Insurance and Cyber Security Risk

Helping clients build operational capability in cyber security.

A DELTA RISK VIEWPOINT

Insurance and Cyber Security Risk

Bringing cyber security under the umbrella

About

Delta Risk is a global provider of cyber security and risk management services to commercial and government clients. We believe that an organization's approach to cyber security should be planned, managed, and executed within a tailored and organization-specific program. We help guide organizations to succeed in today's cyber environment by building on the people, processes, and technology they already have.

All rights reserved.

Insuring against cyber security risks is an idea whose time has come. How far can it go?

The use of insurance policies for managing cyber security risks is common today and demand is escalating rapidly. Business leaders want options for transferring cyber risk to insurance carriers. Insurance brokers and carriers want to broaden the range of profitable products they can offer to customers. Cyber professionals want more insurance choices because they know they cannot mitigate every risk.

Although cyber insurance only emerged as a salable product on a large scale in the first years of the 2000s, it is available today in many forms and through many providers. Annual premiums industry-wide have topped $2 billion with year-over-year growth of more than 20%. With the insurance industry overall growing at annual rates in the low single digits, the high rate of growth in cyber premiums is remarkable. And most observers agree that cyber insurance has yet to achieve its full potential for carriers, brokers, and customers alike.

However, this industry is still at an early stage of development. Despite its rapid advance there remain undercurrents of uncertainty about the economics, about what insurance products would be the most successful, and about how cyber insurance should fit into a broad enterprise risk management agenda.

Intrusions, data breaches, denial of service, and other cyber attacks threaten every business and institution in cyberspace. Major breaches have sent shockwaves through multiple industries and cyber incidents are in the headlines regularly. Risk management has never been more important. With complete prevention of cyber attacks being unrealistic, the idea of insuring against potential losses in cyberspace is very appealing.

This Delta Risk Viewpoint advances the idea that there are four communities that have a vested interest in developing cyber insurance as a vital risk management resource.
The four communities, namely insureds (and potential insureds), carriers, brokers, and cyber security professionals, all have different perspectives but share a common desire for more robust cyber insurance offerings. This Viewpoint recommends actions for each of these four communities to position cyber security insurance to help deal with the ever-present risks in cyberspace.

Cyber Insurance Today

Cyber insurance can be a risk management option for any organization that operates on the Internet: for-profits, nonprofits, colleges and universities, healthcare institutions, charities, associations, and others. [1] If the operation depends on cyberspace, the inherent risks must be faced.

Many carriers today offer insurance policies for cyber risks under names such as network security liability insurance, privacy liability coverage, and technology liability insurance. Sometimes cyber coverage is within the scope of, or is offered as an option or an enhancement to, an existing policy such as business owner, business interruption, or professional liability. Additionally, some cyber coverage may already exist in the personal injury portion of an existing general liability policy, although it is probably limited. The types of cyber coverage most commonly available today are outlined in the inset box.

Insurance coverage by itself is not a cure-all for cyber security risks. First and foremost, preventive measures are needed in the form of security controls: management, operational, and technical. Such controls can address some but not all of the risk.
The potential costs due to the remaining (or "residual") risk are among those that may be addressable by insurance. And while a deliberate decision not to insure against these costs may be appropriate, ignoring the residual risk is to tacitly self-insure, a dangerous approach.

Inset box: Losses Often Addressable by Cyber Risk Insurance Policies

- Data breach-related liabilities
- Breach remediation costs such as the costs of:
  - Crisis management
  - Forensic investigation costs incurred to determine the existence or cause of a breach
  - Public relations
  - Customer notification
  - Customer credit monitoring
  - Data restoration
- Coverage for Identity Theft Resolution Services
- Defending lawsuits
- Judgments and settlements
- Responding to regulatory investigations
- Network extortion threat and reward payments
- Regulatory fines, penalties, and associated costs
- Claim expenses or legal expenses incurred in the defense of a claim
- Reputational losses, including damaged relationships and opportunities, both consumer and business
- Business interruption income loss

Impediments to growth

Several factors are currently moderating the growth of cyber security insurance. Although some of these factors may fall away with time, others are fundamental and will continue to influence growth for the long term. These factors include:

