latest updates from easySERVICE™
When it comes to cyber insurance, there are numerous variables involved, but having the right cyber risk intelligence information is an important starting point for stakeholders to make more risk-informed decisions. Looking at cyber risk from a business intelligence perspective will help you understand what’s going on in the cyber world around your business, identify your potential short-term and long-term risks and balance them against the cost and value of the insurance policy.
Without correct information and analysis it can be challenging for a business to determine what to cover, how much cyber insurance to buy, which companies provide the necessary coverage, and how to help limit an organization’s risk. There is no 100% right approach when it comes to cyber liability insurance, but you can make it easier to identify the best plan for your business.
There are four main types of cyber liability insurance coverage.
Of course, each of these types of insurance has significant benefits depending on a business’s size, organization, and industry. Identifying risks particular to your business is important when selecting cyber insurance. An important step is to identify sensitive, potentially targetable data so you can classify it and cordon it off from a risk perspective. Another step is to analyze cybercrime in your sector in order to select the appropriate cyber insurance coverage.
Examining the Evolving and Confusing Cyber Insurance Market
There are a variety of policies available, but companies have difficulty identifying the correct policy for their business, and this can have dire consequences. Part of the challenge is understanding the impact of cyber risks on an organization: there are costs associated with incident response, customer notifications, possible non-compliance fees, legal costs, etc., as well as costs in terms of customer loss, damage to the brand, and decreases in stock price and bottom line finances.
It is important to identify not only the short- and long-term risks of your business, but also the policy best suited to your business operations and sector. Incorrect assessments of either of these factors could leave firms vulnerable. Despite all of this, cyber insurance is a product still in its infancy. While there is a wide array of cyber insurance coverage options available, they can be very limited because a standardized assessment of cyber risk does not yet exist.
This is where having the right cyber risk intelligence information can help you make more informed decisions around your organization’s unique cyber risks, the potential impact and where to focus your security efforts and budget when it comes to selecting the proper cyber liability insurance.
The reasons for the current expansion of the cyber liability insurance market are well documented. When conducting business online, no organization is immune. A list of short-term consequences from a security breach includes:
When looking at the Target breach, beyond the estimated 40 million credit and debit card numbers and 70 million customer records that were stolen, there are costs that numerous public sources have reported as:
Commercial giants are not the only ones susceptible to large-scale cyber-attacks. Maricopa County Community College, a small community college in Arizona, was the victim of a 2011 breach, which was not properly dealt with, leading directly to another, more costly breach in 2013.
Over 2.5 million records were stolen. In addition to dealing with the data breach itself, a class action suit was filed against the university for not correcting the problem which caused the 2011 breach. Between lawyers’ fees, records management, consulting, repairs, and credit monitoring, the university has spent nearly $20 million as a result of the data breach.
While these are some extreme cases, they are certainly neither isolated nor uncommon. Targets can range from large governmental organizations to online businesses to local car washes — nearly every organization is at risk. And in each case, the immediate effects range from painful to catastrophic.
One of the most important of these is damage to the brand. It is difficult, yet important, to differentiate naturally evolving consumer preferences from damage caused by a cyber-attack itself. Comparing annual profits or other financial metrics may provide insight, yet there are many other contributing factors. Businesses may lose their customers’ trust in the long term, some may switch providers, and these concerns are difficult to quantify. The inability to quantify this aspect makes it difficult to insure, yet no less important to the company itself.
Evaluating Cyber Insurance: Long-term Risks to Guard Against
A list of long-term consequences from a security breach includes:
Data breach investigations may last years, as seen with the previously mentioned Maricopa County Community College, which has spent nearly $20 million since 2013. This is a long-term concern that should be included in the decision to obtain cyber insurance; however, it is not frequently discussed as it is seen as exceptional.
