What are Insurers really covering?

Rick Dakin, CEO, Co-founder and Chief Security Strategist

Across the country, executives and their boards saw the data breaches that occurred at large, well-run retailers and immediately began asking the right questions about their own systems and protections. The challenge for the insurance industry is that the plan for many of these companies seems to be transferring as much risk as possible to insurers, who may not have a full and complete understanding of what they are covering.

Cyber insurance has already experienced significant growth. Last year, the take rates on dedicated cyber policies and critical infrastructure policies increased by 20 percent and 40 percent, respectively. Companies operating in transaction-dependent businesses as well as those providing critical infrastructure understand that a cyber-attack could cause unrecoverable loss unless cyber insurance is obtained.

However, many companies struggle to specify the types and form of coverage they need, and to show how much of their risk has already been mitigated through security programs; both are needed to negotiate a justified rate for coverage of the residual risk.

Insurers are writing policies to cover losses due to cybercrime without obtaining full transparency of the cyber risks facing the companies they insure. The lack of risk data provided by insured companies combined with the limited loss expectancy data available to the underwriters creates uncertainty. This is partially reflected in the price spreads between insurers for equivalent policies, but the industry as a whole is operating in an environment of information opacity.

Correctly pricing cyber risk is difficult for a number of reasons. Two decades ago, the product didn’t even exist. There’s no way to know right now what the cyber equivalent of a 100-year storm will be.

Non-disclosure is another significant challenge. There remains no national standard for data breach notifications. Given the serious public relations and sales repercussions that come with publicly disclosing security issues, many companies won’t mention them unless they are required to do so by state law.

On the auditing side, the lessons from Enron have not yet made it to cyber risk management. The companies assessing compliance with many industry requirements – such as the Payment Card Industry (PCI) Data Security Standard – are the same ones that provide the security services. The level of conflict between the advisors and auditors is high and very little guidance is provided to establish reliable and independent assessments for the governance groups.

As insurance carriers increase their exposure in this area, they should look to their own independent auditors to determine the true risks their customers are facing. With cyber-attacks increasing rapidly in sophistication and intensity, there will be no shortage of companies looking to offload those risks. It will be up to insurance providers to protect themselves when the inevitable “Big One” hits.
