Y2K is known as one of the most widespread times of panic in IT. It was generally thought that on Dec. 31, 1999, computers across the globe would shut down because they would fail to correctly process the rollover to the year 2000 the next day.
It made headlines across the globe, sent everyone with a computer into a panic and even led to the creation of several U.S. government task forces to prepare for the problem.
But what you may not know is that Y2K gave rise to cyber security insurance.
In the buildup of panic, companies became worried that they would lose all the information stored on their computers or lose all ability to operate come Jan. 1, 2000. It was around this time that companies and organizations started to consider mitigating the risks associated with computers and digital storage.
Leslie Lamb was one of the first people to negotiate a security insurance policy, on Cisco’s behalf. Today, the popularity of cyber insurance has exploded as government agencies, small cities, companies and non-profits worry about the rise in ransomware attacks.
Recent studies suggest that having a cyber insurance policy could actually make an organization more attractive to attackers, but companies like to have the policies to cover them if they lose substantial revenue, data or operating time as the result of a cyber attack. Many security experts consider it one of the tools an organization should weigh when mitigating its risk.
So what, exactly, goes into these policies? And how have they changed over time? To get a better idea of how cyber insurance works, and what, exactly, it covers, we sat down with Lamb, Cisco’s director of global risk and resiliency management. Below, we have edited our Q&A for brevity and clarity.
Why do you think cyber insurance has become such a popular trend recently?
Well, cyber insurance is not actually new. That is a misconception that a lot of people hold.
It’s been around for at least 10-15 years. It has just recently taken off.
Over the past five years, it has grown exponentially because of the high-profile nature of some cyber incidents. People are aware of what’s going on … no one is immune to having a cyber incident. It’s becoming one of the largest areas for companies to focus on. I’ve been paying attention to cyber for a long time. People thought there’d be major impacts, but there haven’t been … until about 6 or 7 years ago, when we started to see large companies, government entities and even our infrastructure attacked and at risk. Now, people are really starting to look at it.
How have these policies changed since Y2K, then?
They’ve changed dramatically over the past five years.
That whole space has completely blossomed. I would say 6-7 years ago … there were a lot of gaps in the coverage. For example, it was very difficult to find Business Interruption coverage, which would cover costs for loss of revenue. Companies were submitting claims to their insurance carriers and were finding that they were not covered. Insurance companies started to realize there were gaps in coverage, and they started to make these policies much broader and much more meaningful to their customers’ specific risks.
Most cyber policies have deductibles: both monetary and time-bound deductibles, or waiting periods. Most people are familiar with monetary deductibles, but may not be familiar with time-bound deductibles. An example of a time-bound deductible or waiting period: when a company has a network outage, it may have to wait 24 or 48 hours before its coverage kicks in. The larger the company or exposure, typically the larger the monetary deductible and/or the longer the time-bound deductible might be.
Are there any aspects of these policies that you feel people wouldn’t normally think about?
A few examples of coverage that are currently found in the marketplace and that some people may not know about are coverage for physical damage to hardware, or business interruption coverage to help pay for the loss of revenue while the impacted operation is down.
What are some things that stand out to you when you consider what goes into buying Cisco’s cyber insurance policies?
I purchased the first cyber insurance policy that Cisco had, and I purchased it ahead of the curve or before many companies were even considering the purchase.
Generally, we start 120 days out [from when the policy expires]. We essentially do a roadshow for the insurers and present to them what we do as a company. We bring in [Cisco’s CISO] and other internal experts to showcase our mitigation strategies, how we would manage any issue and we discuss our overall governance and internal policies.
We also talk about all of the different partnerships across the enterprise that help mitigate the risk. This is about education and awareness. This isn’t about just IT, it’s about forming internal partnerships to manage the risk. There’s legal, there’s HR, there’s risk management and others all at the table.
What are some of the things companies can do to help mitigate risk ahead of time to temper the cost of their policies?
Making sure their network is safe, providing education and awareness to employees … having a good business resiliency program in place, doing tabletop exercises to ensure everyone knows their role and everyone knows what to do or not do if they have cyber insurance. Many policies have certain requirements in place, so if you want coverage, you should definitely read the policy ahead of time and know what’s included, what’s not included and what the insurer requires. Many insurers have a panel of experts included in the policy that the insured entity can access. People should know about these experts ahead of time and how they might use them.
We don’t live in a world anymore where it’s just four walls and a router. Everything is interconnected.
How can insurance policies address that?
That’s a really complex question, but it depends. … Let’s just say for example [a contract manufacturer], because of the way they put together our gear, causes a cyber problem for one of our customers. We would have a contract that requires the contracted manufacturer to have “network security liability” to cover the costs.
Our philosophy is … that if Cisco caused it, we’re going to pay for it. Whether we pay for it financially or through our insurance policies, it’s our responsibility to pay for it. But if a third party causes it, we need them to pay for it, which is why we get involved in requiring our third-party vendors to have certain types of insurance.