What are Insurers really covering?

May 27, 2014, Rick Dakin, CEO, Co-founder and Chief Security Strategist

Across the country, executives and their boards saw the data breaches that occurred at large, well-run retailers and immediately began asking the right questions about their own systems and protections. The challenge for the insurance industry is that the plan for many of these companies seems to be transferring as much risk as possible to insurers, who may not have a full and complete understanding of what they are covering.

Cyber insurance has already experienced significant growth. Last year, the take rates on dedicated cyber policies and critical infrastructure policies increased by 20 percent and 40 percent, respectively. Companies operating in transaction-dependent businesses as well as those providing critical infrastructure understand that a cyber-attack could cause unrecoverable loss unless cyber insurance is obtained.

However, many companies struggle to specify the types and form of coverage they need, and to show the extent to which their security programs have already mitigated risk, which is what they need in order to negotiate a justified rate for coverage of the residual risk.

Insurers are writing policies to cover losses due to cybercrime without obtaining full transparency of the cyber risks facing the companies they insure. The lack of risk data provided by insured companies combined with the limited loss expectancy data available to the underwriters creates uncertainty. This is partially reflected in the price spreads between insurers for equivalent policies, but the industry as a whole is operating in an environment of information opacity.

Correctly pricing cyber risk is difficult for a number of reasons. Two decades ago, the product didn’t even exist. There’s no way to know right now what the cyber equivalent of a 100-year storm will be.

Non-disclosure is another significant challenge. There remains no national standard for data breach notifications. Given the serious public relations and sales repercussions that come with publicly disclosing security issues, many companies won’t mention them unless they are required to do so by state law.

On the auditing side, the lessons from Enron have not yet made it to cyber risk management. The companies assessing compliance with many industry requirements – such as the Payment Card Industry (PCI) Data Security Standard – are the same ones that provide the security services. The level of conflict between the advisors and auditors is high and very little guidance is provided to establish reliable and independent assessments for the governance groups.

As insurance carriers increase their exposure in this area, they should look to their own independent auditors to determine the true risks their customers are facing. With cyber-attacks increasing rapidly in sophistication and intensity, there will be no shortage of companies looking to offload those risks. It will be up to insurance providers to protect themselves when the inevitable “Big One” hits.
