Getting Cybersecurity Insurance After a Breach
Getting cybersecurity insurance after a cybersecurity breach can be a daunting exercise.
The primary underwriter may either drop the entire company from commercial insurance coverage or decline to offer cybersecurity insurance going forward, said Guy Fogel, an agent for Argo Group. Rates for post-breach cyber insurance become cost prohibitive, with deductibles that can run into the millions of dollars, he said. Because the risk to the carriers is higher, a company will most likely have to stack several cybersecurity insurance policies to reach full coverage. For instance, to obtain $20 million of cyber insurance protection, a company may need four carriers, each writing a $5 million policy with a $1 million deductible. If a second breach occurs, the covered company would pay $4 million out of pocket and the four policies would pay out the remaining $16 million, provided the company was in 100 percent compliance with the policies' provisions and exclusions.

A past cybersecurity event will be placed on the exclusion list and will most likely not be covered under the new cyber insurance policy, Fogel said. One can think of this as a pre-existing condition, just as in the health insurance industry, he noted. And, Fogel said, a company may be required to carry a large Self-Insured Retention (SIR) on top of the reduced future coverage.
A company that experiences a second cybersecurity breach is in serious trouble, because its insurance options will be reduced significantly. Traditional underwriters will not want to provide cybersecurity insurance to the affected organization, since a second breach clearly shows a pattern and history of ignoring cyber risk. There is the Lloyd's of London option (the London specialty insurance market), which is full of exclusions, reduced coverage, overpriced premiums, and very high deductibles, said Fogel. This will typically force a company to become 100 percent self-insured, because commercial insurance is cost prohibitive. That really hits the bottom line, because the company must now set aside working capital in an escrow account; a third cybersecurity breach may end the company regardless of its size, he said.
Cyber insurance does not replace the need for any of the other tools, people, or processes required in cybersecurity, but it does mitigate the risk of a large-scale incident driving the company toward bankruptcy, said Chris Taylor, director of incident response at Intel Security. He described a midsize retailer that had just recovered from one cybersecurity incident when it suffered a second breach. The total cost of the first incident, including response, remediation, lost revenue, fines, lawsuits, and increased operating costs, drove the company into bankruptcy. The company had to file for Chapter 11 to take the pressure off so it could rebuild. It emerged from Chapter 11, but in just over a year it was hit by a similar second incident. "The first thing the CEO told me was that they were not in a financially strong enough position to survive this second security breach without cyber insurance," said Taylor. "The CEO said having a strong cyber insurance policy in force provided them the critical and financial assurance that they could survive the second incident, since they were able to have the costs of the response, remediation, and other unplanned costs covered, realizing a future third breach would close the doors."
A big misconception about general commercial insurance is the assumption that cyber incidents are covered. A security breach is typically not covered under a general commercial policy, and that gap can be financially devastating for a company. When this happens, some companies have taken their insurance underwriter to court. When an underwriter denies a claim, it can expect the client to file a formal complaint with the state insurance board. When a claim does reach court, the underwriter can quickly counter with an allegation of insurance fraud, since the breach was never covered, and the case is closed, said Fogel. No C-suite executive wants to be associated with the prospect of insurance fraud, he said.
Given the complexities of cyber insurance, a plug-in tool like Progressive Insurance's Snapshot, which sets auto rates based on drivers' habits, would help both insurers and enterprises, suggested Jeff Tutton, president of Intersec Worldwide, during a cybersecurity insurance presentation. In fact, some insurance companies already use the online rating service BitSight to determine a company's security posture and risk profile, and whether it has experienced any type of cyber incident, as inputs to underwriting cyber insurance rates. BitSight provides ratings for cyber insurance underwriting that assess the security performance of insured companies to reduce underwriting risk. Think of it as the security equivalent of the credit score on a credit report. There are many factors that can affect the security risk of an organization, said Tutton.
"Some of these factors can be controlled and others must be continually monitored as they change," he said. "Just as we have financial credit rating systems today, which are an indication of financial risk, I think we are looking to understand, monitor and report this on other business risks today."
For its part, SecurityScorecard uses an A-to-F grading system to monitor companies' security postures.
Cybersecurity insurance policies have come a long way, said Dan Lohrmann, former chief security officer for the State of Michigan. "The cyber insurance policies I saw were new, untested, usually unclear as to what was covered and full of holes. The question was: would they even pay when the time came? Over time, I started to see the cybersecurity insurance industry mature, and insurance companies spoke a risk language that COOs and business areas understood. Furthermore, I noticed first-hand that cyber insurance was helping many public and private organizations assess and quantify their risk and overall security posture. It helped in the risk assessment exercises."
Companies must implement the cybersecurity controls a policy requires, because a claim will not be paid if the policy's provisions are not met. You can never outsource the responsibility when it comes to cybersecurity insurance, Lohrmann said. Organizations should take the following actions, he said:
- CxOs should become more educated on the cyber-insurance options available
- Don't fight cyber insurance; talk to colleagues who have found policies that help
- Examine industry best-practice options from neutral organizations
- Determine whether cyber insurance should be on your roadmap or part of your holistic strategy
Learn more about this topic in Bell's earlier article: "The Truth About Cybersecurity Insurance."
About the Author:
Todd Bell is an international cybersecurity and technology executive who has served as a CISO, CIO, board advisor, and board director for companies ranging from the Fortune 500 to small businesses. See his LinkedIn profile.