This special report provides an overview of the dynamic trends underway in the cyber insurance market, including actionable information that executives can put to use right now in determining the right approach to using cyber insurance to transfer risks. The report also provides insights which can be of use to any tech firm seeking to partner with insurance companies to enhance services to the market.

OODA principals and our Network Experts have been tracking trends in cyber-related insurance for over two decades. The more visionary and optimistic thought leaders in both the insurance and cybersecurity communities have long held hopeful views of the positive impact insurance could have on the state of enterprise cybersecurity. We are now seeing indications that those positive impacts are in the offing.

Early theories held that as insurers began offering policies covering losses from cyber crime, they would insist on best practices and lessons learned before writing a policy, kicking off a virtuous cycle in which companies wanted to be more secure because that would make them insurable, or insurable at a discounted rate. We have also long tracked optimistic models in which insurers give clients discounted access to cybersecurity services before a breach, so the insurer carries less risk, and discounted rates for response services after a breach, so the insurer does not pay full incident response costs.

These and many other concepts are still in play in the insurance market. True cyber insurance is still relatively new, however, and we see it as a huge growth area because cyber risk will continue to grow.

The Bottom Line Up Front:

AM Best is a global credit rating agency with a unique focus on the insurance industry, providing data, analysis and opinion on the sector. Its overall view of the market is very consistent with our observations. It assesses that:

“The cyber insurance market continues to grow and underwriting performance in this sector remains strong. As well as things are going, there are challenges, with uncertainty around pricing being just one. Underwriting business interruption remains difficult. Also, the threat that insurers are most worried about remains a systemic event that could cause extensive losses and jeopardize a cyber insurer's solvency.”

OODA Assesses that:

  • Cyber risk insurance is becoming more critical to managing downside risk and will grow in importance across all business sectors. Today less than 1% of business insurance premiums are for cyber risk insurance, yet many companies acknowledge that cyber presents the single greatest risk to their organization. Industry momentum indicates that this disparity will close.
  • The insurance industry is in transition in its approach to cyber risk insurance. Currently it seems driven to write as many policies as possible, with little done to assess the risk of future payout, relying instead on exclusions; the exclusionary aspect of these policies substantially reduces their value in the market. Rushing to write policies with so little concern for security controls is not sustainable.
  • Although insurers today only lightly review security controls and standards before writing policies, the trend is unmistakable: over time the insurance industry will play a key role in setting standards for controls around data protected by its policies.
  • Over the next five years, cyber risk insurance will grow until it stands alongside the other major insured risks. From today’s base of 1% of business insurance premiums, we expect growth to 10% of business premiums within five years; eventually cyber risk will be the dominant risk in need of mitigation.
  • Taking the longer view: in the last century the dominant driver of insured loss was fire. In the modern age it will be cyber breaches and business interruption due to cyber attack.
  • Although we see this growth coming, there are headwinds, including enterprise leaders’ perceptions that existing insurance already covers them or that their controls are good enough to make insurance unnecessary.

The basic business case for cyber insurance is that effective security programs cost a great deal and enterprises can still be compromised. No amount of spending on defense in depth drives residual risk to zero, and transferring that residual risk through a cyber liability policy is far cheaper than trying to buy it down with ever more controls, so cyber insurance will continue to be a growth industry. Insurance complements controls rather than replacing them: as the exclusions discussed below show, a policy may not respond at all if basic security practices were ignored.

The Black Hat Cyber Insurance Micro Summit included three hours of presentations from experts and thought leaders in cyber insurance. The summit provided a good update on the continued evolution of cyber liability insurance as a way to transfer some of the risk of breach that will always be present. It was widely attended by information security professionals from enterprises who know they need to make insurance part of their risk mitigation strategy, and by security professionals from service providers, many of whom have been exploring ways to partner with insurance companies (more on how that is done below).

Attendees were given a basic understanding of cyber insurance policies, including the standard terms and conditions found in them, and an overview of the services that typically come with a policy.

The current data breach landscape as seen by cyber insurance professionals was also a key topic, providing useful context for how enterprise security professionals will want to integrate cyber insurance into a full-spectrum risk management program.

Today’s value proposition for cyber insurance includes not only transfer of risk but, in many cases, an external perspective on key risks that may improve overall security posture. Many cyber insurance providers also enable discounted access to security industry partners, before a breach to mitigate issues and after a breach to speed recovery. For example, providers will sometimes offer access to vetted legal, forensics, compliance and other professionals.

Key concepts:

  • Insurance Contract: Risk transfer via either a stand-alone cyber policy or an endorsement added to other business insurance policies such as property, medical malpractice and crime.
  • Distribution: Cyber insurance policies are distributed via property and casualty insurance agents and brokers.
  • Warranties as a channel for insurance: Insurance policies can also back security vendor warranties and MSSP offerings, so that a vendor’s guarantee is itself underwritten.

Types of Cyber Insurance Offerings:

  • First party coverage: This protects your organization. It pays to repair or replace the things you own when they are damaged.
  • Second party coverage: There is no such thing! It would be nuts, since it would mean protecting the party that attacked you.
  • Third party coverage: This covers liability claims brought by a third party. It pays others when they are harmed by a security breach of the first party (you).
  • Services: Increasingly, insurers include access to vetted vendors and security services.

Organizations looking to cover first-party losses from cyber incidents will have many options to choose from, since the industry is far from having standard policies. First-party coverage typically addresses:

  • Breach Response: cost of incident response, legal expenses, notification costs, forensics costs, public relations expenses, credit monitoring expenses, post breach remediation costs.
  • Cyber Crime: Costs due to funds transfer fraud, extortion, phishing, telecom fraud.
  • Business Interruption: Costs due to system interruption and reputational damage, plus data recovery costs.
  • Other Coverages: Damaged hardware, court attendance, reward expenses, cryptojacking, claims preparation.

Organizations looking to mitigate third-party expenses from cyber incidents should consider coverage of:

  • Security and Privacy: Defense costs and damages, expenses assumed under contract, cleanup expenses from malware transmitted to others, and unauthorized release of private information/PII.
  • Regulatory Defense: Costs of regulatory defense can be broad, including compensatory awards, fines, penalties and related expenses.
  • PCI-DSS Liabilities: Can include costs of defense and damages, assessments, fines and penalties.
  • Multimedia Liabilities: Can include expenses arising from libel, slander and disparagement claims; infringement of copyright, domain name and trademark rights; and plagiarism.

Cyber Insurance Services provided by insurance companies can include vetted response and recovery services such as:

  • Legal services
  • Incident response and forensics
  • Notification and credit monitoring
  • Forensic accounting
  • Public relations

A key topic to understand in the domain of cyber insurance is coverage limitations. These include policy exclusions that are clear and widely understood, but will very likely also include exclusions buried in the terms and conditions of the policy.

For example, a policy will very likely impose a time limit for notifying the insurer of a breach. Failure to notify promptly may void coverage for that incident.

Typical exclusions include:

  • Insured Elsewhere: Losses that fall under other policies, such as anti-trust, bodily injury, property damage, IP/patent infringement or management liability insurance.
  • Uninsurable: Nuclear incident, war, terrorism, core internet failure, utility power failure, domain revocation. For example, Zurich Insurance invoked the “act of war” exclusion to deny Mondelez’s claim for over $100m in losses from a cyber attack.
  • Against Public Policy: Intentional acts of senior executives, sanctions violations, criminal acts, and fines and penalties that are not insurable by law.
  • Failure to Apply Best Practices: A very broad exclusion that is not yet commonly accepted in the market. It may include failure to encrypt data, failure to maintain (or take reasonable steps to maintain) security, and failure to comply with PCI standards.

The cyber insurance field is still relatively new, and it can be hard for companies to assess how much coverage they need. Helpful online tools estimate what various breach scenarios would cost a business; a very good one is provided by At-Bay insurance at https://www.at-bay.com/data-breach-calculator/

By working through estimates of the cost of breach scenarios firms can estimate the amount and types of coverages that will be required.

As a very rough estimate, a small company that needs $1M in cyber insurance coverage can get a policy for about $1,000 per year. Pricing varies, of course, but this is the approximate order of magnitude.

For a larger, more complex business, $1M in coverage may cost $100k per year, and $2M in coverage $200k per year.
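To make the scenario-costing step concrete, here is an added example of a small breach-cost model; it is not code from this report and it is not At-Bay’s calculator. It walks a handful of constructed scenarios through the first-party cost categories listed above (breach response, cyber crime, business interruption), drops fines that are uninsurable by law, picks a limit that covers the worst modelled scenario, and applies the report’s order-of-magnitude premium figures. Every unit cost and every scenario number is an illustrative assumption; substitute your own incident history or a broker’s figures.

```python
"""Breach-scenario cost model for sizing first-party cyber insurance limits.

Added example; not code from the OODA report and not At-Bay's online tool.
Every unit cost below is a constructed, illustrative assumption: replace it
with figures from your own incident history, your broker, or a published
cost-of-breach study before relying on the output.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

# --- Constructed unit-cost assumptions (USD); not sourced from the report. ---
NOTIFICATION_PER_RECORD = 1.50      # letters/e-mail plus call-centre handling
MONITORING_PER_RECORD = 8.00        # one year of credit monitoring per enrolee
MONITORING_UPTAKE = 0.25            # share of notified people who actually enrol
FORENSICS_BASE = 75_000.0           # minimum IR/forensics engagement
FORENSICS_PER_HOST = 400.0          # incremental cost per compromised host examined
LEGAL_BASE = 50_000.0               # breach counsel
PR_BASE = 25_000.0                  # crisis communications


@dataclass(frozen=True)
class Scenario:
    """One loss scenario, parameterised by the drivers of each cost category."""
    name: str
    records_exposed: int
    hosts_compromised: int
    downtime_hours: float
    hourly_revenue_loss: float     # revenue lost per hour of interruption
    recovery_cost: float           # rebuild, restore from backup, remediation
    crime_loss: float = 0.0        # funds-transfer fraud, extortion payment
    fines: float = 0.0             # regulatory or PCI fines/penalties
    fines_insurable: bool = True   # False: the fine is uninsurable by law (excluded)


def cost_breakdown(s: Scenario) -> dict[str, float]:
    """Cost per category, mirroring the report's first-party coverage heads."""
    breach_response = (
        s.records_exposed * NOTIFICATION_PER_RECORD
        + s.records_exposed * MONITORING_UPTAKE * MONITORING_PER_RECORD
        + FORENSICS_BASE + s.hosts_compromised * FORENSICS_PER_HOST
        + LEGAL_BASE + PR_BASE
    )
    business_interruption = s.downtime_hours * s.hourly_revenue_loss + s.recovery_cost
    # Fines that the law makes uninsurable fall outside the policy entirely.
    regulatory = s.fines if s.fines_insurable else 0.0
    return {
        "breach_response": breach_response,
        "business_interruption": business_interruption,
        "cyber_crime": s.crime_loss,
        "regulatory": regulatory,
    }


def insurable_loss(s: Scenario) -> float:
    """Total loss a first-party policy could respond to for this scenario."""
    return sum(cost_breakdown(s).values())


def uninsurable_loss(s: Scenario) -> float:
    """Loss retained regardless of policy wording (uninsurable fines)."""
    return 0.0 if s.fines_insurable else s.fines


def recommended_limit(scenarios: list[Scenario], step: float = 1_000_000.0) -> float:
    """Smallest limit, rounded up to `step`, that covers the worst modelled scenario."""
    worst = max(insurable_loss(s) for s in scenarios)
    return math.ceil(worst / step) * step


def shortfall(s: Scenario, limit: float) -> float:
    """What the organisation pays itself: loss above the limit plus uninsurable loss."""
    return max(0.0, insurable_loss(s) - limit) + uninsurable_loss(s)


def rough_premium(limit: float, cost_per_million: float) -> float:
    """Order-of-magnitude annual premium. The report's figures are roughly
    $1,000 per $1M of limit for a small firm and $100,000 for a large one."""
    return limit / 1_000_000 * cost_per_million


# Constructed scenarios for a mid-sized firm (illustrative numbers only).
SCENARIOS = [
    Scenario("lost laptop with customer PII", records_exposed=20_000, hosts_compromised=1,
             downtime_hours=0, hourly_revenue_loss=0, recovery_cost=5_000),
    Scenario("ransomware across the estate", records_exposed=50_000, hosts_compromised=300,
             downtime_hours=72, hourly_revenue_loss=4_000, recovery_cost=150_000,
             crime_loss=200_000, fines=100_000),
    Scenario("business e-mail compromise wire fraud", records_exposed=0, hosts_compromised=2,
             downtime_hours=0, hourly_revenue_loss=0, recovery_cost=2_000,
             crime_loss=350_000, fines=50_000, fines_insurable=False),
]

if __name__ == "__main__":
    limit = recommended_limit(SCENARIOS)
    for s in SCENARIOS:
        print(f"{s.name:40s} insurable ${insurable_loss(s):>12,.0f}"
              f"  retained ${shortfall(s, limit):>10,.0f}")
    print(f"recommended limit ${limit:,.0f}; rough premium at the small-firm rate "
          f"${rough_premium(limit, 1_000):,.0f}/yr")
```

The point of running the model rather than reading the calculator’s single number is the retained column: even with a limit sized to the worst scenario, the wire-fraud case leaves the firm holding the uninsurable fine, and re-running `shortfall` with a smaller limit shows exactly how much of the ransomware scenario the business would absorb itself. Those two figures, not the headline total, are what the board’s risk appetite question has to be answered against.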

Questions the board should consider that will help assess the right way to approach cyber insurance:

  • What insurance coverages are triggered by a cyber attack?
  • How many customers are potentially impacted by an event?
  • How do we model costs?
    • What will the cost of fines be?
    • What will the cost of business interruption be?
    • What will the cost of recovery be?
  • What is our risk appetite for losses arising from cyber risks?
  • What is the appropriate policy language to address cyber risks?
  • What catastrophe models should we put in place to assess possible damages?
About the Author

Bob Gourley

Bob Gourley is an experienced Chief Technology Officer (CTO), Board Qualified Technical Executive (QTE), author and entrepreneur with extensive past performance in enterprise IT, corporate cybersecurity and data analytics. He is CTO of OODA LLC, a unique team of international experts that provides board advisory and cybersecurity consulting services; OODA publishes OODALoop.com. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency.