Few businesses today would think of operating without liability, property, or workers’ compensation insurance, and yet, according to a recent survey by CSO magazine, only 59 percent of organizations have some form of cybersecurity insurance. Part of the problem is that cybersecurity insurance continues to be a maturing market that even the underwriters haven’t completely figured out. The more ominous side of the equation, however, is that depending upon what sector of the economy a business operates in, cybersecurity insurance is becoming more difficult to acquire and costs are skyrocketing.
Data breaches, compromised computing resources, Distributed Denial of Service (DDoS) attacks, and website defacements are just some of the kinds of cybersecurity incidents making headlines and creating headaches for companies today. And those companies include everyone, from the Fortune 500 to what I call the Unfortunate 5000, which are the small to medium-sized businesses that struggle every day to find the right resources necessary to protect themselves. Due to the profound lack of experience in understanding the cyber risks associated with these different kinds of security incidents in various broad sectors, the insurance industry is taking an increasingly cautious and, some would say, risk-averse approach to underwriting cybersecurity. Businesses in the retail sector have seen average cybersecurity insurance costs increase by over 30 percent as a result of recent public data breaches. Companies in the health care sector have seen even more dramatic increases of up to 200 percent. Compounding the cost of cybersecurity insurance, insurers are increasingly limiting how much coverage is available, with $100 million being a common figure.
For cybersecurity professionals working in the corporate trenches, this is incidental good news, because the quest for corporate cybersecurity insurance is becoming a catalyst for companies to get serious about security. Underwriters have come to the conclusion that since there isn’t enough actuarial information to make good risk-based decisions, they are raising the bar and requiring companies to prove that they have taken reasonable steps to protect their IT environments. “Reasonable,” however, is a painfully vague requirement and often construed as a “we’ll know it when we see it” qualification. In the CSO magazine survey, 43 percent of those surveyed found that they had to take additional steps to enhance the organization’s security posture to lower the insurance premium. Those additional steps include everything from enterprise-level cyber-risk assessments and upgraded security technologies to the requirement for more qualified security professionals and more robust security policies.
From a purely technical perspective, there are a couple of global transformations occurring that are impacting both security and insurance: the Internet of Things (IoT) and the Cloud. There are many definitions of the IoT, but I think of it as, “anything that can be connected, will be connected.” This includes everything from wearable devices, medical monitoring and home appliances, to manufacturing machinery, jet engines and railroad cars. There is an almost infinite number of security and privacy implications associated with the IoT and, consequently, vast and largely unknown significance for the insurance market.
With respect to the Cloud, it is rapidly changing corporate economics by providing new opportunities for businesses to decrease their technical footprint and outsource their networking and IT infrastructure, resulting in profound efficiencies and cost savings. However, while outsourcing increases the burden on Cloud providers to guarantee their customer-facing security, it does not decrease an individual company’s security responsibilities. So cybersecurity insurance is playing a progressively more important strategic role in organizational risk management.
Sun Tzu wrote over 2500 years ago that, “In the midst of chaos, there is also opportunity.” It’s a crude analogy, but this is where we find ourselves today. The chaos and uncertainty of the cybersecurity insurance market provides great stimulus and incentives for companies across the globe to enhance their cybersecurity posture. This is good for everyone.