Buying cyber insurance? Prepare to be confused by a marketplace too new to have standardized policies. Your best strategy is to get a firm grip on what your company has at risk, and read the fine print to find an insurance plan that meets your specific needs.
That’s the advice from Chip Block, VP at Evolver Inc., a company based in Reston, VA, that runs large scale security operations centers for government and financial organizations and provides full cyber assessment and technology services for corporations—including running risk assessments to help companies buy cyber policies (using, we might add, the RiskLens application powered by the FAIR model).
Chip is a long-time researcher on cyber risk and cyber insurance, a certified FAIR analyst and leader of the Washington, DC area chapter of the FAIR Institute. Here’s what he has to say about smart cyber policy shopping.
What services do you provide to clients related to cyber insurance?
The primary thing is to do a FAIR quantification of risk so that the clients understand what their monetary risk is and where that risk lies.
Most people, when they think of insurance, think of the top-level number, but that’s not as important as understanding where the risk to the company lies so they can be sure their policy covers it.
Why the concern about tailoring a policy to fit top risks? Isn’t coverage standardized?
That hasn’t quite happened yet in cyber insurance. Every policy is different, every company is dealing with this differently. You need to understand the nature of the threat and monetary loss to your business. And if either the threat or the monetary limit is excluded, that’s not a good policy for you.
Is it a question of paying higher premiums for a better policy then?
In that case, I’d call a different insurance company. Where we are in the market right now, policies are very broad and in some cases, it may take just asking the insurer for specific language in the policy that covers your greatest risks. This is where working with a good broker who understands the variations in the policies is important.
What’s the trade-off between buying cyber insurance or spending on better cyber defenses?
It’s not that type of trade-off. You don’t want to be in a situation where you’ve got insurance and you’re hoping nothing bad happens. That’s no way to run a business.
But there are situations—to use the language of the FAIR model—when the likelihood of something happening is low but the impact is very high, that’s when you want to have insurance. On the other hand, if the likelihood of something happening is higher and the cost manageable, that’s when you should put technology and resources against the impact.
That’s one of the powers of doing quantification with the FAIR model: It will tell you those things. We also offer a service that is designed to address that question: What do I fix vs. what do I insure?
Why buy separate cyber coverage at all?
Because the insurance industry, in most cases, has excluded cyber actions in other policies. That’s been going on for a while, mainly because the insurance industry is still trying to figure out how to address cyber.
You often hear from a quantification perspective that there’s not enough data for cyber insurance to work. But that’s the insurance companies’ situation, looking at it from an actuarial perspective. For individual clients who are buying the insurance, there’s plenty of data because we’re talking about their specific risk.
Let’s get down to cases. What advice would you give to companies seeking insurance to cover a data breach of customer personally identifiable information?
The majority of the policies today are focused around confidentiality, which is data breach -- loss of PII or health records, for instance. The insurance industry is very well suited for that. All your first-party costs such as credit monitoring services, the cost of forensics or PR, are pretty well covered. In fact, many of the insurance companies also provide breach response services as part of your policy.
What about ransomware insurance?
This is by far the fastest growing cyber insurance market. Ransomware is a systems availability situation in which you can’t conduct business. And the insurance in that area right now is very inconsistent, particularly for quantification of loss of revenue or business continuity loss.
For instance, a law firm in Providence, RI, had ransomware for three months but their insurance company denied payment for loss of billable hours. The law firm is now suing the company.
[According to reporting by the ABA Journal, the insurer did pay $20,000 for computer virus coverage under the law firm’s business owner policy but would not pay on a claim for $700,000 in lost revenue because, the insurer argued, “the policy coverage for lost business income applies only when there is physical loss or damage to property at the business premises.”]
That’s one of those areas again where you need to quantify. Think about, what would be the loss of revenue if critical systems were down, and would my insurance cover it?
So to sum up, what’s your bottom line recommendation on cyber risk insurance?
We suggest five questions that clients should be able to answer for their cyber coverage:
- What are my critical assets and how much are they worth?
- What are the retroactive dates of the policy?
- What threat actors and threat actions are covered?
- How does the cyber policy cross with other insurance?
- What should I insure and what should I fix?
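The fix-versus-insure logic Chip describes (low likelihood and high impact points to insurance; high likelihood and manageable cost points to controls), together with the coverage-gap problem in the Providence law firm case, can be carried through in a small FAIR-style calculation. The following Python is an added illustration and is not Evolver’s, RiskLens’s, or the FAIR Institute’s code; every scenario, dollar figure, frequency, threshold, and the policy terms are constructed for the example, and the category names (`response_costs`, `business_income`) are this example’s own labels, not FAIR or policy terminology.

```python
from dataclasses import dataclass

# Constructed example only: loss figures, frequencies, thresholds and policy
# terms below are invented for illustration, not taken from the interview.


@dataclass
class Scenario:
    """One loss scenario in FAIR terms: how often it happens and what it costs."""
    name: str
    lef: float                # loss event frequency, events per year
    loss: dict                # loss magnitude per event, by loss category (USD)

    def loss_magnitude(self) -> float:
        return float(sum(self.loss.values()))

    def annualized_exposure(self) -> float:
        # FAIR-style annualized loss exposure: frequency times magnitude.
        return self.lef * self.loss_magnitude()


@dataclass
class Policy:
    """Simplified cyber policy: which loss categories the language covers,
    the per-event limit, and the retention (deductible)."""
    covered: set
    limit: float
    retention: float = 0.0

    def payout(self, s: Scenario) -> float:
        # Only categories named in the policy language count toward a claim.
        covered_loss = sum(v for k, v in s.loss.items() if k in self.covered)
        return max(0.0, min(covered_loss, self.limit) - self.retention)

    def gap(self, s: Scenario) -> float:
        # What the business still eats after the insurer pays.
        return s.loss_magnitude() - self.payout(s)


def recommend(s: Scenario, frequency_threshold: float = 0.5,
              manageable_loss: float = 250_000.0) -> str:
    """Apply the interview's rule of thumb. Thresholds are assumptions:
    'frequent' means at least frequency_threshold events per year and
    'manageable' means a per-event loss at or below manageable_loss."""
    frequent = s.lef >= frequency_threshold
    manageable = s.loss_magnitude() <= manageable_loss
    if frequent and manageable:
        return "fix"          # spend on controls to drive frequency down
    if not frequent and not manageable:
        return "insure"       # rare but severe: transfer the risk
    return "fix and insure"   # mixed profile: reduce frequency and cap the tail


# Constructed scenarios (figures are illustrative, not real loss data).
PII_BREACH = Scenario("customer PII breach", lef=0.1,
                      loss={"response_costs": 400_000, "business_income": 50_000})
RANSOMWARE = Scenario("ransomware outage", lef=0.3,
                      loss={"response_costs": 100_000, "business_income": 700_000})
PHISHING = Scenario("phishing credential misuse", lef=2.0,
                    loss={"response_costs": 30_000, "business_income": 20_000})

# A policy whose language covers breach response but excludes lost business
# income, the shape of the denial described in the article.
POLICY = Policy(covered={"response_costs"}, limit=1_000_000.0, retention=25_000.0)


def coverage_report(scenarios, policy: Policy) -> list:
    """Per scenario: annualized exposure, insurer payout, uncovered gap, and
    the fix/insure recommendation."""
    rows = []
    for s in scenarios:
        rows.append({
            "scenario": s.name,
            "annualized_exposure": s.annualized_exposure(),
            "payout": policy.payout(s),
            "gap": policy.gap(s),
            "recommendation": recommend(s),
        })
    return rows


if __name__ == "__main__":
    for row in coverage_report([PII_BREACH, RANSOMWARE, PHISHING], POLICY):
        print(row)
```

The ransomware row is the instructive one: the policy pays on the response costs, but the large business-income loss falls straight into the gap column, so the quantified exposure and the policy language disagree even though the scenario is clearly one to insure. That gap is exactly the question Chip suggests asking before signing: would my insurance cover the loss of revenue if critical systems were down?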