New Approach to Cyber Insurance

The most active players in the fledgling but fast-growing cyber insurance market are hustling to differentiate themselves.

The early adopters and innovators are doing so by accelerating the promotion of value-added services—tools and systems that can help companies improve their security postures and thus reduce the likelihood of ever filing a cyber damages claim.

As more businesses look to purchase cyber liability policies, insurance sellers are striving to dial up the right mix of such services, a blend that can help them profitably meet this pent-up demand without taking on too much risk.

The incentive is compelling: Consultancy PricewaterhouseCoopers estimates that the cyber insurance market will grow from about $2.5 billion in 2014 to $7.5 billion by 2020. European financial services giant Allianz goes a step further with its prediction that cyber insurance sales will top $20 billion by 2025.

This anticipated growth in demand for cyber liability coverage—coupled with the comparatively low level of loss claims—has created strong competition in this nascent market.

The Insurance Information Institute estimated last year that about 60 companies offered standalone cyber liability policies. In total, more than 500 insurers provide some form of cyber risk coverage, according to a recent analysis by the National Association of Insurance Commissioners.

“There are quite a few players, so they are looking for ways to differentiate themselves and find competitive edges,” says David K. Bradford, co-founder and chief strategy officer for Advisen, an insurance research and analysis company.

Insurance companies make adjustments

Insurance carriers hot after a piece of this burgeoning market are beginning to offer value-added services to make their cyber offerings stand out.

Rather than growing these services in-house, most are partnering with vendors and consultants that specialize in awareness training, network security and data protection. Services that boost the value of cyber policies are being supplied for free, or offered at a discount. Typical cyber insurance value-added services include:

  • Phishing and cyber hygiene awareness training
  • Incident response planning
  • Security risk assessments
  • Best practices web portals and software-as-a-service tools
  • Threat detection services
  • Employee and customer identity theft coverage
  • Breach response services

One measure of value-added services gaining traction comes from the Betterley Report, which recently surveyed 31 carriers that offer cyber policies. Betterley found that about half offered “active avoidance services,” while nearly all offered some sort of pre-breach planning tools.

Rick Betterley, president of Betterley Risk Consultants, which publishes the Betterley Report, says there is still a long way to go. “There’s much more that can be done to help the insureds be better protected,” he says.

Betterley is a big proponent of adding risk-management services to cyber policies. He calls the approach Cyber 3.0, adding that it’s akin to the notion of insuring a highly protected risk in a property insurance policy. Cyber value-added services, he says, are the equivalent of fire insurance companies requiring sprinklers.

“It’s not required that insurance companies provide the services, but it’s required that they help insureds identify what services are likely to generate a reduction in premiums,” Betterley says.

Sector faces new challenges

That said, the cyber insurance sector is still finding its way. With auto crashes, fire or natural disasters, losses are well defined and fully understood. Cyber exposures, by contrast, are hard to pin down. Network vulnerabilities are extremely complex and continually evolving. And historic data on insurance claims related to data breaches remains, at least for the moment, in short supply.

An added challenge, Betterley says, is that insurance companies are unable to satisfactorily measure the effectiveness of security technologies and services in preventing a data breach.

Advisen’s Bradford agrees. “It’s a rapidly evolving area that changes day to day, and underwriters are definitely wary of recommending a particular vendor or approach,” he says.

Eventually, the insurance industry will figure out how to make meaningful correlations and separate the wheat from the chaff.

“In bringing in these value-added services, we can help shore up some of those areas where we’re seeing human error,” observes Dave Wasson, cyber liability practice leader at Hays Cos., a commercial insurance brokerage and risk management consultancy. “We’ll be at a point where we’ll know what makes a difference, and we can put our money, time and efforts into those solutions.”

Eric Hodge, director of consulting at IDT911 Consulting, part of IDT911, which underwrites ThirdCertainty.com, concurs. One ironic result of the recent spike of ransomware attacks aimed at businesses, Hodge says, is that more hard data is getting generated that is useful for calculating loss profiles.

Along the same lines, settlements of class-action lawsuits related to breaches at high-profile companies, such as Target and Sony, are helping amass data that will help the industry flesh out evolving actuarial tables.

“Losses from cyber attacks and data breaches are becoming easier to quantify,” Hodge says. “And market forces are absolutely lining up to reward the wider use of these activities. It’s harder to ignore the fiscal argument for an insurer to go the extra mile in helping the insured organizations make sure that a costly breach doesn’t occur.”

AIG blazes trail

One notable proponent leading the way is multinational insurance giant AIG, which is nurturing partnerships with about a half-dozen cybersecurity vendors.

AIG services—some of which are offered to policyholders at no cost—range from threat intelligence and cyber risk maturity assessments to active detection and vulnerabilities assessments.

RiskAnalytics, one of AIG’s partner vendors, provides threat intelligence services, including a service that detects and shuns blacklisted IP addresses. Any AIG insured with a minimum $5,000 policy can participate at no additional cost.

The company’s partnership is exclusive to AIG, and appears to be very popular.

“We’re bringing in multiyear contracts, and the average sales price is on an impressive trajectory,” says RiskAnalytics Chief Operative Officer Kurt Lee. “It’s all born out of (customers) using that (introductory) service through the policy.”

Recognizing the trend, more vendors are seizing the opportunity to market their services to insurance carriers.

Vendors are willing to jump through the many hoops because a partnership with an insurance company is an opportunity to get a soft introduction to a potential client, says Mike Patterson, vice president of strategy at Rook Security, a managed security services provider (MSSP) that is reaching out to carriers.

