By Jon Munshaw and Joe Marshall.
It’s no longer a question of “if” any given company or organization is going to be hit with a cyber attack — it’s when. And when that attack comes, who is willing to take on that risk?
For some groups, it may be that they feel they are fully prepared to take on the challenge of defending against an attack or potentially recover from one. But cyber security insurance offers the ability to transfer that risk to an insurance company that can help you with everything from covering lost revenue to providing incident response as soon as you detect an attack.
Even back in 2016, Cisco Talos called the realm of cyber insurance “new and immature.” But since then, the market has changed drastically, and these kinds of policies are becoming more popular. Still, some businesses have been slow to adopt these policies. According to a study by J.D. Power & Associates and the Insurance Information Institute released in October 2018, 59 percent of businesses still do not have any form of cyber insurance.
But a recent wave of attacks — including the takedown of computer systems in Baltimore, a multi-million-dollar settlement from Equifax over a 2016 data breach, and the recent theft of millions of Capital One customers’ information — shows why it’s important to remain prepared for these kinds of scenarios.
Equifax is still recovering from a massive data breach in 2016 that cost the company hundreds of millions of dollars. A cyber policy the company held covered $125 million in costs associated with the attack, though Equifax admittedly could have used a bigger policy, considering the breach cost a total of $1.4 billion.
Is cyber insurance the right choice for your company or organization? We spoke to two cyber insurance experts to get answers to the questions we had around cyber insurance to help you make an informed decision.
How similar is cyber insurance to the insurance we’re all used to (health, car, etc.)? Turns out, not very. Catherine Rudo, the vice president of cyber insurance at Nationwide, said handing out cyber insurance policies is nothing like other, more conventional policies. Rudo agreed to speak with Talos regarding security policies across the board and said her comments do not reflect the traditional Nationwide policy.
“If you compare cyber to property [insurance], I don’t think there’s a direct comparison,” she said. “Cyber stands on its own. It’s something that’s closer to a liability policy … not everyone needs it in the same way, but everyone needs it.” Rather than the plug-and-play model of other policies like car insurance, where you’d put in the specific make, model, year and amount of coverage needed for your car, and the insurer spits out a quote, each cyber policy is going to be different.
Rudo said each policy must be assessed and written on a case-by-case basis. There’s a wide variety of factors that need to be considered, including intellectual property, potential extortion payments, liability coverage, etc.
For example, the risks inherent in a cyber policy for an electric company would be entirely different from those for a clothing store that collects point-of-sale payments.
What do insurers do to calculate initial risk in these policies? For an insurance company to underwrite a policy for a company, organization or even government entity, the insurer must evaluate several different areas of security risk.
For example, Rudo said that on most cyber insurance applications, the potential insured must answer questions about patching cadence, the number of endpoints that access their network, what (if any) firewalls are in place and what third-party vendors the company works with.
Leslie Lamb, Cisco’s head of risk management, knows firsthand what the application process is like.
Lamb has been a part of every cyber insurance policy Cisco has ever purchased, and said every year, they reassess the policy and always try to get additional coverage in some form or another. She said Cisco’s CISO, Steve Martino, has met with insurance underwriters every year to discuss what Cisco does to limit exposure to attackers, what new intelligence partnerships are in place and how the company mitigates risk.
“We essentially do a roadshow for them,” Lamb said, adding that the process usually starts about 120 days prior to the expiration of Cisco’s current policy.
There’s also the inherent risk that comes with certain industries. For example, public institutions may have a more expensive policy because they handle a large amount of intellectual property, making them a more enticing target.
There’s also the issue of the size of the business — obviously, larger companies are going to be targeted more often than a mom-and-pop corner store.
Rudo said that the premiums may even increase if the potential insured has a higher appetite for risk than another company or organization.
How long have cyber policies been around? Lamb says a common misconception is that cyber insurance policies have only been around for a few years, when in fact, they’ve existed for about 15 years, even dating back to the Y2K scare.