Economics. In general, insurance is a highly competitive regulated industry with a high-volume, low-margin business model. With any new product the first question for sellers is, "Can we sell it profitably?" and for buyers, "Is it worth the money?" Both of these questions can be answered with a cautious "yes" in cyber today. The newness of both the risks of cyberspace and the idea of providing insurance for them present initial uncertainties that will only be dispelled with market experience. The insurance industry depends on reliable actuarial data for profitability. Such data is lacking in cyber, which introduces uncertainty into the design and pricing of coverage options.
The challenge of setting rates for cyber insurance products is compounded because the field is so dynamic. To date, competitive pressures have been exerting downward influence on rates while the shortage of empirical data and claims history has tended to push them up.

[1] Small and mid-size businesses, which frequently do not have the resources to invest in robust security controls, should carefully consider cyber insurance as a way to reduce their exposure to cyber attacks that could seriously damage their viability.

Another fundamental challenge in cyber is the question of the insurability of cyber risks. Cyber insurance comes perilously close to violating some of the traditional tenets of insurable risk. For example:

- Are the losses calculable? In cyber, some potential losses are fairly easy to estimate (e.g., breach notification costs) and others nearly unobtainable (e.g., costs of reputational damage).
- Are the probabilities of loss calculable? Current statistical models are not as sophisticated in cyber as they are for other insurance products. Cyber breaches in many respects are all but inevitable, but a better mathematical understanding of the actual probabilities will increase the insurability margin.
- Are the losses accidental? The most pressing cyber risks are caused by human threat actors. Attacks generally follow certain patterns but are not accidental.

Many insurance products in other domains that are successful today began similarly at the edge of insurability. The industry is now grappling with how to expand the envelope of insurability of cyber risks, both in the field as a whole as well as in the enterprises of their individual customers. The key to success is in the precision of the statistical model.

Understanding risk exposures. Insurance is designed to cover the losses (i.e., costs) of adverse incidents. Developing a crystallized understanding of potential losses due to cyber risk exposures is difficult for insureds and insurers alike. Ascertaining the cyber risk profile of an enterprise is traditionally done through a risk assessment. However, there are many forms of assessment in use for different purposes in cyber security and not all provide the information that underwriters need to write policies. For example, quantifying potential losses in financial terms is often overlooked in many cyber risk assessments.
Even so, a detailed assessment of an organization's cyber security posture is generally not cost-effective for making an underwriting decision. Economics demands that this decision be made reliably but inexpensively, and both carriers and brokers are developing innovative approaches for achieving this. Today questionnaires are often a central part of cyber insurance applications with the applicant self-reporting the data requested. The questions are designed to capture the indicators that support underwriting. It is not necessary that they be comprehensive or to the depth that may be needed for other purposes.

Whether through a full assessment or a questionnaire, any such data capture is but a snapshot in time. In cyber, the rate of change of key parameters is very high compared with other risk areas. Besides the change associated with its newness, the cyber environment is inherently dynamic due to the high rates of change in the tactics of threat actors, regular and routine changes in network configuration and the patch status of systems, and technology changes, as well as the level of expertise of the security operations staff and those who monitor network security. This rate of change is one reason that management of cyber risks is difficult and it also complicates underwriting.

Insufficient actuarial data that correlates cyber events with cyber controls. Risk exposure notwithstanding, underwriters ultimately rely on statistical analysis of actuarial data built up over many years from large populations to be able to target insurance products and set rates. Of prime importance is empirical data that links the robustness of risk management measures with outcomes. With life insurance, for example, a vast amount of actuarial data enables the use of easily measured parameters such as age, gender, weight, blood pressure, and tobacco and alcohol usage as decisive attributes for insurance eligibility up to certain levels. This degree of precision is not yet possible in cyber. The issue is not that actuarial scientists are lost when it comes to cyberspace. Rather, the issue is that more complete data would allow them to improve their statistical models and sharpen product offerings with more precise rate structures. There is plenty of room for innovation and companies today are experimenting with different approaches.

Limited cyber talent focused on the insurance issue. Enterprises of all kinds are realizing that qualified cyber security practitioners are in high demand and that finding the right talent in the right location is difficult. Of great importance is the fact that the cyber security workforce is not monolithic: there are many specialties across the spectrum from policy to operations, and shortages of talent exist in all of them. A particular shortage in the cyber field is of those who can effectively integrate cyber security risk with the enterprise-level management of risk, which is central to the insurance value proposition.