Dismantling roadblocks

As with any new approach, broad adoption of cyber insurance value-added services isn’t without hurdles. One major obstacle is the “‘this-isn’t-how-we’ve-always-done-it’ way of thinking,” says IDT911’s Hodge. “It’s like trying to change our election processes—people resist altering a system that has been in place for a couple hundred years.”

Another barrier is cost. Insurance companies tend to reserve free or discounted added services for heavyweight clients that spend small fortunes on annual premiums, says John Farley, vice president and cyber risk practice leader at insurance brokerage HUB International.

“Carriers can’t give away a lot of resources, so the smaller premium payers are not getting a lot of these services,” Farley says. “But if they can streamline and automate resources and figure out how to get customizable, usable information to the insurance buyer, that insurance carrier will probably stand out.”

Brian Branner, RiskAnalytics’ executive vice president, says that’s exactly one of the benefits that AIG derives from their partnership.

“If we can get the insureds to use the services we provide, we should lower AIG’s loss ratio because they’ll be safer organizations, and AIG should receive fewer claims,” he says.

Hidden costs of a breach can affect a large enterprise for years, and prove catastrophic to a small business. So insurance companies in the vanguard are looking to find business clients that are taking information security seriously.

As more companies buy cyber policies, and use any attendant services, the result could be a halo effect, says IDT911’s Hodge.

“This is certainly something that the insurers are counting on,” Hodge says. “A more secure buyer is a lower actuarial risk to the insurer.”

Meanwhile, policyholders should steadily become better equipped to securely do business in an internet-centric economy riddled with evolving exposures.

Hodge says: “In my experience, the buyer is often pleasantly surprised by the improvement that can come about quickly in terms of knowing their risk, being compliant with their industry standards and being able to indicate to the marketplace that they are taking good care of their customers’ information.”

This post originally appeared on ThirdCertainty. It was written by Rodika Tollefson.

Understand the Nuts and Bolts of Cyber

Answering the growing demand for cyber risk insurance, many carriers have joined the market. But buying a policy for an organization, especially for the first time, can be a confusing process.

Not only are insurance carriers inconsistent in the type of coverage they offer, but buying this type of insurance is different from buying more common policies, such as general liability.

“Businesses have a difficult time determining the probability of suffering a loss and the potential size of a claim,” says Bill Wagner, a partner in the Indianapolis office of legal firm Taft. “In addition, there are no standard policies.”

One common misconception among buyers concerns risk exposure. For example, who bears the liability if a third party — such as a payroll service, data warehousing or cloud provider — causes the breach?

“A lot of companies assume that by signing a contract with a vendor, they’ve outsourced or got rid of the liability — and that’s almost never the case,” says Dave Wasson, cyber liability practice leader at insurance brokerage Hays Cos.

A common mistake is rushing to buy a policy without assessing the vulnerabilities first, says Christine Marciano, president and CEO at Cyber Data-Risk Managers, which specializes in cyber insurance.

“Companies should know first where their data is residing, what type of data they are holding, and the security around their network and their employees,” Marciano says.

Some of the main categories of cyber insurance coverage are:

  • Security and privacy liability: Damages typically related to data breaches that affect a third party.
  • Regulatory defense: Most policies cover fines and penalties, in addition to defense costs, for an investigation by a regulatory agency.
  • Data recovery: Costs for restoring or recreating data that was damaged or stolen.
  • Crisis services: Services necessary after an actual or suspected data breach; they could include computer forensics, breach notification, credit monitoring and public relations.
  • Business interruption: Typically relates to loss of business income due to a cyber attack.
  • Data extortion: Coverage for incidents such as ransomware attacks if the threat is deemed credible.

Not all insurers include these categories in the core policy. Some offer them only as add-on coverage, often with smaller coverage limits.

What you need to know

Based on tips from Wagner, Wasson and Marciano, here are some basic things organizations new to cyber insurance should know:

1. Policy conditions: Carriers may deny a claim if practices or minimum standards that were listed in the coverage application are missing or have changed. Know the conditions you must follow for the coverage to remain in effect.

Wasson strongly cautions against buying the kind of policy that imposes the minimum standards or practices condition. He calls it “essentially a mistakes exclusion” and says it’s not common in other types of insurance.

2. Exclusions: Just as important as what’s covered is what isn’t. The list of exclusions can be extensive and can include such things as network negligence (e.g., unpatched software), chargebacks (such as when credit card numbers are stolen) and failure to upgrade technology.

3. Expert panel: Most plans come with a preapproved panel of crisis-response vendors. If you have an established relationship with your own vendor, the insurance company may be willing to approve that company for the panel.

4. Prior acts: It could take a long time for a breach to be discovered, which means cyber attackers could be lurking in the network for months — and sometimes years. Some carriers offer additional coverage for prior acts, incidents that the policyholder doesn’t know about yet and that happened prior to the retroactive policy date.

5. Jurisdiction: State laws are different and, in the event of a lawsuit, the location of the court will impact the interpretation of the contract and the damages.

Wagner says the state law should be the leading factor in determining the type of policy and that the amount of coverage should be discussed with the insurance broker and legal team.

6. Policy amount: Since there is not enough actuarial data showing how much a loss would cost, and the size of a claim depends on many variables, there’s no golden rule for how much coverage you will need.

Some companies look to research such as Ponemon Institute’s Cost of Data Breach surveys. But Marciano says it often comes down to what the company can afford.

“(The limits) tend to be expensive, and the smaller companies often can’t go for the higher limits,” she says.

Wasson says determining the adequate limit is the most difficult part of his job.

“We know what a good policy looks like,” he says, “so sometimes the only question is: Is the insured willing to pay for the best policy, or do they want the cheapest thing that meets contractual obligations?”

This article was first published on ThirdCertainty and was written by Rodika Tollefson.