Cyber insurance has begun to take root in recent years, and while many industries have yet to invest in a cyber insurance policy, others are starting to ask whether cyber insurance might be the missing tool in the organization’s security toolbelt. A recent survey found that 70 percent of healthcare organizations lacked cyber insurance, and another study reported that a mere five percent of manufacturing companies in the U.S. had a cyber insurance policy. Given the repeated headlines highlighting healthcare as the industry hardest hit by cyberattacks and data breaches, one might be inclined to think that cyber insurance is not a bad investment.
I recently explored the concept of cyber insurance in an article titled “Should Cyber Insurance be a Line Item in your Security Budget?” published by Bloomberg BNA. The bottom line is that cyber insurance doesn’t stop the bad guys and it should not be viewed as an adequate replacement for cyber best practices and effective security controls. What I found is that cyber insurance is still a very young and immature concept. Compared to other types of insurance, such as home, auto and life, for example, it’s only been around a fraction of the time. And, after looking at the supporting statistics, it became clear that traditional forms of insurance are fundamentally different from cyber insurance. With traditional insurance the insurer is betting—albeit with an actuarial algorithm—that the person they are insuring will be involved in an accident. With cyber insurance, that same probability principle just doesn’t apply—there’s a wealth of statistics across every industry that demonstrate the high probability of a material breach or cyberattack.
Aside from that, cyber insurance never covers everything—there are almost always exceptions and exclusions.
Cyber insurance is sometimes touted as a solution to an inevitable cyberattack or data breach. But cyber insurance isn’t a solution—it’s not a tool developed by a cybersecurity company that organizations purchase and install on their networks and devices. It doesn’t provide anti-virus protection, it doesn’t help with vendor patches and updates, it doesn’t provide continuous monitoring, and it doesn’t provide device visibility and control. Cyber insurance is simply another facet of risk management; specifically, it mitigates the financial risks associated with cyber incidents. As noted in an official statement from members of the Federal Financial Institutions Examination Council (FFIEC), “Purchasing cyber insurance does not remove the need for a sound control environment. Rather, cyber insurance may be a component of a broader risk management strategy that includes identifying, measuring, mitigating, and monitoring cyber risk exposure. An effective system of controls remains the primary defense against cyber threats.”
The International Organization for Standardization (ISO) 27000 family of standards is one such system of controls and focuses on the final step in the risk management process—risk treatment. At a high level, ISO/IEC 27001 is the best-known standard for an information security management system (ISMS), a systematic approach to managing and securing sensitive data. Using this guidance, organizations can address risk in the following six ways: avoid, accept, retain, remove, change or share. In the ISO 27k model, the risk transfer provided by cyber insurance is considered a form of risk ‘sharing’. It’s critical that any organization considering cyber insurance understand that risk ownership cannot be fully transferred, and that it complete a thorough risk assessment and evaluation to understand its risk profile before buying a policy.
For example, healthcare organizations will typically prioritize system availability over integrity and confidentiality because the healthcare mission is centered on patient safety. In that case, even if the risk is shared, the insurer cannot guarantee patient safety with an insurance policy. In other industries, such as retail, availability often takes a backseat to confidentiality. Retailers are concerned about secure transactions and protecting customer payment information. Again, it’s important to realize that sharing the risk—a hacked retailer point of sale (POS) system, for example—can’t turn back the clock. Even if an insurer can cover the costs of fines, legal fees, and getting back online, retailers still have to deal with reputational damages and customers have to deal with potential identity theft. Lastly, consider manufacturing, an industry that often prioritizes data integrity over confidentiality and availability. Should a bad actor gain access to the controls of a production line and change only a single line of code, the manufacturer could produce an altered or dysfunctional product, resulting in profit loss, reputational damage, and—depending on the type of product produced—even injury. Yet again, cyber insurance doesn’t prevent the initial event, and it is only helpful to a certain extent in dealing with the aftermath because the risks can never be fully transferred to the insurer.
I’ve heard risk talked about before as if it were a liquid or gas—something that can either be washed down the drain or left to evaporate in the sun (after all, in the words of Justice Louis D. Brandeis, “sunlight is said to be the best of disinfectants.”). The reality is that risk is a very dense solid, and the longer you avoid it, the bigger shovel you’re going to need to handle it. Organizations should really focus on the six best practice methods of addressing risk—and ‘ignore’ isn’t an option.