Four Players

There are four players who have a stake in cyber security insurance, each with a different vantage point: insureds, insurance brokers, insurance carriers, and the cyber security professional community. All are learning about applying insurance to cyber risk. All need each other. The urgency felt in these communities for expanded applications of insurance is further fueled by the relentless threat, the drive for adoption of new technologies that often increase risk exposure, and competitive pressures on all sides. See Figure 1.

Figure 1. Relationships in Cyber Insurance: How Four Communities Can Help Each Other. Interaction drives improved cyber security insurance solutions.

Insureds
- Offer: Market demand; knowledge of specific business environment and internal operations and priorities; internal perspective on cyber risk management
- Need: Expanded risk management solutions

Brokers
- Offer: Understanding of client needs; relationships with carriers and clients; knowledge of cyber insurance policy options; pre- and post-breach risk management services
- Need: Increased understanding of cyber security; knowledge of constantly evolving policy options

Cyber Security Professionals
- Offer: Understanding of cyber security; knowledge of cyber threats and mitigation approaches
- Need: Greater understanding of insurance as an instrument of risk management

Carriers
- Offer: Cyber insurance products; relationships with brokers and clients; cyber posture data of current insureds
- Need: More comprehensive empirical data relating security controls with outcomes

Interactions of four communities (Insureds, Brokers, Carriers, and Cyber Security Professionals) will help bring about their common desire for more robust cyber insurance options.

Notes:
- "Offer" and "Need" refer to the two ends of the value exchange for each of the four communities.
- The value exchange occurs over time through business interactions in the market and through deliberate consultative initiatives, publications, presentations, and other dialog.

Insureds. The insureds are those who have cyber security insurance or wish to obtain it to help manage their cyber risks. To make good decisions about insurance, insureds and potential insureds must be smart shoppers. They should:

Understand risk and exposure. The most important step for potential insureds to take before shopping for cyber insurance is to develop a good understanding of their organization's risk exposures and the potential costs associated with them. Transferring residual risk to an insurer only makes sense when there is already a broad understanding of the risk posture. The insured should deepen its understanding of risk in terms of potential losses as well as the probability of their occurrence. If the potential loss is high and the probability is also high, it is generally premature for the organization to be seeking insurance. The first priority would be to implement additional security controls to bring the likelihood of loss down.

Not all cyber risk assessments are alike. Analyses performed under the title of "cyber risk assessment" can be designed for a range of important purposes. Objectives may include, for example, understanding the effectiveness of security controls; identifying weaknesses in operational processes; identifying training gaps. These types of assessment, while needed by the organization, do not typically quantify potential losses and their likelihood, which reduces their utility for making insurance decisions.

Inset box: What Insureds Should Do

- Understand cyber risk and exposure
- Integrate cyber security with enterprise risk management
- Develop cyber resilience: being able to continue or resume operations in the aftermath of a breach
- Engage a specialist broker who is knowledgeable in cyber and can identify policies that align with your specific needs
- Understand policy terms, limits, and exclusions

Integrate cyber security with enterprise risk management. Business leaders recognize the impact that a cyber attack can have on the operations of the organization as well as on the bottom line. However, cyber security risk management often does not have a seat at the Enterprise Risk Management table.
If an organization is ready to consider cyber insurance, it should do so in the broad risk management context that only exists at executive levels. Cyber insurance should be addressed at this level as an integral part of the overall management of cyber security risks. [2]

Develop cyber resilience. Potential insureds should realize that the tradespace for defending against cyber attack is broader than just implementing protective measures. Detection, Response, and Recovery are key because cyber defenses can never be foolproof. [3] Resilience is the ability to continue or recover operations in the aftermath of a breach. By focusing on resilience, insureds can greatly improve their risk posture as well as the insurability of those risks. Thorough planning and preparedness efforts for post-breach actions can help control costs and hasten recovery in the usually chaotic post-breach environment.

