Insurance is a fundamental aspect of business risk management used to spread or mitigate financial risk by transferring it to a third party. Since business is now urged to take a risk management approach to cyber security, it is natural and inevitable that cyber insurance should be considered as part of the mix. Cyber insurance is set to grow, in size as an industry, and in importance as a service.
But there are issues -- not least because there is comparatively little actuarial history on which the industry can base its premiums. While there is a century of auto insurance and many centuries of shipping insurance, there is little more than two decades of cyber insurance history. As a result, both insurers and insureds are still unsure about what it is, what it should or can cover, and how much it should cost.
To the insurers, cyber insurance is primarily a gap filler. Cyber has emerged as a new risk that is not specifically covered by other policies, and cyber insurance is designed to fill that gap. But immediately there's a problem, because aspects of existing policies may cover aspects of cyber risk. The principle of 'silent cyber' can apply -- that is, if cyber is not specifically excluded from the policy, it is de facto included. Is separate cyber insurance even necessary?
Mondelez and NotPetya (the Act of War exclusion)
Mondelez appears to have believed it was not -- it already had an 'all-risks' property cover with Zurich American Insurance that included "physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction..." Following damage from NotPetya, it filed a claim for $100 million. Zurich American Insurance eventually declined the claim, and cited the 'war exclusion' clause of the policy, sending ripples of concern through business. If NotPetya can be defined under this exclusion, what cyber-attack cannot?
But it's not that simple. War exclusion is a standard and accepted clause in all property insurance. NotPetya was declared to be an act of Russian aggression. It was first directed at Ukraine, and there is effectively a war between Russia and Ukraine. So, both Mondelez and Zurich have a case -- one that is now to be decided by the courts.
We do not know the reasoning behind Zurich's position. However, if it simply pays the claim, it will weaken the need for separate cyber insurance, and weaken the nascent cyber insurance market. The suggestion is that if Mondelez had separate specific cyber insurance, Zurich would likely have paid the claim.
In defense of this view, Robert Wice, a focus group leader for U.S. cyber and technology at Beazley (an insurance firm that operates in Europe, the U.S., Canada, Latin America and Asia, and manages six Lloyd's syndicates) comments, "There is a lack of clarity around silent cyber on property insurance. In pure cyber policies, war is still an exclusion, but cyber terrorism is more likely to be covered. I don't know of any pure cyber policy that refused to pay out for WannaCry or NotPetya -- so the proof is in the pudding."
There is a distinct possibility that the Mondelez/Zurich issue is being used as a test case to provide clarity. If Zurich is forced to pay out, this will weaken the argument for separate cyber insurance. Conversely, if the war exclusion clause in its current form holds, then the argument for a separate cyber policy that will include cover for 'cyber terrorism' (although still not actual war) gains strength.
Corporate insurance should be treated as catastrophe mitigation. Attempts to cover every single dropped or broken piece of equipment will simply increase premiums and introduce additional management costs. The best function of insurance is to protect the organization from the financial effects of situation-changing events.
In cyber, such events are usually triggered by a major breach and the associated costs. Over the last year, however, a new financial threat has emerged: regulatory fines. In the U.S., Facebook has been fined $5 billion by the FTC. In Europe, Marriott has been fined $124 million and British Airways has been fined $230 million by the UK’s Information Commissioner’s Office (ICO).
It isn’t clear whether regulatory penalties can be insured. It’s a question of ‘moral hazard’: should an organization be legally allowed to transfer the risk of illegal activity to a third party? For now, the majority opinion seems to be ‘no’. But it is far from settled. Under English law, what this principle “is really looking at,” explains Greig Anderson, a partner specializing in dispute resolution with professional services firm Herbert Smith Freehills, “is criminal or quasi-criminal conduct. Under English law, the issue is whether an insurer can rely on a defense of illegality and refuse cover in response to an insured's claim for indemnity for a fine. This defense prevents the courts enforcing a claim when it is founded on 'immoral or illegal' conduct. On the one hand, there is some suggestion in case law that this debars recovery of all fines which are of a penal character for breach of laws enacted for the protection of the public interest. On the other hand, the courts must consider whether upholding the defense would be a proportionate response to the illegality, bearing in mind the seriousness of the conduct and whether it was intentional.”
But there’s a mismatch between this and the EU General Data Protection Regulation (GDPR). “Under GDPR, unlike some other statutes, the kinds of conduct that might underlie a breach of GDPR can be entirely innocent. It might be, for example, that a company buys Grade A security as opposed to Grade A+ security,” Anderson added.
This might have been a realistic strategic business decision – but if the GDPR regulator believes that the company should have bought the Grade A+ product, it can still levy a potentially very heavy fine if a breach of personal data occurs. “The courts may have some discomfort in suggesting that a fine in those circumstances is the kind of criminal or quasi-criminal conduct that should not be covered by insurance -- and they have considerable latitude in relation to how they approach this. I don't think there is an easy answer.”
While war exclusion and regulatory penalty cover are subjects yet to be decided, cyber insurance is building its presence in incident response.
When an organization considers cyber insurance, “One of the first things they want to know,” commented Wice, “is, when something bad happens, how much say do I have in controlling and understanding what happens?” He suggested it was a collaborative approach between the insured and insurer, but made it clear that the insurer will expect to ‘quarterback’ the process.
There is value in this. Each victim company has only its own experience to draw on – the insurer has far more. “Ultimately there is a tried and true practice of responding to a breach,” he continued, “where the insured will certainly benefit from literally thousands of other breaches that our team has already handled. You get this expertise in a box.”
