Buying cyber insurance: buyer beware

Jul 10, 2017 | 5 mins
Risk Management | Security

The good, the bad and the costly.


The recent NotPetya ransomware was a “shot heard around the world.” I have seen analyses supporting a range of theories, from the code simply being sloppy to the author(s) having their revenue significantly limited once the email account was taken offline. Regardless of your position, there was considerable damage, and as these types of attacks become more pervasive, business owners will likely look to the insurance markets for some option to offset financial losses in response to a crisis event.

In the case of NotPetya, it is not simply a matter of many individual enterprises being hit, but of entire supply chains being hit as well. Reckitt Benckiser Group just announced they will likely have trouble hitting their quarterly numbers because impacted production lines left them unable to invoice for millions of dollars. While you may have heard about FedEx being hit, Moller-Maersk (the world’s largest sea logistics operation) will also see a sizeable toll on its top and bottom lines, as thousands of shipping containers could not be offloaded due to system failures and compromises at sea ports. Understanding cyber risk is a core element of understanding today’s business risk.

There are many instances where those who sell cyber coverage cannot adequately speak to its value proposition because they are not cyber risk experts. Conversely, those who generally buy insurance are not cyber risk experts either.

With cyber insurance, there appears to be a school of thought where having insurance translates to having protections in place when a cybersecurity event evolves into an actual cybersecurity incident. I have seen online applications that grant coverage after answering only ten questions. So the first question that should be running through your mind is, “How can ten questions determine an applicant’s cyber risk profile?” The short answer: “They can’t.”

So why do insurance carriers take such an approach? It is a numbers game, no pun intended. Depending on the source used, the cyber insurance market will hit over $7 billion by 2020 or by 2025; keep in mind that in 2015 it was around $1 billion. So you have a mad rush of carriers looking to sell and an uneven balance of those looking to buy.

An insurance policy is essentially a contract. You have an agreement between buyer and seller that, in the event of a range of cyber scenarios, the insurance company pays out. Or does it? If you review annual data breach reports where insurance is involved, there are several instances where the insurer declined to pay a claim because of the scope of the policy or “exclusions” within it. Perhaps even more problematic is the uptick in the rate at which this scenario occurs.

In a recent interview with Thomas H. Bentz, Jr. of the law firm Holland and Knight, LLP, Mr. Bentz provided insight about cyber liability insurance policies and how they can protect policyholders. Cyber policies are complicated and need to be negotiated. Many companies fail to truly understand this coverage until after they have a claim. Negotiating coverage enhancements upfront can significantly improve the coverage.

Even if you have a CISO reviewing the policy, there is likely a disconnect between the harm triggers embedded in the policy and what is excluded. Take the case involving P.F. Chang’s. Would a CISO have factored a penalty for the re-issuance of credit cards into the equation? Probably not. Had the CISO done so, would a CEO or CFO have agreed that this is a business risk exposure? Probably not.

So we are now left with a unique scenario: policyholders rely on insurance carriers to pay out on claims in good faith, while the carriers limit their downside exposure to a claim through carefully crafted language. You cannot fault the insurance carriers for trying to limit their exposure. However, it raises a question of fairness: would a prudent and reasonable person understand not only what the policy covers, but also what it does not cover?

It is highly unlikely that P.F. Chang’s obtained a cyber policy by merely answering ten questions. Financial services and retail are common buyers from well-established carriers that have insured their businesses for decades. But as more policies are issued, with a large percentage of them relying on such trivial measures to identify the applicant’s cyber risk profile, is there a potential argument that either (1) the issuer of the policy bears contributory negligence in the face of a claim, or (2) the use of such techniques is an unfair and deceptive business practice? I interviewed several stakeholders representing the regulatory and legal fields, and these topics are not front and center of concern right now. However, all parties concur that if similar claims against carriers continue to increase, the likelihood that a regulatory body like the NAIC or FTC will step in is high.


Carter Schoenberg is the President and Chief Executive Officer of HEMISPHERE Cyber Risk Management, Inc. Mr. Schoenberg is a certified information system security professional with over 23 years of combined experience in criminal investigations, cyber threat intelligence, cyber security, risk management and cyber law. He is a cybersecurity subject matter expert supporting government and commercial markets to better define how to evaluate a risk profile and defining criteria for brokers and carriers to utilize in their determination on coverage and premium analysis.

HEMISPHERE is working with insurance stakeholders to define appropriate standards and training of brokers and agents in determining coverage requirements, scheduled for release later in 2017. HEMISPHERE is also working with the National Association of Insurance Commissioner’s Cyber Task Force.

Mr. Schoenberg’s expertise has been featured at many events, and his background and knowledge of the Latin American markets, specifically Panama, has provided him with a unique and detailed view of this market segment.

Mr. Schoenberg is responsible for designing practical solutions to address cyber risk management using his proprietary cost-benefit analysis enabling system owners to make mission and cost justified decisions on cyber risk. Starting his career in law enforcement as a homicide detective, his work products have been actively used by DHS, the ISAC communities, and the Georgia Bar Association for Continuing Learning Educational (CLE) credits on the topic of cybersecurity risk and liability. His expertise is profiled at conferences including ISC2, SecureWorld Expo, ISSA and InfosecWorld.

The opinions expressed in this blog are those of Carter Schoenberg and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.