Engage a knowledgeable broker. Acquiring cyber insurance is an important enterprise move that should be done systematically. To identify the best policy options there is no substitute for the experience and knowledge of a qualified insurance broker. With an increasing number of carriers and expanding policy options, potential insureds should not go it alone. A knowledgeable broker can help in many ways, such as engineering risk, identifying coverage needs, researching and advising on policy choices, and negotiating with carriers for customized coverage. Many brokers also offer advisory and assistance services for the management of risk before a breach and for response and recovery afterwards, which can be very valuable for the insured.
[2] See the Delta Risk Viewpoint, The Elephant in the ORM Room: Cyber Security and Operational Risk Management in Financial Services

[3] The NIST Cybersecurity Framework published in 2015 by the National Institute of Standards and Technology (NIST) sets forth an organizing concept for cyber security consisting of five elements: Identify, Protect, Detect, Respond, Recover. This framework is useful for understanding security strengths and weaknesses, structuring investments, and communicating risk posture internally and externally.

Understand policy terms and exclusions. As with any insurance, cyber insurance policies contain limitations and exclusions that could present unexpected gaps in coverage. Terms and exclusions can vary widely but are of particular importance in cyber insurance because its newness and uncertainties drive carriers to pay extra attention to managing their exposure. Example exclusions include:

- Data breaches at third-parties. Many enterprises today have extensive network connections with business partners, vendors, suppliers, and others such as cloud service providers and business application hosting services. Are breaches of the insured's data at these entities covered?
- Geographic limitations. Cyberspace may be borderless in concept, but systems and data reside in physical locations. Is the insured's data covered when it is located or processed in a different country or legal jurisdiction?
- Retroactive coverage. Many breaches today are not discovered for days, weeks, or months after the actual occurrence. If a pre-existing breach is discovered after a policy is written, is it covered?
- Ongoing risk management requirements. Policies may specify certain requirements for the maintenance of an acceptable risk posture throughout the period of insurance coverage. Is there a standard-of-due-care requirement that must be met to keep the policy active and how is it measured?

Insureds should work with their brokers and legal counsel to understand exclusions and ensure they have the coverage they need.

Insurance Brokers. Brokers assist clients not only with the selection of insurance but frequently offer a wide range of related services to help clients manage risks. Brokers also play a key role in advancing insurance as a cyber risk management tool. Insurance brokers should:

Increase depth of in-house cyber security expertise. Both cyber risks and cyber insurance are here to stay.
Deep knowledge of the challenges and issues in cyber security, the needs of clients, and major trends in the field will enable the broker to provide better and more differentiated service.

Provide advisory services to help clients understand, engineer, and manage their cyber risks. Those brokers who already provide advisory services should consider expanding them to help clients with cyber security risk management. Most organizations have difficulty dealing with cyber security as the enterprise risk it is, often seeing it strictly as an IT problem and missing its potential strategic impacts. Considering cyber in an insurance context with the assistance of a knowledgeable broker can help organizations to internalize cyber's enterprise-level implications.

Inset box: What Brokers Should Do

- Increase depth of in-house cyber security expertise
- Provide advisory services to help clients understand, engineer, and manage their cyber risks
- Find efficient ways to continuously or regularly measure enterprise cyber risk

Find efficient ways to continuously or regularly measure enterprise cyber risk. Measuring an organization's cyber risk posture so that it can be tightly managed is something that virtually all organizations struggle with today. Cyber security at the enterprise level is complex, multi-faceted, highly dynamic, and difficult to measure. Yet it is in everyone's interest to have the means to continuously monitor risk posture in an automated, repeatable, and dependable manner. This desired state will only be achieved through evolutionary development, and brokers who have cyber expertise are in a strong position to help this evolution along.

Insurance Carriers. Cyber insurance today is a profitable and growing line of business for many carriers. The challenge is to continue and expand this success. Actuarial data accumulates in tandem with market experience with product performance. Carriers should:

Continue to innovate. The cyber insurance market is rife with innovation as carriers compete for market share in this new domain. Key areas where innovation can differentiate a carrier include efficiently measuring risk exposure and quality of security controls, defining boundaries of coverage and price point, and refinement of actuarial models. Over time the industry will amass incident data and claims history that will help them evaluate product performance and refine approaches. In the long run more standardization of the cyber security insurance lexicon, policies, and claims practices will emerge, but for the near term innovation will drive the industry.

