The millions companies spend on R&D are a positive investment in the company's future. Buying cyber insurance is a negative investment, a necessary expense to compensate for and brace against the necessary evils out there. But while a company welcomes the certain amount of security a big cyber insurance policy brings, that policy can never compensate if hackers break in and steal your intellectual property. It's meant to cover a range of incidents, from hacks to breaches to insider leaks, fraud, cryptolocker recovery and so on. But it's an "after the fact" recourse that was never meant to replace "before the fact" planning.
A company's cyber insurance policy and premium should be in keeping with its assets. If a company's insurance policy is more elaborate than its security plan, that could be a signal it anticipates getting hacked, or perhaps is taking a lazy approach to security. Neither is good. A healthy respect for the possibility of a breach is wise, given the alarmingly high rate at which they are occurring. The year-over-year increase in breaches, including massive attacks, is staggering. That, combined with increasingly steep fines from privacy laws like Europe's GDPR and California's Consumer Privacy Act, going into effect January 1, 2020, should motivate any company to be prepared. (See our blog, Less Than 100 Days Till A New California Privacy Law Goes into Effect.)
Insurance companies can thank hackers for their rising profits. Cyber insurance is a young industry that began getting attention in 2005 and has been growing since. In 2017, its global market size was $3.89 billion, fueled by increasing cyber attacks. That year, the number of data breaches announced publicly worldwide was 1,579, each one costing victims $3.52 million on average.
In the insurance world, cyber threats are ranked among the top 5 risks by most security professionals. It's a threat worth fearing and a viable income earner for insurance companies, which they recognize.
Adroit Market Research predicts in its recent report that the market will take off like a rocket, from its current $4 billion in premiums globally this year (2019) to over $23 billion by 2025, just 5 years away.
One prediction that has certainly come true is the biting teeth behind the GDPR. The law went into effect in May 2018 and it took some time to ramp up, but by now more than a few companies have felt those teeth sinking into their budgets. Last July, British Airways was handed a $230 million fine for its data breach affecting 500,000 customers. It was the largest GDPR fine at that time. Marriott was also fined the same month, $123 million for its breach of 3 billion accounts. In 2019, GDPR fines came to nearly $479 million, levied on 27 companies, including Uber in the Netherlands in November and 1and1 Telecom in December.
Continued and constant cloud migration is driving companies to sign up for cyber insurance. Companies want the convenience, capabilities and flexibility of the cloud, but they are demonstrating a striking lack of knowledge of how to manage it securely. Or, even if they themselves understand, the third parties they work with often do not follow strong security principles. Numerous (and enormous) breaches this year have occurred due to configuration errors or simply leaving servers exposed. (See our article 1.2 Billion Records Exposed in the Biggest Data Leak in a Decade.)
When any insurance company pays out on a claim, it isn't doing so out of benevolence, and cyber breach claims are no exception. The insurer's objectives are to provide a good product and make money doing it. This means that before paying, they will always make sure there aren't any reasons why they shouldn't. Indeed, a couple of infamous cases have shown what happens when an insurer does not pay. Sometimes the reasons for non-payment have not sat well with clients, and lawsuits have ensued. A famous case was Sony's 2011 data breach of 77 million users' PII (personally identifiable information). Their insurer refused to cover Sony's $2 billion in losses. The case went to court and in 2014 the insurer prevailed, based on a clause stating that the coverage didn't extend to third-party hacking incidents. This was a failure of Sony's policy to cover breaches like the one it experienced. Today, most companies with cyber insurance do have policies that cover hacking events.
The same insurer, Zurich, is involved in another lawsuit with a client. The client was hit by the massive NotPetya malware and suffered extensive damage. The US and UK have deemed that NotPetya originated from a nation state, Russia, and Zurich has classified it as an act of war. And you guessed it, acts of war are not covered by the policy. The policy does cover cyber breaches, which is what happened. So it's a conundrum, and many are waiting with bated breath to see how the court rules on this one. It's already been tangled up for a long while.
The above cases should serve as reinforcement, and even greater motivation, for the stance that avoiding a breach in the first place is the best policy of all. You'll never be happier to see a paid premium go to waste through non-use.
This requires that adequate security programs be in place. The process of evaluating security to improve its effectiveness is itself valuable. It can reveal vulnerabilities and provide critical knowledge that will strengthen your layered defenses. A cyber security plan that is robust, runs efficiently by reducing overlaps and redundancies, protects networks and applications, and also satisfies stockholders is far preferable to having to face the damage a breach causes.
When organizations apply for a policy, cyber insurance providers look at the state of the company's security program, kind of like a health exam for the network. This summer, Congress completed an investigation of the Equifax breach and determined that their security practices (or lack thereof) were at fault for the breach. (See our article, Congressional investigation into Equifax breach finds multiple security failures.) Not long after, the FTC fined them $700 million for the breach, and additional amounts will likely follow from other parties. (See FTC Fines Equifax up to $700M for 2017 Data Breach.)
This evaluation process may increase in intensity and strictness as massive breaches continue to happen due to sloppy practices and careless oversights. It's no skin off an insurer's nose to take a claim to court, and meanwhile the injured party may wait years for a settlement, even if they eventually win.
On the other hand, a business that demonstrates proactive planning in its security investments and implementation, as well as an educated workforce, may well avoid a breach, and could possibly see more favorable terms on its premiums. Those premiums that hopefully will forever go to waste. Just saying.
Have any experience or thoughts with this? We invite your comments below.
Further resources:
Zurich lawsuit – cyberinsurance fm prediction series
Congressional investigation into Equifax breach finds multiple security failures
FTC Fines Equifax up to $700M for 2017 Data Breach
1.2 Billion Records Exposed in the Biggest Data Leak in a Decade
It's official: North Korea is behind Wannacry
British Airways breach will show us the first serious GDPR penalty
Marriott reports massive data breach of 500 million of its Starwood guest records
Less Than 100 Days Till A New California Privacy Law Goes into Effect
Sources:
https://www.darkreading.com/risk/the-cold-truth-about-cyber-insurance/a/d-id/1336234
https://www.adroitmarketresearch.com/industry-reports/cyber-security-insurance-market
https://alpin.io/blog/gdpr-fines-list/