber insurers like AIG are remedying that limitation, and traditional insurers are starting to amend their policies to address the need as well.

Do insurance companies actually pay claims?

Categorically yes! There is a stigma that insurers take in premium but don’t pay claims; this is not a viable business strategy for insurers. Not paying a claim sends a strong signal to the marketplace, and that insurer will quickly find their business is impacted as insureds shift their business to other insurers. Insurance products that do not address a real exposure – or are priced unattractively – will not be purchased by insureds. You can see larger limits taking hold in the industry, and towers of coverage purchased by sophisticated companies. This would not be happening if industries thought insurers were not paying claims.

Insurers of course fear changes in loss development. They write policies to provide certain coverages, and price them with certain expectations for loss. If the way the policies are written leads to ambiguity, or the way they are priced does not reflect the loss environment, then the insurer runs the risk of not only sacrificing their profits, but of sacrificing their capital. But overall, claims are a good thing; insurers just need to make sure their underwriting and pricing keep up with claims activity.

How can a security leader better approach the cyber insurance process in their organization?

Companies have to evaluate their cyber risk management needs and understand how cyber coverage fits into their holistic enterprise and technology controls. I think security leaders and their organizations would benefit from security leaders being part of the decision to buy cyber insurance, not just a source of the information required. Security leaders should not see insurance premiums as a loss of budget for either people or technology, but instead as another security tool they are purchasing (though it works a bit differently). Like any tool, they should be sure to ask if the tool meets their needs (“does it cover this scenario?”), get training on its use (“if we have an incident, how do we engage with the insurer; can we use the vendors we already have on retainer?”), and how to get the most use out of it (“what are our biggest risks? what could we do to reduce the premium/increase the coverage?”).

If risk managers and security leaders engage together in the discussion of purchasing insurance, I think organizations will realize improved risk awareness and assessment, be more prepared should a significant cyber incident – one that requires action beyond just remediation, such as alerting customers and/or regulators – occur, get more value from both their insurance and their information security program, and feel confident representing to management they’ve taken reasonable steps to manage the exposure.