Buying Cyber Insurance Can Strengthen Data Security (With a Caveat)
By Amy Elizabeth Stewart
There was an excellent story in Insurance Law360 (subscription required) about the March 22, 2016 cybersecurity hearing at the U.S. House of Representatives' Homeland Security Committee. The hearing was a Cyber Insurance 101 for committee members, with cybersecurity and cyber insurance experts from various companies helping to get members up to speed on the growing risk of data breaches.
One of the main lessons from the hearing was that the mere presence of cyber insurance policies has strengthened data security because they promote “discussions about data security measures across a company's departments.”
As Tom Finan, chief strategy officer at Ark Network Security Solutions and a former leader of the Department of Homeland Security's cyber incident data and analysis working group, says, "I see insurance as a vehicle to make cyber risk more of an enterprise risk management problem."
Certainly, making corporate executives stop and examine what their company is doing to safeguard its data is a healthy exercise. But in our work with businesses that are negotiating their own cyber policies, we caution against making the process all about corporate policies.
Many cyber policies include exclusions that effectively shift the risk back to the insured, for example by requiring the company to follow certain security protocols as a condition of coverage. But because, according to a recent report in Business Insurance, more than 70 percent of data breaches are attributed to “credentialed insiders,” any policy that puts all the risk back on the insured is effectively a worthless policy.
A few other highlights from the Law360 story:
1) The main obstacle for standardization of cyber policies is a lack of data about cyber risks and incidents. Consequently, DHS is considering a “unified cyber incident data repository” that would collect (possibly anonymously) information about corporate cyberattacks. Such a repository could “bolster insurers' ability to model the likelihood and severity of cyber incidents,” says Matt McCabe, a senior advisory specialist at insurance brokerage Marsh USA.
2) Because there is so little data, underwriters have been pricing policies based on assessments of prospective insureds, which means cyber products are both more customized and more expensive, according to North Dakota Insurance Commissioner Adam Hamm, who chairs the National Association of Insurance Commissioners' cybersecurity task force.