Israel Martinez | April 6th, 2016 | MMG
The net increase in corporate costs related to cybercrime is more than 80 percent over the last six years, according to the Ponemon Institute, a leader in cybercrime statistics. The study also reports a mean annualized cost of $15 million per year for 85 benchmarked organizations, up 19 percent from 2014.
My experience with Fortune 500 companies demonstrates that when a company’s valuation and reputation impact are factored in, the cost of cybercrime is an order of magnitude higher.
There are more than 50 companies in today’s marketplace selling some facet of cybersecurity insurance. Unlike other types of property and casualty insurance, cyberpolicies are new to the industry. These new products lack the years of meaningful quantitative data and the actuarial analysis necessary for balanced pricing and coverage. You will find that the cost of premiums, coverage, exclusions and even prerequisites for qualification vary dramatically.
Fundamentally, cybersecurity insurance is designed to help businesses cover legal expenses, public relations, notification, forensic discovery, incident response and/or remediation, as well as other costs due to an unauthorized cybercompromise or breach.
Be careful not to let your broker sweet-talk you into a false sense of security. Some policies provide only “data breach insurance,” excluding anything not related to theft of personal information (e.g., intellectual property theft, valuation impact, etc.). Often, definitions of simple terms such as “breach” are conflicting, unclear or incomplete when compared with federal, state and industry definitions. Do your homework and compare definitions for your industry and state. Attorneys representing companies vs. shareholders in breach scenarios can have sound but opposing definitions of important terms because there isn’t enough case precedent in this complex field. Additionally, most policies do a poor job of covering the majority of costs in a breach, including reputation damage, valuation impact or loss of intellectual property.
Range of Coverage
Policies are often broken down by industry, revenue, limits of payout per incident and premiums per year. As an example, an article from Cyber Data Risk Managers, a cyberinsurance broker, does a good job of demonstrating the wide disparity between industries, policies and costs for simple data breach insurance. Even within financial services, costs vary greatly. Recently, I have seen insurance companies asking what risk categories the customer wants covered and then pricing the policy accordingly. Increasingly, pricing is becoming either prohibitive or laden with exceptions that are difficult for customers to avoid.
Be aware that sublimits for each potential claim category can be capped (e.g., legal expenses or hiring a forensics company for analysis of damage) and will often have a limit well below the maximum payout. As an example, a $3 million policy may offer only $500,000 of coverage in six claim categories. So take time to run through the cybercrime scenarios most relevant to your industry and company type.
Most providers offering cyberpolicies between 2013 and 2015 were quite helpful and eager to help cover costs after a breach. However, the recent increase in cybercrime has led to policy renewals fraught with exclusions, such as for cybercrime ransom scenarios. Become familiar with the fine-print limitations and exceptions that surprise customers when they need coverage most—during or after the breach. In the case of ransom scenarios, if you have a policy exclusion, find multiple ways to mitigate ransomware cybercrime specifically, because data show this trend increasing.
In this regard, I recently had a conversation with a thought leader on the cyberwar-front, Stuart Tryon, special agent in charge of the U.S. Secret Service Criminal Investigative Division. He gave a sobering assessment: “Ransomware’s prevalence and persistent availability makes it a threat that all should consider in their business continuity planning. This threat will remain part of the landscape for the foreseeable future, and most IT professionals should continue to adhere to strict protocols and countermeasures, with the understanding that no industry or line of business is immune.”
Getting the Most Out of Your Policy
I’ve put together a few helpful tips for you to consider about your company’s cybercoverage:
- Beware of exclusions that result in non-payment. For example, if you have anti-virus or anti-malware software that was “recording and alarming” but no one saw it, or if you happened not to have effectively updated software or firmware in your organization, you may have a disqualifying event.
- Know your definitions, such as “incident” versus “breach,” and how those are defined for your industry, as well as federal, state and local regulators; then make sure your policy integrates these. “Cyberincidents” usually refer to a broader range of attacks and compromises versus “breaches,” which are usually specific to theft of personal information.
- Be diligent about notification requirements to your insurance company. Some insurance companies require you to report cybercompromises and/or cyberincidents even when there was no breach of data. If you neglect to report such incidents and they’re discovered after reporting a legitimate breach event, you could be disqualified.
- Take time to see if the policy covers regulatory fines. These are sure to mount even if you’ve met compliance standards yet still experience a breach.
- Beware of deadlines from the time you discover a breach to the time you report to your insurance company. These may also be mandatory.
- Be careful how you conduct discovery during a cyberincident. Many inexperienced cybersecurity companies inadvertently report incidents, compromises or breaches to management in a way that, unbeknownst to them, invalidates or limits the policy coverage. Make sure you have a reputable and experienced company working cyberincidents.
- Ensure the cybersecurity insurance decision is made as part of the organization’s enterprise risk management program. It should be a board-level or C-suite decision, independent of IT.
- Do not believe, because you have met regulatory compliance standards, that you’re safe from cybercrime or policy coverage exclusions. Many large retailers were compliant with retail industry cybersecurity requirements and were not only breached but also disqualified for policy coverage in the category of “regulatory investigation costs or fines.”
- Try negotiating discounts for things you’re doing well today, such as implementing the SANS Institute’s 20 Critical Security Controls, encrypting data, implementing the DHS NIST framework, or demonstrating how your board has received cyber-enterprise risk management training. Be prepared to show documentation. A past MMG article, “In the Real-World Game of Cybersecurity, the Best Defense Is a Good Offense,” addressed this issue.
- Pay attention to your software-/infrastructure-/other-as-a-service contracts. Outsourcing your business process or data management will not absolve you from fiduciary and other responsibilities in the event of a breach of your third-party provider.
- Consider leveraging a third-party company to discover if your firm has been unknowingly compromised in the form of cyberthreat intelligence. Don’t trust your internal IT department to have this capability, and don’t use a penetration test or vulnerability assessment as a substitute here. You need an independent assessment of what the bad guys may be exploiting today.
Israel Martinez is president and CEO of Axon Global, a cyber-counterintelligence company recognized by the Department of Homeland Security as a leader in its field. Martinez is certified by the DHS in cyber-counterterrorism and defense, and has more than 20 years of experience in cyber-enterprise risk management and governance.