Inset box: What Insurance Carriers Should Do

- Examine underwriting and claims management and experiment with innovative products
- Increase the depth of cyber expertise in the underwriting field
- Follow industry trends in regulatory compliance for cyber and tailor products to be compatible with these mandates
- Find efficient ways to continuously or regularly measure enterprise cyber risk

Increase the depth of cyber expertise in the underwriting field. Underwriters have deep understanding of risk and are uniquely skilled in data analytics. They know their business. Nonetheless, while cyber security has many similarities to other risk areas, it has some unique features that may call for the use of different statistical analysis techniques. For example, in cyber a single attack could affect a large number of insureds simultaneously. Or a client's risk exposure could change dramatically due to routine network or personnel changes. Or a new threat could appear that increases the insurer's exposure unexpectedly.
Or threats could be negated in one enterprise because another enterprise shared threat intelligence data. Actuaries and claims management personnel would benefit from having people with current expertise in cyber security operations as integral members of the team or readily available.

Follow regulatory trends. The trend across all industry sectors is towards increasing regulatory requirements for cyber security. Without doubt, regulatory requirements drive priorities and risk management approaches in the affected industry sectors. For industries that are not directly regulated, the Federal Trade Commission has recently assumed an oversight role, and has initiated lawsuits against companies for inadequate cyber security controls. Such actions have been taken pursuant to FTC's authority to police unfair trade practices. These factors and the broader trends they are part of directly inform insurance, both in the design of policies and in the management of claims.

Work on finding solutions that continually or regularly evaluate risk exposure. Today's methods of evaluating risk exposure are clumsy and slow when compared with the rates of change in the highly dynamic cyber environment. Developing and widely deploying solutions for the continuous monitoring of cyber security controls is recognized as a grand challenge within the cyber security community. Achieving it would be a boon for enterprises of all kinds as well as their insurers because ideally it would enable risk management to keep pace with the changing risk conditions that are intrinsic to cyberspace.

Cyber Security Professionals. Cyber security professionals, whether in industry, professional services, government, or academia, should accept a share of the cyber insurance challenge and become part of the solution.
Though not usually thought of in this way by today's cyber security practitioners, cyber insurance is just as much a part of the cyber security field as are traditional topics such as encryption, vulnerability management, access control, and intrusion detection. Cyber security professionals should:

Learn about cyber insurance. Cyber people should become knowledgeable and help those in the insurance industry understand what makes an enterprise secure and how security can be efficiently measured.

Understand how insurance can help manage cyber risks and learn to speak the language of enterprise risk and to engage at senior levels on these topics.

Advise executive leadership on cyber risk management. Be able to advise clients on the options for transferring risk. Business leaders are realizing that cyber security is a top-level business concern that requires a whole-company approach. While the business leaders are frequently not well versed in cyber security, cyber security professionals often do not have a sufficient understanding of the priorities and decision models of the organization's leadership. And cyber people often do not speak the language of business leaders. This communications gap works against the effective management of cyber security.

Engage with brokers and carriers. Advance the understanding of cyber security among insurance brokers and carriers through publications, presentations, deliberate consultative initiatives, and other dialog. Take every opportunity to learn from brokers and carriers about how they view risk. Learn from brokers how the engineering of risk can be applied to cyber. Tailor risk assessments and other enterprise diagnostic assessments to be meaningful in an underwriting context. In particular, devise new ways of reliably identifying the probability of cyber events and the potential financial cost (impact) they would yield.

A caution for professional services firms

Providers of cyber security professional services should be aware that all 50 states require those who accept a commission, service fee, or other valuable consideration for selling, soliciting, or negotiating insurance to be licensed. Those providing advisory services related to cyber insurance must understand and respect these boundaries.

Remaining Challenges

Among the major long-term challenges to normalizing cyber insurance are three related issues. These issues have serious implications for the future of cyber insurance.
Accumulation risk and cyber catastrophe

Cyberspace presents a type of risk that commands attention from insurers: those occurrences that could affect a large number of insureds simultaneously. This is called accumulation risk and might theoretically present a "shock loss" for insurance carriers: a loss that is so significant as to have a material impact on the profitability of an underwriter. Hypothetical examples include:

- A widespread botnet-driven distributed denial of service attack, which could put a large number of insureds offline for an extended period of time
- A zero-day exploit against a widely deployed operating system or key business application
- A systemic attack on a cloud provider that affects a large portion of its customer base

The potential for such a catastrophic event and its actual dimensions can be postulated and simulated, but that still leaves much uncertainty. The basic approach that the insurance industry takes to the possibility of shock losses is reinsurance, but the unknowns in cyber complicate this solution as well.

