“I could tolerate any insurance seminar. For days, I could sit there and listen to them go on and on with a big smile on my face. They’d say, ‘How can you stand it?’ And I’d say, ‘Because I’ve been with Del Griffith. I can take anything!’” ~Steve Martin as Neal Page in Plains, Trains and Automobiles
That’s one of the many memorable moments from one of my all-time favorite movies, “Planes, Trains and Automobiles.” While the scene is both funny and poignant as the camera moves back-and-forth from a ranting Neal (Steve Martin) to a crestfallen Del (John Candy), it also illustrates the pessimism we tend to associate with insurance. Not only is the subject matter tedious, but we’ve all either experienced first-hand or heard stories about insurance companies managing to pay out as little as possible – if at all – on a claim due to obscure or ambiguous exclusionary language in the policy.
Despite being a relative newcomer* to the industry, cybersecurity insurance is getting the same bad rap. High-profile pay out denials, such as Zurich’s refusal to cover the losses Mondelez suffered from 2017’s NotPetya ransomware attack (currently in litigation), have helped to support this negative view. In fact, a recent CPO Magazine article suggested that many cyber policies are “worthless.”
However, cyber policies pay claims at rates comparable to other types of insurance. But, it’s the big-dollar cyber claim disputes that get attention and skew perceptions. Many are the result of poorly negotiated policies, or even more to be claims that are filed against a non-cyber policy, such as claim against a general liability policy.
The financial fallout from a cyber event can be staggering, so relying on a non-cyber policy to cover losses related to a cyber-attack is perilous at best as these policies don’t address specific cyber-related losses. What’s more, loss exposure is hard enough to quantify in a cyber policy, because in the end many factors will be weighed regarding the company, the type of attack, the motivation for the attack, and the value of data and information.
Even historical cyber-attack data will factor in loss valuations that are all over the board (see Notes). The wide disparity in these loss calculations is attributable to the absence of a standard for assessing risk among insurers. Further, cyber-insurance models aren’t consistent across carriers and rely on limited actuarial data that has been insufficient for accurate premium pricing. This lack of transparency is another blemish for cyber insurers, which makes it difficult for companies to compare coverages and inherently exposes carriers to extreme losses and systemic risks that is nearly impossible to predict.
Fortunately, the industry is evolving. As more data is collected, insurers are discovering trends and learning what coverages are needed. Underwriters are going onsite to inspect a company’s infrastructure and network, as well as their security protocols to develop a risk profile from which a premium can be determined. While premium pricing challenges lessen for carriers, most companies remain unqualified to assess their own security posture and are not aware of the factors that impact premium pricing. Before contacting a cyber insurance company, it would be wise to engage a cybersecurity expert to perform a cyber risk assessment. The expert will identify threats and vulnerabilities and make detailed recommendations for improving the company’s cyber risk profile.
Insurance carriers award cheaper premiums to companies with the appropriate cyber tools in place, written plans for incident response and disaster recovery, least privilege policies and encrypting sensitive data, among other things.
But, don’t wait for a cyber incident to happen before exploring cyber insurance. That loss event, even if it’s small, already means a higher premium.
*Cybersecurity insurance has been around for about 20 years. Initially, it was mostly used by large companies in technology, financial services, and health care and only provided third-party coverage.
The 2019 Hiscox Cyber Readiness Report indicates the average cyber incident loss over a 12-month period is $369,000 with large companies averaging $395,000 and small companies at $9,000 (globally). The per incident average is $34,000.
A survey by Kapersky’s Lab conducted with over 6,000 employees around the world from March 2017 to February 2018 found the average cost of a cyber incident was $1.23 million. The average for small and medium businesses (SMBs) was $120,000. In North America, the average cost of a data breach was $1.6M with SMBs averaging $149K.
With regard to data breaches, the 2018 Cost of a Data Breach Study by the Ponemon Institute, indicates that the average total cost of a breach in the United States is just shy of $9 million with an average cost per lost or stolen record of $233. Globally, the average total cost is $3.86 million and $148 per record.