The relative merits of cyber insurance have been bandied about in articles and blogs of late. In some ways, this focus on cyber insurance is a bit puzzling; there are many flavors of risk, such as those to our health, lives, homes, automobiles, and organizations (among others). Except for some lines of coverage, insurance is optional; yet people weigh the risks, assess the consequences should a worst-case scenario strike, and decide if purchasing a policy is in their own best interest.
In a fundamental way, cyber insurance is no different at its core. In increasing numbers, organizations purchase policies to hedge their bets against the possibility of a significant cybersecurity incident, so they have the financial and logistical means to regain operational efficiency and recover quickly.
Looking at the numbers, it’s relatively clear to see that, for a growing number of organizations, cyber insurance is proving to be one answer to a very complex set of problems. More and more organizations are accepting cyber insurance’s critical role in transferring risk in the event of a major incident. Perhaps this is due to the soaring costs of cybercrime: the annual costs of worldwide data breaches are expected to surpass $5 trillion by 2024, with North American businesses taking the main force of the hit, according to recent studies. When balancing risk and expense, many companies are likely to conclude that (as with other lines of insurance) having a policy is an essential safeguard against what could be a business-ending event.
Cybersecurity services providers involved in incident response typically have an end-to-end view of breaches and their aftermath. We see a full range of organizations, types and severities of incidents, as well as their consequences. The costs of cybersecurity incidents are real and tangible, and they go beyond the here and now – the damage to brand and customer confidence can linger, hitting the bottom line, for years to come. In the case of ransomware, business or municipal operational downtime can have severe outcomes on customers and citizens. At the end of the day, many companies must focus on the needs of their own businesses, employees, customers, and shareholders. From our experience as an incident response company, our clients covered by cyber insurance policies are quite often better equipped with the needed digital, physical, and financial resources to respond, recover, and resume normal operations than those without.
Cyber Insurance and Risk Transference
Among many things that concern business leaders, cybersecurity continues to hit the top of the list of business-related concerns. According to Travelers’ 2019 Risk Index survey published in late September, cyber risks are the top concern across all businesses for the first time since the survey began in 2014. It beats such significant concerns as medical cost inflation, employee benefit costs, the ability to attract and retain talent, and legal liability. Insurance continues to be a vital mechanism for transferring risks that can’t otherwise be managed or avoided by an individual or organization.
In the field of cybersecurity, no level of effort or expenditure will ever fully eliminate the risk of a breach. Insurance becomes necessary to protect the organization against those risks that can’t ever be fully mitigated, particularly in catastrophic scenarios where a breach leaves a widespread wake of damage, long disruptions of business activity, and a worrying stain on brand image.
No industry vertical is exempt from risk and thus potential value from the safety net cyber insurance provides. Early on, financial services and healthcare were the largest consumers of cyber insurance. However, other verticals are catching up and adopting insurance in greater numbers. We support this trend; malicious actors target every sector for the intellectual property or data they control, and in certain critical infrastructure sectors such as manufacturing, any interruption in operations can send waves of destruction through the supply chain. According to Risk Based Security’s 2019 MidYear Data Breach QuickView Report, the top eight industries reporting breaches in 2019 at the mid-year point were:
- Healthcare
- Retail
- Finance and Insurance
- Public Administration
- Information
- Professional/Scientific
- Education
- Manufacturing
Each of these sectors processes manages, stores, and/or transmits data that can be monetized by malicious actors and which is vital to the ongoing operations of the organizations. Business interruption and the costs of downtime can be extraordinarily high: A significant cyber event could have effects to customers, citizens, business competitive advantage, national security, public safety, and more. Quickly containing, understanding the extent of, and recovering from such events is paramount.
How Cyber Insurance Assists in Incident Response
Many clients we have worked with would have been unlikely to regain operational efficiency without cyber insurance. Many companies lack experienced staff, incident response processes, and preparedness to act quickly following a business-impacting event. Cyber insurers assist their policyholders by quickly bringing the right team of experts to the table to help resolve the incident, including legal and technical aspects. Companies without cyber insurance experience far greater financial and logistical stress, which can challenge clear decision making and make resolving the incident harder.
Organizations with more mature staff and processes often field several security incidents on a regular basis. However, catastrophic events that linger in the news cycle are often beyond any organization’s ability to handle internally, both from a financial and logistical perspective. Many companies purchase coverage to provide them with peace of mind in these catastrophic scenarios.
Cases such as ransomware may create difficult decisions, such as whether to pay a ransom vs. rebuilding affected systems and suffering resulting data loss. Insurance carriers and their partners help companies sort through the options financially and operationally. No one in the process wants to reward malicious actors by paying them what they ask; but victims of cybercrime, working with their support partners, will wade through the choices to arrive at the best path for the continued health of their organizations. The impact of this decision cannot be underestimated as it can be the difference between getting back up and running in a matter of days vs. potential layoffs or even shutting the doors.
Insurance Alone Isn’t the Answer
As with any other form of risk, all companies adhere to their own set of best practices to avoid, mitigate, or transfer risk. Just as a driver would (in an ideal world) not drive 120 miles per hour, ignoring all traffic laws, on the promise he or she has an auto insurance policy, adhering to cybersecurity best practices is the first step to avoiding incidents. Both public and private-sector organizations should have in-depth security plans, processes, and practices in place, guided by governance policies, to reduce the chances of a security event. Insurance in all cases is designed not as a promise against risk, but rather, one important level of assurance that victims may be better able to recover in case disaster strikes.
The Time-tested Model of Insurance and the Cyber Necessity
Insurance is a very old and time-tested model. Individuals and organizations continue to opt for insurance because catastrophic risk – of any variety – can and has left a wake of tangible destruction on businesses, municipalities, and lives. Cyber threats continue to evolve and persist, and no amount of effort is likely to ever fully mitigate it. Cyber insurance not only provides valuable resources to victim organizations, but it also helps to facilitate a smooth response and recovery process by transferring the victim’s financial burden, which is, unfortunately, characteristic of catastrophic cybersecurity incidents.
About the Author:
Bret Padres is the CEO of Crypsis Group and has more than 25 years of experience in information security, digital forensics, law enforcement, electronic discovery, and counterintelligence. He has worked on some of history’s most notorious retail and state-sponsored data breaches. As a Special Agent in the U.S. Air Force Office of Special Investigations, he was the lead agent on numerous national and international computer intrusion investigations.
He has also served as Chief of Research and Development in the Computer Crimes Unit for the U.S. Postal Service Office of the Inspector General, where he conducted investigations and implemented new computer crime analysis and prevention technologies. In the private sector, Bret was most recently a managing director at Stroz Friedberg, a leading global risk management firm, where he ran its cyber resilience practice.
Bret was also the Director of Incident Response for Mandiant, where he responded to and resolved high-risk intrusions for government agencies and Fortune 500 companies, and he served as the Director of Cyber Operations at Athena Innovative Solutions, where he ran network surveillance and intrusion detection counterintelligence operations for the company’s U.S. government clients.