What this means is that the insurer will want to hear from the insured “as soon as there is a problem, a suspected breach of security, because we have a panel of experts on the legal side, on the crisis management side, credit monitoring if that is involved, and we have relationships with forensics firms that have very favorable experiences with us in terms of managing through the process, working with the insurer and the insured to adequately respond to a breach.”
To a very large extent, the insurer expects to run the show with its own preferred team of experts. This will work well with simple breach response – but what if that response requires an early decision on whether to pay an extortion demand? The answer here, said Wice, “is that some insureds will want to pay, depending on the circumstances, and some will not.”
Again, the insurer will effectively quarterback the decision. It may not insist on its own advice, but will be able to exert hidden and unhidden pressure in terms of future premiums and coverage to ensure adherence to that advice.
This is where the future of cyber insurance gets a bit murky. Breach costs and extortion demands are increasing rapidly, and the industry simply does not have the actuarial history (and given the speed with which cyber changes, possibly never could have) to be able to pitch the premiums at the right level to cover costs and still make a profit.
Under such circumstances, one must wonder whether the insurance industry will start imposing security conditions on the insured; that is, follow our recommendations and you’ll get a reduced premium.
Insurer Influence on Corporate Security
This is a difficult area. Taken to extremes, ‘you must include these controls’ could expand to become ‘you must use these specific products’.
Opinions are divided on whether this could happen. From within the security industry, Akshay Bhargava, SVP of cybersecurity at Malwarebytes, told SecurityWeek, “Insurance providers do not need to specify security controls, rather they should rely on industry standards that have been defined to detect, prevent, and respond to cyber-attacks.” In other words, independent auditing to, say, the NIST Security Framework should be enough for the insurer.
Kris Lahiri, co-founder and DPO at Egnyte, is equally doubtful. “The insurance industry will always keep some distance from the actions of its insureds – among other things, it’s the only way it can retain the ability to point to the small print and potentially avoid liability. That’s not to say it will not publicize best practices and possibly impose minimum security requirements for Cyber coverage to remain effective, but I do not see that as leading to micro-management of a whole industry.”
It may be that the industry is too young to know how things will develop. But the potential is there. Greig Anderson told SecurityWeek, “Insurers are interested in understanding the cyber security measures employed by businesses. In fact, insurers are developing additional services where they assist businesses in improving their security measures. This both assists the business and lowers premiums because the better a business is at mitigating its cyber security risk, the less insurers need to charge because the risk for them is less.”
It is the extent and nature of that assistance that is still unknown. Andrew Barratt, managing principal at Coalfire, is optimistic. “Where cyber insurers are in place, they can and often do call the shots – but usually in a fairly ‘light-touch’ way.”
Jack Kudale, founder and CEO of Cowbell Cyber, sees the solution to getting the right premium versus cover balance coming from ‘inside out’ continuous risk assessment. “Measuring and weighing insurable threats is a far better approach than grading cybersecurity products. The best underwritten cyber policy incorporates decisions based on inside-out exposure assessment, outside view, loss cost analysis, business interruption forecast and dark web scores.”
Peter Halprin, an insurance attorney and arbitrator at Pasich LLP, comments, “I am not aware of a situation where the insurers have gone in to dictate the security architecture a company should have in place. I am aware of situations where, when the policyholder is putting together its application, there is a phone call and/or meeting or series of meetings between the policyholder and its IT team and security team and the insurers -- and the insurers usually bring along a consultant to help them evaluate what systems the policyholder has in place. That is the underwriting process. That helps them determine the level of the risk and the associated premium and the exposure and limits.”
But at the same time, he also adds, “my understanding from industry experts is that MFA can drastically reduce premiums.”
Does business need cyber insurance?
Nobody needs insurance. It is just one option in risk management. Nevertheless, insurance is so deeply embedded in business risk management that cyber insurance becomes an obvious extension. The difficulty is that this is a new development with little more than a decade of serious existence.
The insurance industry is still learning what premiums should be applied, and the insured is still learning what cover is needed. It is almost certain that the insurer will seek influence in the insured’s security posture, if only to minimize its payouts and protect its profits.
The consensus opinion, however, is that for at least the foreseeable future, it will not be too heavy-handed – if only because there is high capacity within the insurance market, and competition between the different insurers.
Two aspects stand out. Cyber insurance is fundamentally a gap filler between other existing insurances. Security is well aware that gaps and different products lead to weaknesses. The danger here is that the insured might feel, incorrectly, that it is already covered by existing policies, leaving a gap in coverage. The Mondelez/Zurich situation is a case in point. It is vital, therefore, that all insurances are examined in detail and at great depth.
The precise wording and the correct policy are important. For example, cyber insurance will not normally cover the cost of broken contracts (SLAs) even if the cause is cyber ransomware. Broken contracts can be covered, but by a pre-existing separate policy.
Similarly, it is also important that the policy accurately reflects the insured’s security posture. If a firm has a preferred third-party incident response firm, that incident responder should be explicit on the policy. If a security product is changed during the life of the policy, the new product should be named on the policy.
This requires good and continuous communication between the CISO and the risk manager (or other executive handling the firm's insurances), and between the risk manager and the insurer. Failing to do so will not necessarily cause problems in the event of a claim, but doing so will guarantee that there are none.
The second aspect is the potential size of the cyber insurance marketplace. Kudale comments, “I anticipate that cyber insurance premiums over the next decade will surpass the total cybersecurity spend globally. We will see more focus following cyber-attacks and cyber insurance will be core to mitigate financial losses in the aftermath of these global attacks.”
The extent to which a big industry will allow a smaller industry to influence its payouts remains to be seen. In the meantime, it is probably fair to say that business will benefit from cyber insurance – but that RTFM applies to policies even more than it ever applied to software.