by Hank Berkley, Contributing Editor

The term "risk" as it applies to information security is a bit amorphous, and because of that it can lead one to make some wrong assumptions. One such misconception has to do with the purchase of cyber insurance. While insurance is considered a tool for "risk transfer", in the case of cyber coverage it really doesn't do that. What insurance really does is reduce the risk of an unanticipated financial loss. For most companies this means property loss, theft or significant injuries. What it does NOT do is make you whole in terms of your business. This is also true for information security insurance. A paid claim can help defray the costs of financial damages, including legal expenses and data recovery, but it does nothing to eliminate damage to the business itself.

Even more serious is the fact that cyber insurance is likely overpriced. Before looking at any details, there are a few basics of insurance that are important to understand. The first is that insurance companies typically pay out in claims only 60% of what they collect in premiums. To put that in perspective, a slot machine pays out better, at 80%, and it is considered the worst bet you can make in a casino. The other 40% of the premium you pay goes to cover salaries, overhead, marketing, legal costs, sales commissions and profit. By almost any measure insurance is an inefficient tool.

While the 60% is a target for payouts, information security insurance policies differ from other lines of insurance in that there is very little historical data and the risks are changing constantly. Therefore, predicting losses is, well, a crap shoot. Not only do carriers lack the historical data needed to set actuarially based rates, but they also lack agreed-upon standards for arriving at adequate premiums.
For example, when you insure your home, most carriers ask standard questions such as how far it is to a fire hydrant or what building materials were used. With cyber coverage, each insurance company has its own factors that it believes will yield the most appropriate premium. Without the ability to accurately predict losses, insurance companies generally add a little extra premium to cover the unknown risk they are taking. They may also seek some stability through terms and conditions in the policy that reduce their exposure. Without common contract terms, it is up to the customer to evaluate each policy carefully, comparing it to others and assessing its value in their particular situation.

This is not to say that you shouldn't consider buying cyber insurance. It simply means that it is not necessarily the simple panacea it is purported to be. As mentioned, a primary purpose of cyber insurance is to remove the potential for a large financial swing in your company's results. Business interruption coverage under a cyber insurance policy is expensive, but it can also be the difference between a bankruptcy filing and survival. (Because it is expensive, you should consider as high a deductible as can reasonably be tolerated in order to reduce the cost a bit.)

In fairness, financial protection is not the only benefit of cyber coverage. As a way to differentiate themselves, some carriers that sell cyber insurance offer additional free or discounted services that could help to justify buying a policy. Some offer independent audits of your IT security. The idea is that both you and the carrier benefit when your security improves, but they could also exclude losses caused by issues found in the audit that you fail to correct. Other carriers have contracts to provide discounted recovery services in case you do suffer a loss. They may also provide guidance on how to handle a breach should one occur.
With the regulatory environment being what it is today, having some experienced guidance could be quite valuable.

For smaller businesses, cyber insurance policies are generally simple and defined by the insurance companies. For larger organizations, the terms and conditions offered can often be negotiated. Of course, the opportunity (and responsibility) to review any insurance contract requires legal expertise as well as a deep understanding of your business; but reviewing a cyber insurance policy also requires technical expertise and an understanding of IT risk. Considering the huge variation in policies today, a detailed review of the terms and conditions is a must. Caveat emptor!

One advantage that you do have over the insurance company is that you (hopefully) understand your company's cyber security risks better than anyone. If you believe you have a higher than average risk, buying cyber insurance may be a more reasonable decision. To be clear, insurance is NOT an alternative to having good information security, but it can help to reduce the financial risk during the period while you work to mitigate your technology threats. Remember that insurance does not fix data breaches or repair your reputation. It is a financial offering.

At the end of the day, cyber insurance can be an important part of an information security plan, but it isn't for everyone, can be very expensive, and certainly isn't a substitute for good IT policies and practices. Over the next decade cyber insurance will evolve significantly, but at this time it is a challenge to analyze so many varied offerings, a challenge that may or may not be right for your circumstances.