Companies that are large enough to withstand the initial financial burden of a data breach may not have high enough levels of concern to acquire cyber insurance, which may explain the slow uptake. After the Target breach, stock prices initially plummeted, but they had recovered within six weeks. Similarly, T.J. Maxx saw its stock price drop after a data breach in 2007, but it recovered within a couple of months. While stock prices may eventually recover, the other long-term consequences discussed should be considered by large and small businesses alike when assessing the need for cyber insurance.
On the other hand, some businesses may not be large enough to rely on investors or to take large temporary hits. While larger businesses may be able to lay off employees or withstand temporary drops in profits, small and medium-sized businesses do not have the same luxury. For these businesses, cyber insurance is extremely important, because significant costs in the short term may lead to eventual closure.
Limitations on Coverage
Though Target had around $100 million in coverage, this will certainly not begin to cover the estimated $1 billion in damages caused by their data breach. In fact, it is estimated the maximum amount of coverage one company can possess is around $300 million, even when policies are taken out from multiple insurers. In some cases, there is a large gap between the effects cyber-attacks can have and what cyber liability insurance covers.
Additionally, cyber liability insurance focuses upon the immediate effects of cyber-attacks. Though long-term investment seems to be largely unaffected by data breaches, there are many other long-term consequences which a business must negotiate in the aftermath of a data breach, as mentioned above. If a company is not sufficiently large to maintain investment, the gap in coverage and immediate expenses could be enough to drive it out of business.
Finally, one type of cyber-attack that remains uncovered by cyber liability insurance is state sponsored cyber-attacks. According to a transparency report published by Verizon, this type of attack tripled between 2012 and 2013. State-sponsored attacks from China are evidence of this trend. The companies who suffered data breaches and intellectual data theft in these attacks would have no coverage available.
Unstandardized Risk Evaluation
The limitations upon cyber liability insurance do not rest solely in execution. Problems in analysis of risk in setting insurance premiums have plagued the industry since its inception. Questionnaires are frequently used to evaluate the cybersecurity of a company. However, there is no standard metric for these questionnaires. Between insurance companies, the questions and outcomes can vary significantly. Additionally, the questions may not provide an accurate measure of the actual state of a company’s cybersecurity.
Lacking in data, the cyber insurance market is plagued by uncertainty. With the passage of HIPAA (Health Insurance Portability and Accountability Act) in 1996, data on cyber activity from the healthcare industry is being amassed and is now becoming useful. However, this provides merely a part of the picture.
Additionally, the interconnected nature of cyber presents problems insurers do not face in other industries. The more networks with which a single business interacts, the more risk it is subjected to. In order to get a clear picture of this risk, each third-party network must be assessed. This proves a daunting task for insurance providers, in particular because there remains no standard, quantifiable metric for cyber risk assessment. Deciding when a company is liable and when it is not is also tricky, considering the variety of third-party interactions undertaken daily.
The market for cyber liability insurance has been around for over a decade, but only recently has it experienced a spike in demand. The variety of recent high-profile data breaches has cast light on the importance of having coverage should a cyber-attack strike a business. No business is immune to a cyber-attack, which can wreak havoc not only on the IT environment, but also on the bottom line.
While the short-term consequences of a security breach are clear, the long-term repercussions are not quite so. Sixty percent of small businesses close their doors within half a year of being victimized by cybercrime. Between the costs of updating systems, finding and fixing vulnerabilities, legal fees, and downturns in business, cyber-attacks are enough to drive many small and medium businesses under. Among these costs are other long-term effects, which can be equally significant, yet more difficult to quantify — causing difficulties in the assessment of risk and insurance.
easySERVICE Data Solutions now has the right resources to deliver cyber risk intelligence solutions that help organizations understand the potential for cyber-attacks, determine the impact to their business and proactively address threats head on. Our experienced analysts go beyond the low-level threat intelligence approach that can drown organizations in data. We enable organizations to zero in on their unique cyber risk profile and ensure the most effective risk management strategies are identified and implemented. With easySERVICE as a risk analysis partner, organizations can immediately understand and act on their cyber risk.