But Lamb said the popularity of the market has increased dramatically over the past five years.
“It has grown exponentially because of the things that have been happening,” she said. “People are aware of what’s going on … no one is immune to having a cyber incident.”
Lamb said many multi-national companies have had cyber insurance policies as long as they’ve been around, but middle-market companies are just starting to pick up on the trend now.
Are there limits to how much a policy may pay out for one attack alone? This will vary from policy to policy, but most of the time, yes.
Rudo said companies seeking out cyber insurance policies will shop around between companies looking for which insurer can offer them a larger “policy aggregate,” meaning the total amount the policy will cover.
Another option could be to take out a policy covering a certain number of records that could be stolen in an attack.
“There are some policies that have a limit for how much they’ll spend, but they’ll have a number of records,” she said. “Some policies will say they’ll give ‘X’ million for your data breach, and another may say they’ll cover ‘X’ number of records. These policies don’t tabulate the amount, just the number of records taken.”
What happens after you’re attacked? Bad news — you’ve been attacked and are now infected with ransomware. Good news, you purchased a cyber insurance policy.
This varies from policy to policy, but some insurance companies will even go as far as to provide boots-on-the-ground incident response and forensic assistance to help you recover your data and restore operations as quickly as possible.
Here’s why that makes sense for the insurer: If they can help you recover your data, the damages realized will not be as severe, which reduces the monetary amount of the claim and restores the victim’s operations as quickly as possible.
In some cases, the insurer will act as an intermediary between the attacker and the victim to help pay the ransom if that’s the route the victim wants to take.
“If a customer chooses to pay the ransomware, the insurance company will pay it, and the insurance company will sometimes facilitate [the payment],” Rudo said. “They can access a vendor to help with the ransomware payment. An insurance company will also respect the wish of the client if they choose not to pay the ransom.”
For example, an insurance company can even assist the victim in converting traditional currency into cryptocurrency, which the attacker may request as payment.
To hear Talos’ take on whether to pay the ransom in these kinds of attacks, you can check out our roundtable here.
Once the insured has completely recovered from an attack, the insurer will usually re-evaluate the policy and premium. The insurance company will look at things like if the initial attack vector was remediated, if the attacker was completely eradicated from the system and what new protections may be in place post-infection.
What is the timeframe for which the policy will cover an attack? For example, what would happen if an attacker had been in a victim’s system for a year, but the insured only took out a policy six months ago? These policies pay out on discovery. So, for example, if a retailer had card-skimming malware sitting on its system since January, but the company only took out a policy in October, the attack would still be covered if the retailer discovered the breach in November of that same year.
“These policies are on a discovery basis,” Rudo said. “The policy begins when the buyer has discovered the loss. The only way there might be an exclusion is if there’s a retroactive date [on the policy].”
What is Cisco’s role in all of this? Last year, Cisco, Aon, Apple and insurance company Allianz collaborated to launch the industry’s first cyber risk management solution.
The solution combines cyber resilience evaluation services from Aon, technology from Cisco and Apple, and options for enhanced cyber insurance coverage from Allianz. The “enhancements” to the traditional insurance policy that this program offers may include severance pay for CISOs in the event of a termination after a breach, special support agreements if the insured uses a certain percentage of Apple products, and a shorter waiting time for coverage to kick in, according to Lamb.
Organizations using Cisco Ransomware Defense are eligible for such enhancements from Allianz.
Other considerations
- Rudo said intellectual property is generally not covered by security policies because it is too difficult to quantify.
- There are other liability policies that may be available to cover attacks that cause harm to a third party. For example, if an internet-of-things device was hacked in a way that it malfunctioned and injured a user, a cyber insurance policy would generally not cover that, but a separate liability policy would.
- Many insurance companies will have “cyber security panels” that step in during some attacks to aid and provide advice to the victim. Lamb said Cisco is currently part of a few of these types of panels, and is looking to join more.