I just returned from the RIMS2020 conference in San Francisco and while the newly built façade of Moscone Center was impressive, COVID protocols were dialed in and many friendly faces were happy to be in a communal business setting again, there remains a pervasive cloud of confusion around the accessibility and efficacy of cyber insurance.
Make no mistake, a growing number of organizations understand the need for cyber insurance. After all, it could be the difference between winning or losing a large contract for your organization or acquiring that next round of investment your board is advocating. Most importantly, it could be the assurance you need for the longevity of your business in the face of cyber-attack.
But cyber insurance alone is not a panacea, and even firms that have cyber insurance may not be as protected as they think. In speaking with several insurance companies, I’ve learned that unlike traditional lines of business such as private auto insurance, where standard policies provide liability or collision coverage, cyber insurance policy language is not standardized. The types of risks covered under cyber insurance vary significantly across policies, and businesses and insurers don’t always agree on what loss events are covered under those policies, which makes collecting on a claim challenging.
Due to limited loss history and lack of legal precedent, cyber insurers, operating in a fast-developing market, instead must rely on several indirect factors to set policy pricing appropriately. These factors include market estimates of the cost of cyberattacks, risk assessments to determine the riskiness of the insured, the industry sector of the insured, their own underwriting experience and comparative pricing by other insurance companies.
And because cyberattacks are constantly evolving as both private and state-sponsored hackers develop new methods to infiltrate networks, underwriters are chasing a moving target. The rapid evolution of hacking capabilities and the frequency of attacks, both driving rising costs, make underwriting difficult for insurers, who have historically relied on clients having relatively consistent risk profiles (such as decades of driving risk data).
Yesterday’s attacks do not necessarily inform us about tomorrow’s risks. As a result, the cyber insurance market only covers a small percentage of the overall losses caused by cyberattacks.
We are seeing the insurance market evolve, however. Insurance companies are beginning to write cyber insurance contracts that more explicitly define inclusions and exclusions, and this trend should help limit disputes over cyber coverage. Insurers also recognize that predictive cyber-risk models are crucial to pricing future cyber risks accurately. Additionally, insurers are taking steps to develop and offer advisory services that help their clients adhere to improved cybersecurity standards and develop practices that help businesses avoid catastrophic attacks to begin with.
Shopping for cyber insurance can be daunting and overwhelming. Below are a few points to consider when you're on the hunt for coverage.
In summary, the cybersecurity insurance industry is flush with varying types of coverage and cyber liability products. Ask the right questions during the buying process and remember that for the greatest business preservation, your cyber insurance strategy should coalesce with your risk management program.