Regardless of how large your company or respected your brand, the risk of a data breach is ever present and very real. Just ask Yahoo, which experienced the largest breach in history, or Target, which experienced a breach that shook customer confidence in one of America’s most popular superstores, or even Equifax, which had its repository of personal financial data from across the globe compromised. The question isn’t “if” you’ll be breached, but “when.”
Unfortunately, protecting against cyber attacks is extremely difficult, and very different from protecting a business against other types of risk. The threat landscape is constantly evolving, malicious actors are constantly getting more sophisticated and capable, and the ecosystem of network endpoints and devices is constantly expanding – making it harder to protect every part of a network.
The impact of a breach is also extremely difficult for companies to overcome. Often, customer loyalty is impacted, lawsuits are filed and services – such as credit monitoring – need to be offered and paid for to help assuage the damage.
With cyber attacks becoming so commonplace and so costly, you would think that cyber insurance policies would be considered essential for most enterprises. But that’s not really the case. Depending on who you ask, the percentage of companies that have purchased cyber insurance could be well under half.
To learn more about why cyber insurance isn’t more popular, the challenges companies face when purchasing cyber insurance policies, and the steps companies should take when purchasing a policy, we sat down with Eben Kaplan, a principal consultant at endpoint security solution provider CrowdStrike. Here is what they had to say:
Insurance Tech Insider (ITI): How important is cyber insurance for companies today, and why?
Eben Kaplan: Cyber insurance is a key ingredient in most mature strategies to manage cyber risk. Prevention and mitigation through swift detection and response are the core pillars of most cybersecurity programs, but there is no such thing as perfect security. Insurance helps transfer some of that residual risk that the security program cannot address; in many cases it’s an extension of a defense-in-depth strategy.
ITI: What are some of the factors keeping cyber insurance from seeing wider adoption?
Eben Kaplan: There are generally two reasons we’ve seen for organizations opting against insurance coverage. The first is that organizations feel they can achieve a greater reduction of risk by investing in other mitigating measures.
For mature organizations, reaching that kind of conclusion requires some pretty detailed analysis of technical capabilities and insurance options. For immature organizations, it can be as simple as recognizing that they have weak defenses that need to be shored up before they should start thinking about risk transfer.
The other reason we see organizations opt against insurance is a lack of confidence in insurance products. Fairly or not, they suspect that the premiums are inflated, the deductibles are too high, or that claims won’t be paid on technicalities.
ITI: What challenges does cybersecurity create for insurers that they don’t experience with other types of insurance? How does this impact the insurance company? How does it impact the policy holder?
Eben Kaplan: There are three key factors that make insuring cyber risk different from insuring other risks. First is the fear of correlated losses. That is, the risk that a single event can result in multiple claims. So many organizations rely on the same software or the same cloud services, so a failure early in the supply chain can result in multiple parties experiencing a loss. Insurers often have little visibility into these dependencies among insured parties.
Second is a shortage of actuarial data. When you look at fire or auto insurance, there are databases going back more than half a century that record losses and the factors that contributed to them. As a result, insurers have a pretty good sense of how likely a loss is to occur and how much it will cost. It’s much more uncertain when it comes to cyber insurance.
The third factor is that cyber risk is constantly evolving. That is to say, even if you did have tons of great actuarial data, past experience is not going to be a great predictor of future occurrence. With auto and fire insurance, the laws of physics and thermodynamics are constant. The laws of cyberspace are dynamic.
What this all means to insurers and policy holders is that it’s very difficult to price policies accurately. Insurers have to guess more with their pricing: if they guess too low, they risk crippling losses; if they guess too high, the customers end up overpaying for coverage.
ITI: CrowdStrike has communicated that there are three steps companies can take to help ensure they’re getting the right policy and that their insurance company gets an accurate assessment of their risk. What are they and why are they important?
Eben Kaplan: The three steps include conducting an assessment of current network and system security to look for any pre-existing conditions, getting full visibility into all network data, including endpoints, and establishing executive-wide buy-in to provide visibility to the insurance organization on a real-time basis.
Network assessments are essential from a security perspective. Companies need to understand what’s in their network and where it’s vulnerable so that they know what they’re protecting. From an insurance perspective, it’s the same question: what are you insuring? If you can’t answer this question, you’re not going to be able to pick coverage that’s right for you. And you run the risk that you will not actually be able to place a claim if an incident begins or affects something that you did not initially disclose as part of your network in the first place.
If the first step was identifying what you’re insuring, the second step – full visibility into network data and endpoints – is about figuring out how the network behaves. Having this view not only helps you get a better sense of the risk profile of the network, but it also increases the likelihood that the organization will be able to detect an incident and that they will have the data they need to effectively investigate and remediate it.
Finally, companies need executives to commit to providing visibility to the insurance organization. If you buy life insurance, most insurers want to give you a physical exam before they’ll sell you the policy. It’s a little invasive, yes, but it gives them a clearer sense of the health of the person they’re insuring and the risk they’re covering. It’s basically the same with cyber insurance: the more that the insurer has to leave up to guesswork, the harder it will be for them to tailor and price the policy properly.