In part one of this series, we explored the expanding threat landscape of cybersecurity, and the apparent disconnect between global increases in both the frequency and severity of data breaches and IT security spending.
With data breaches and cyber-attacks on the rise, many victims are finding themselves battling it out with cyber insurance companies over protection from the damage realized by security breaches.
The Financial Times reports that not only have the sales of cyber insurance policies been growing by some 25% per year but so too has the number of disputes between organizations and their insurers.
Case Study: National Bank of Blacksburg
After the National Bank of Blacksburg in Virginia suffered two data breaches, one in 2016 and the other in 2017, well-to-do executives may have found themselves quite pleased that they had the foresight to purchase cyber insurance to cover these exact types of occurrences.
However, Everest National Insurance Co. refused to pay out a significant portion of the bank’s claimed losses of $2.4 million, offering only $50,000 instead, on the grounds that the data breaches were not covered by National Bank’s computer and electronic crime insurance rider. Following the incident, National Bank then sued Everest for breach of contract and a larger portion of the data breach costs in a lawsuit that essentially highlights just how vague and contrary cyber insurance policies can really be, and further, just how little insureds really understand about the coverages they are purchasing with such policies.
The Concerns with Cyber Insurance
1. Although it is growing rapidly, it is a relatively small market and many insurers are quite keen to sell cyber policies in order to grow their business. 2. Because it is such a relatively new risk to manage, the actuarial data is lacking and, as can be expected, many insurers simply lack the confidence in their predictability models to allow them to accurately assess each individual risk. 3. There is a significant degree of overlap between cyber-related incidents and the types of events that are covered by other insurance coverages. In particular. One example may be the fine line between where a property insurance policy ends, and where the cyber insurance policy takes over. (For this reason, it would be strongly advised to keep your policies with the same insurer, to avoid further potential for dispute, amongst insurers.)
In the instance of National Bank, the main issue is whether the breaches are covered under the computer and electronic crime rider of their insurance, which as a loss of liability limit of $8 million, and a deductible of $125,000, or under their debit card rider, which has a much lower single loss limit of $50,000, and a $25,000 deductible. Without getting into the specificity within the wordings themselves, it’s easy to see from the names of these coverages themselves, that there is significant room for confusion and overlap.
Cyber Insurance and Cyber Security
If there are two topics of present-day relevancy that could not be further misunderstood, cyber security and cyber insurance may well be at the top of the list. While every organization needs to be aware and prepared for a cybersecurity incident, the truth is that the large majority will not be.
"Cyber is uncharted territory. It’s going to get worse, not better."
Warren Buffet, Chairman and CEO of Berkshire Hathaway
Business magnate, investor and CEO of Berkshire Hathaway, Warren Buffet warns that cybersecurity incidents will continue to rise and with it the potential to significantly harm businesses, including the insurance industry.
Buffet further illustrates the concern noting that while Berkshire Hathaway has a “pretty good idea” on how to accurately assess the probabilities for earthquakes in California, and hurricanes in Florida, however, the same cannot be said for predicting cybersecurity events.
The investor expressed his skepticism that any insurance company can accurately asses the risk for cybersecurity events.
"We (Berkshire Hathaway) don’t want to be a pioneer on this. I think anybody that tells you they think they know, in some actuarial way, either what general experience is like in the future, or what the worst case can be, is kidding themselves."
Warren Buffet, Chairman and CEO of Berkshire Hathaway
The language of Cybersecurity and Insurance – Brokers and Penetration Testers
If Warren Buffet, arguably the most successful investor of all time, has his concerns about the effectiveness of the current state of cyber insurance and an insurance companies’ ability to not only predict the probability of but also their ability to mitigate the risk itself; there should be no question that it is not a topic that should be considered lightly.
Much of the core issues surrounding the subject comes from sheer negligence on the topic of cybersecurity and insurance. This concern can be carefully and strategically mitigated through the proper use of insurance brokers and penetration testers.
The fact of the matter is, both insurance and cyber security come with their own particular languages and jargon that are, for the most part, privy to only those experts in their relative fields.
Necessarily, in order for any business or organization to protect themselves against the damage of a data breach, it is imperative that a certain level of understanding is in place. While it does help, that knowledge does not necessarily have to be leveraged by an internal component of the organization, and in some cases, it’s ideal that it is not.
"If I should really WANT to answer the foolish question you have just asked, or any of the other questions you have been asking me, let me remind you that I have a row of electric push-buttons on my desk, and by pushing the right button, I can summon to my aid men who can answer ANY question I desire concerning the business to which I am devoting most of my efforts. Now, will you kindly tell me, WHY I should clutter up my mind with general knowledge, for the purpose of being able to answer questions, when I have men around me who can supply any knowledge I require?"
In reality, there are two ways any organization can approach the situation. The first is trial and error, and the second is to borrow experiences. For every problem out there, cybersecurity included, one can muddle around in trial an error, wasting valuable resources and taking unnecessary risks, or one can call on the experts.
Where insurance is concerned, brokers are the experts. While cyber insurance is still in its infancy and actuarial data is lacking, a qualified broker will not only be able to guide your business to the optimal fit insurer but should also have some leverage with insurers concerning coverages in the event of a loss. Broker-Insurer Relationships are number one in the insurance world.
As already discussed, based on the reasoning that cyber insurance is so new and the market, equally unpredictable; it cannot and should not be relied upon as a sole source of risk management where information security is concerned. Without the actuarial data, many insurers are having a very hard time establishing, with any degree of confidence, adequate rates and coverages for the threats seen in cybersecurity. This is not to say cyber insurance should not be purchased, quite the opposite, it absolutely should, however, there needs to be some “homework” done in order to properly assess a given organizations risk level. This is where penetration testing comes in.
A Penetration Test, also known as a Pen Test, is an authorized, simulated attack on a computer system, performed with the goal of evaluating the security of the system. The test is performed to identify vulnerabilities, in order of priority and severity.
A quality penetration testing firm will have the unique ability to translate security into a language that is understandable across all levels of an organization. Reports generated through penetration testing can serve to provide the valuable feedback that an organization requires to prioritize future security investments in insurance, as well as the mitigation of vulnerabilities.
When performed by a qualified Penetration Testing company, a pen test will not only help to prioritize your organization’s security efforts but also mitigate the overall risk and severity of a data breach if one does occur.
For more information, please review our website and contact us for in-depth information on any of the items discussed here.
Our mission to continually stay on top of current threats and vulnerabilities has helped distinguish our testing from our competitors. Often times, firms will try to commoditize security testing by performing automated testing (VA scans) with little benefit to the client. Our methodology only begins with automated testing. Thereafter, our extensive experience allows us to manually uncover high-risk vulnerabilities which are often missed by conventional testing methodologies.
We mandate training and continually learn and adopt new attack techniques for our clients. We are always digging deeper to uncover vulnerabilities that may have been overlooked. Our mission is to maintain the fact that not one of our clients have been breached by a vulnerability we’ve missed; we take this very seriously.