Bloomberg Law
April 18, 2019, 8:01 AM

INSIGHT: Should Cyber Insurance Be a Line Item in Your Security Budget?

Colby Proffitt
Cyber Strategist

Cyber insurance has emerged in recent years as another must-have risk management and security tool—but is it really a solution chief information security officers (CISOs) and chief risk officers (CROs) should consider for their enterprise security arsenal?

Cyber insurance was first introduced in the 1990s as a means to transfer IT security risks. But at a very high level, if you consider the fundamental difference in mindset between the insured and the insurer across other types of insurance coverage offerings, such as health, fire, personal liability, and auto, the idea of insurance really comes down to a very simple bet.

The insured is betting that an event (such as an auto accident) will not happen and the insurer is betting the same event will inevitably happen. Decades of experience and data have resulted in complex algorithms to determine the appropriate rates for coverage per individual.

That’s why, to follow the auto insurance example, if you have a poor driving record and you drive regularly, you’ll likely pay a high premium for coverage, while someone who drives only a few hundred miles a year is likely to pay a fraction of the price.

Cyber Insurance Is Unique

Here’s what many fail to realize though: cyber insurance and other forms of insurance are very, very different. For starters, auto insurance has been around in the U.S. since as early as 1897 according to the Ohio Historical Society and fire insurance has existed since 1752. Globally, similar forms of insurance date back to 3000 B.C. amongst Chinese merchants.

Although there’s some debate as to who actually wrote the first cybersecurity policy, many credit the first cyber policy to AIG. Age isn’t always an accurate measure of wisdom, but when it comes to years of experience, it’s hard to expect the same maturity from mere decades as from centuries.

Secondly, the odds just aren’t the same when you compare cyber events to any other event category. Let’s take fire claims as an example. According to the Information Insurance Agency, between 2012 and 2016, about one in 325 insured homes—or 0.31 percent—had a property damage claim related to fire and lightning.

With respect to auto insurance, in 2016 there were roughly 218 million licensed drivers in the U.S. and approximately 6.3 million fatal, injury, and property damage crashes reported, which theoretically equates to 2.89 percent of U.S. drivers being involved in a reported accident.

When you compare those statistics to the staggering 27.9 percent global probability of a material breach, as reported by Ponemon in 2018, buying cyber insurance may seem like the obvious solution. Attacks, breaches, data and revenue loss and reputational damages are highly likely in today’s connected world, so isn’t cyber insurance the obvious solution to offset those costs and risks?

No, it’s not—and here’s why:

Insurance Doesn’t Recover Everything

Automobiles, houses and other tangible assets can be replaced. In no way should the emotional and personal detriment of such losses be diminished, but generally speaking, most physical assets can be replaced with the same, or even a newer model. Cyber insurance simply doesn’t work that way.

If you’re a major business, insurance doesn’t exempt you from reporting and notification requirements, nor does it deflect reputational damages. It may provide compensation so that you can manage your legal fees, repair your computers and networks (and implement security best practices you should have invested in previously) and potentially help recover your data, but it doesn’t guarantee that your data isn’t up for grabs on the dark web.

It’s Expensive

There’s a growing number of cyber insurance coverage types and options, ranging from data compromise protection and identity recovery to customer notification plans and cyber extortion protection.

Each additional option, of course, comes at an added cost. Basic cyber insurance costs are often advertised as low as $1,000-7,000 annually for small businesses with an annual revenue of $500,000 or less, but premiums can exceed $40,000 and the coverage limits often top out at a mere $1 million, far less than the nearly $8 million average cost of a data breach for U.S. businesses in 2018—and that’s for a single breach.

There Are Always Coverage Exclusions

Unencrypted data, vicarious liability and breaches of protected information in paper files are just a few of the more common exclusions businesses are likely to see in the fine print. In many cases, claims are denied on account of exclusions and the blurry lines that distinguish cyber insurance from other forms of insurance and liability riders, which is why there’s been an increase in controversial lawsuits such as the one between National Bank and Everest.

To make matters worse, newer “act of war” exclusions are leaving companies entangled in costly legal battles with insurance companies—and consequently, spending more on legal costs than actual security tools and best practice safeguards.

Cyber insurance may sound like a straightforward—even essential—solution to treat the growing likelihood of a cyber attack or data breach. But currently, insurance providers lack a mature, robust model to predict and singularize cyber events. And, much like businesses seeking to offset risks, insurance companies also have to offset their own risks of losing profitability in a world of growing, unrestrained cyberattacks.

Regardless of business size or network complexity, there are budget-friendly and industry-agnostic alternatives to cyber insurance. Every organization requires a unique cocktail of security best practices, processes and advanced security tools; however, cybersecurity isn’t free.

While cyber insurance may be viewed as a cheaper alternative, every business and enterprise should be prepared to make a thoughtful and strategic investment for modernized, long-term protection to defend against threats. Cyber insurance shouldn’t be thought of as a security solution; however, when a risk is unacceptable and you can’t effectively avoid or control it, then cyber insurance may be the only remaining option.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Colby Proffitt is a cyber strategist at Forescout with more than eight years of experience in the federal IT and cybersecurity space. Proffitt drives initiatives at Forescout to promote cyber awareness for its customers and propel industry cyber innovation.