The cyber insurance market is still trying to work out what it is actually offering. Not so long ago, it was a simple product, available at a reasonable price under simple, easily comprehensible conditions. Now, in the wake of increasing ransomware attacks and astronomically expensive collateral damage, the market has hardened.
Denials are common. Litigation is increasing. And clients are taking a gimlet-eyed look at their budgets. Is cyber insurance actually even worth it?
To make that determination, it's a good idea to take a look at what exactly your insurer is offering, aside from limited coverage in the event of an attack. Are they providing expert advice? Penetration testing? Tabletop exercises that expose your vulnerabilities? And if they aren’t, what should you do about it?
Experts weigh in on how to navigate the market -- and how to make up for its shortcomings.
Cyber Insurance Partnerships
In human partnerships, there is a fine line between being possessive and being attentive. The same is true of the relationship between insurer and insured. In the cyber insurance market, that negotiation remains a tenuous one. Some insurers are remote -- they do the bare minimum when a crisis arises. Others are more demanding, requiring extensive audits before providing coverage.
Do you want the frosty friend-with-benefits or the jealous boyfriend? Neither probably. You want your calls returned, but you don’t want your phone ringing off the hook. The trend is toward the latter -- so it’s becoming a matter of just how clingy you want your partner to be.
“Carriers have become a bit more savvy when it comes to cyber risk and loss management, fueled by an almost seemingly endless portfolio of claims underwritten over the last few years -- many of which have involved significant dollar payouts,” observes Kevin Novak, managing director of cybersecurity at risk management firm Breakwater Solutions. “As such, you can expect carriers to demand considerably more information about your company’s cyber programs, particularly in those areas that have proven to contribute most significantly to recent large-scale breach events, such as multi-factor authentication, endpoint security, and privileged access management.”
“Policyholders should take advantage of all resources their cyber insurance provider offers -- from cyber training to tools, services, and partnerships with cybersecurity vendors,” says Isabelle Dumont, senior vice president of marketing and technology partners for insurer Cowbell Cyber. “For example, Cowbell’s risk engineering team works live with policyholders to guide them on implementing security best practices and an incident response plan.”
“While this can prove a bit intrusive, companies and their respective CISOs should take advantage of these assessments of their security programs,” Novak adds. “While they won’t eliminate the need for security teams to do their own program assessments, an additional set of eyes is always beneficial. As an additional benefit, these assessments often provide additional support when it comes time to request budgets for remediating vulnerability findings.”
In Case of Fire, Break Glass
“Many companies find value in the incident response panel of vendors using the ‘in case of fire, break glass’ approach. Organizations that do not have the human capital or financial resources to build out the robust response capability required during an incident can rely upon their insurance company’s offering to ‘outsource’ this,” claims Anthony Dagostino, CEO of cyber insurance company Converge. “The services provided commonly include law firms (aka breach coaches), forensics firms, notification and credit monitoring companies, and PR firms. It’s critical for companies to understand how their insurance coverage works in the heat of an incident and who those vendors are to ensure there is familiarity and a comfort level.”
“The insurer should also have a dedicated team of cyber security experts who can provide guidance and support in the event of an attack. By working with their insurer, customers can ensure that they are as prepared as possible for a cyber-attack,” exhorts Oberon Copeland, owner and CEO of Veryinformed.com.
Expert support for clients who suffer a cyber event is not always contractually mandated within a cyber policy, but carriers often provide it anyway, according to Breakwater Solutions’ Novak. “So, while it’s always recommended that a company integrate involvement of their insurance company into their cyber incident response plans, carriers have a vested interest in making sure that a client manages cyber events rapidly and holistically; else they risk higher payouts. As such, carriers often have dedicated cyber response teams or have vetted and partnered with cyber consulting firms that can help a company respond to cyber events.”
When and how to leverage these resources can be crucial, according to Jennifer Mulvihill, business development head of cyber insurance and legal at cyber defense company BlueVoyant. “Notification and reporting of a claim, as well as how or when to contact partners to assist in an investigation -- such as a forensic firm or breach coach -- can influence a coverage determination negatively or positively,” she says.
Your Responsibility as the Insured?
Plenty of insurers expect their clients to form their own partnerships. Even where that is not the case, it is advisable to establish relationships with security and incident response firms, and to put baseline defenses in place, before an incident rather than after it. This is particularly true for smaller companies that do not have the resources to support dedicated internal staff. Doing so may even reduce insurance premiums.
“It should start at the company level,” suggests Pankaj Goyal, senior vice president of data science and cyber insurance for cyber security firm Safe Security. “How do you think about cyber risks? What are the gaps? What is the financial risk? How much can you mitigate by investing in cyber budgets or cybersecurity products? And then how much risk do you need to transfer?”
“The onus is on the client to make sure that they bring in the right expertise. That expertise can be around assessing the risk itself, understanding the gaps, understanding the risks, and figuring out what improvements can be made,” Goyal maintains.
“Managed security service providers (MSSPs) can be very, very strong technology and advisory partners for the customer -- they can draft out a longer term cyber risk management plan,” he adds. “Incident response companies can help draft and design a business continuity plan. Those are very important drivers for a company to not just defend against cyber-attacks, but also respond and recover quickly with minimal financial impact.”
Ultimately, a satisfactory relationship between insurer and insured relies on healthy dialogue. “There should be a very active and open line of communication between the company and the insured,” says John Eckenrode, director of cybersecurity solutions for consulting firm Guidehouse. “There should be a reassessment every year -- not just saying, hey, cybersecurity expenses went up 10%. Has your revenue changed in the past year? Have you opened new lines of business? Have you made investments in cybersecurity? Have you had any attacks? All those things factor into a healthy relationship with both the insured and the insurer.”
These conversations can have significant impacts on the services you can expect -- and the money you can expect to spend.