What cyberinsurance gotchas companies must be ready for

Insurance challenges

Businesses shelled out $2 billion in cyber insurance premiums in 2015, but current projections show that astronomical growth rates will result in a market of over $20 billion by 2025. The single biggest challenge faced by insurance companies today is the lack of actuarial data on cyber attacks, which makes pricing these cyber insurance policies very difficult. As a result, insurance companies are increasingly resorting to other methods to help them price these policies more accurately, which is good news for them but will result in a number of challenges for businesses.

CipherLoc Vice President Mike Salas details six challenges companies will face as the insurance industry begins to expand its presence in the cybersecurity industry.

Assessments will become standard

Unlike the auto, home, and life insurance markets, highly accurate actuarial data on cyber attacks do not exist. To address this shortcoming, insurance companies will increasingly rely on “security readiness” assessments to determine the amount of potential risk a company carries. These assessments, typically performed by independent third parties, will evaluate a variety of factors including the amount of data at risk, the value of that data, the various locations where this information resides, and the security products and tools in place to protect that information. The assessment will then be measured against a “best practices” list that will evolve and change as new tools and techniques are introduced into the market.

Incident response plans will become a requirement

To minimize potential risk, insurers will demand that companies develop and document incident response plans. These plans are designed to spell out the exact steps a company must follow in the aftermath of an attack or data breach. These steps help ensure that the incident is handled in a manner that limits the damage caused and reduces recovery time and costs.

According to the SANS Institute, there are six key parts to an incident response plan: preparation, identification, containment, eradication, recovery, and lessons learned. Companies will be required not only to come up with plans for each of these areas, but also to identify the specific team that will be responsible for managing and executing the plan.

Security “FICO scores” will emerge

Just as credit scores have become the industry norm for measuring the creditworthiness of consumers, the continued maturation of the cyber insurance market is leading to the emergence of security “FICO” scores for businesses. Firms developing these scores will not need company permission; they will instead use proprietary algorithms that grade a company’s security posture based on publicly available information combined with ongoing analysis of externally visible behavior. Cyber insurance companies will in turn license these scores from the providers for use during the underwriting process.

As a result, companies will be forced to continually monitor their scores, not unlike how a consumer needs to keep tabs on their credit score. Furthermore, companies will also need to alter their behavior to ensure that their rating is not negatively impacted.

Monitoring tools will be installed by cyber insurance companies

To reduce the volatility that will likely occur in premiums due to fluctuating security scores, companies will be offered the ability to add monitoring tools to their network. These monitoring tools will provide insurers a way to reduce their risk through the real-time collection and analysis of data.

In exchange for allowing the use of these tools, companies will be offered a discount on their cyber insurance premiums. In more extreme cases, cyber insurance providers may make this a mandatory requirement to obtain a policy. Since there may be resistance to allowing an external party access to an organization’s internal network, companies will need to carefully weigh the cost-benefit tradeoff of whether to accept the installation of these monitoring devices.

Information sharing will become the norm

Due to the lack of historical data on which to accurately price policies, cyber insurers will be actively working together to share information so that long-term profiles can be created. One leading effort, called the Cyber Exposure Data Schema, seeks to provide the insurance industry with a systematic and uniform way to capture cyber data and manage risk. Developed with support from eight leading insurance companies, this data standard provides firms with a standardized approach to identifying, quantifying and reporting cyber insurance exposure.

For companies, this ultimately means that information related to their cyber security readiness and exposure will no longer be kept out of view. Since information sharing will become the industry norm, companies should proactively take steps to work with their cyber insurance providers to better understand the type of information that will be collected.

Disclosure mandates will be implemented

Since data breaches are inevitable, cyber insurers will increasingly force companies to find ways of mitigating the impact of these breaches. Some of these efforts will be the voluntary implementation of best practices. For example, companies would be well advised to protect their most sensitive data with advanced encryption technology, which can safeguard any data stolen or compromised in a breach by rendering it unusable to the attacker.

However, companies will increasingly face legal mandates to formalize their responses to data breaches. Already, 47 states have enacted legislation requiring companies to notify individuals of security breaches of information involving personally identifiable information. The federal government has also recently introduced legislation that would create a national data breach law. With disclosure mandates becoming unavoidable, companies should proactively focus not just on protecting their most critical assets, but also on developing notification protocols that can be rapidly implemented once breaches have been identified.