Cybersecurity insurance does mitigate some financial damage should you suffer an attack, but it's not a complete solution. Here are five things CIOs need to know.
1. It's a risk-management strategy. Cybersecurity insurance transfers some of the financial risk of a security breach to the insurer. First-party insurance typically covers damage to digital assets, business interruptions and, sometimes, reputational harm.
Third-party insurance covers liability and the costs of forensic investigations, customer notification, credit monitoring, public relations, legal defense, compensation and regulatory fines. Cyberthreats are so broad that the cost of protecting against them all would be prohibitive. The best approach is to identify and secure the company's digital crown jewels, then quantify and insure the remaining risk, says Daljitt Barn, director of cybersecurity at PricewaterhouseCoopers.
2. American and European markets differ. The cybersecurity insurance market is more mature in the U.S. than in the E.U., primarily because of U.S. states' mandatory data-breach-notification laws. Third-party insurance is more common in the U.S., and first-party is more popular in Europe, but that may change if the E.U. starts requiring breach notifications, Barn says.
The U.S. market is growing about 30 percent per year, says Richard Betterley, president of Betterley Risk Consultants. Some surveys estimate that 30 percent of large U.S. companies have cybersecurity insurance, but among companies of all sizes, Betterley says, the number is probably under 10 percent.
3. Clear wording is essential. Before you buy, investigate what risks are covered by existing insurance packages, because there may be overlaps with a cyber insurance policy. "Make sure the cyber policy wording covers your true cyber exposure," Barn says. "Challenge your corporate insurance broker to find a policy that provides a multifaceted response, including legal, PR, notification, forensics and cyber incident response."
4. Coverage is inadequate in some areas. Cybersecurity insurance doesn't do a good job of covering intellectual property theft or the reputational damage and business downturn that can be caused by a security breach, Betterley says. Meanwhile, the industry is debating whether state-sponsored cyberattacks, to the extent they can be identified as such, are covered by cybersecurity insurance policies.
5. There's room for improvement. Ideally cybersecurity insurance should encourage companies to improve security so they can negotiate lower premiums. However, insurers don't have enough actuarial data to adjust premiums based on what security controls and products are most effective, says Andrew Braunberg, research director at NSS Labs.