Spurred by the rash of high-profile hacks, companies are purchasing cyber-insurance to protect themselves from the financial liability associated with data loss and business disruption. But the still-maturing market for cyber-insurance remains fraught with loopholes and inconsistencies, and suffers from a shortage of qualified staff who can properly assess cybersecurity profiles, experts and CIOs say.
"The application process is less than what you would think it would be, in terms of the due diligence," says Shawn Wiora, CIO and CISO of Creative Solutions in Healthcare, a nursing care facility provider. "I like to work with strong partners and, at this point, I'm not sure that a lot of [the insurers] know what they're doing."
Companies, fearing the deleterious impact of hacks at Target, Anthem, Sony and dozens of other companies, are overhauling IT systems and processes, adding analytics to detect threats, hiring CISOs and implementing programs to better educate employees about dangers. A company's worst nightmare is the loss of customer data to hackers, the costs of which can be financially steep and potentially catastrophic to the brand reputation. Cyber-insurance is intended to hedge against those risks.
Selecting cyber-insurance is its own challenge
According to a survey conducted by Veracode and NYSE, 91 percent of 276 companies said they'd purchased cyber-insurance covering business interruption and data restoration, with 54 percent indicating they had also purchased coverage for expense reimbursement in the case of PCI fines, breach remediation and extortion, for example. Some 52 percent of companies are purchasing coverage in the event of data stolen by employees. And 35 percent are seeking coverage against loss of sensitive data caused by software coding and human errors.
While the need for the insurance may be clear, obtaining coverage can be a frustrating experience. It certainly was for Wiora, who is close to picking a new cyber-insurance policy after several months of shopping. He was surprised by the lack of due diligence some insurers exhibit as they evaluate prospective customers for coverage. Cyber-insurers typically require potential clients to complete lengthy questionnaires, often ranging from 150 to 300 questions, designed to determine whether they use encryption, as well as how their firewalls and password authentication are set up.
However, some questionnaires are so spartan as to court risk. Wiora says that one company's questionnaire asked the following: "Do you ensure that all wireless networks have protected access?" He says he could simply write "yes" to satisfy the blanket question. It did not take into account how many locations he had or ask for additional information on the matter. And rather than come to his company to inspect the cyber setup for themselves, the insurer simply vetted everything with Wiora over the phone.