Inset box: What Cyber Security Professionals Should Do

- Become knowledgeable in cyber insurance (its capability and limitations) and understand how it can serve as a tool for the enterprise management of cyber risk
- Advise executive leadership (C-Suite, CSO, CRO, GC, etc.) on the management of cyber risks
- Engage with the insurance industry (brokers and carriers) and help them understand what the cyber professional community can offer

Reinsurance

Reinsurance is insurance for the insurer: a risk management approach in which a carrier purchases insurance from another carrier to reduce its large portfolio risks. Reinsurance is starting to become a part of the cyber insurance landscape and is expected to emerge as a major component of cyber insurance in the long term. Reinsurers are currently cautious because of the unknowns associated with accumulation risk in cyber. Additionally, the wide variety of policy constructs, terminology, and exclusions in policies currently being issued makes understanding the boundaries of what they are covering quite challenging as these policies are aggregated. Both factors represent risk to the reinsurer.

Government role in cyber insurance

Some of the aspects of cyberspace indicate a potential need for a government role in cyber insurance. A majority of the most serious cyber attacks today are perpetrated by organized groups, either militaries, intelligence services, organized crime syndicates, hacktivist collectives, or even terrorists. Many cyber attacks originate or transit other countries, where attackers can exploit jurisdictional boundaries and gaps and inconsistencies in international legal frameworks. The boundary between industrial espionage conducted by a military intelligence service of another country and foreign aggression against the United States is not very clear. A cyber attack on a component of U.S. critical infrastructure by a foreign power could be considered an act of war. In these extreme but not far-fetched cases, it may be reasonable to expect the government to play an active role in defending against the cyber attack.

Where does this leave insurers? The government already plays the role of insurer of last resort when risks go beyond what the private sector insurance industry can reasonably insure. Examples include flood insurance, terrorism insurance, and certain categories of mortgage insurance.
Ultimately the question becomes, what is the role of government in cyber security? [4]

Key Takeaways

- Cyber insurance will be increasingly prominent for managing the ever-present risks of operating in cyberspace.
- Cyber insurance is offered by many carriers and, at $2 billion in annual premiums, the sector is growing rapidly.
- There are impediments to this growth, however, the most significant being the limited actuarial data available on which underwriters depend.
- Four communities (insureds, brokers, carriers, and cyber security professionals) all have different but interdependent roles to play in applying insurance to cyber risk. Recommendations for each are summarized in the accompanying table.

Delta Risk can help

Understanding cyber threats, exposures, mitigation strategies, and risk management are fundamental needs for any organization that operates in cyberspace today. If your organization is faced with managing challenging cyber risks, Delta Risk may be able to help. With our independent and objective focus on cyber strategy, policy, and operations, we can help you think through the ideas presented in this Viewpoint as they apply to your organization, understand and prioritize your cyber challenges, and devise and implement tailored approaches to address them.

[4] See the Delta Risk Viewpoint, 50 Years to Daylight: The future of information security

Summary of Recommendations

Understand cyber risk and exposure
Potential Insureds
Integrate cyber security with enterprise risk management
Develop cyber resilience: being able to continue or resume operations in the aftermath of a breach
Engage a specialist broker who is knowledgeable in cyber and can identify policies that align with your specific needs
Understand policy terms, limits, and exclusions
Insurance Brokers
Increase depth of in-house cyber security expertise
Provide advisory services to help clients understand, engineer, and manage their cyber risks
Find efficient ways to continuously or regularly measure enterprise cyber risk
Insurance Carriers
Examine underwriting and claims management and experiment with innovative products
Increase the depth of cyber expertise in the underwriting field
Follow industry trends in regulatory compliance for cyber and tailor products to be compatible with these mandates
Find efficient ways to continuously or regularly measure enterprise cyber risk
Cyber Security Professionals
Become knowledgeable in cyber insurance, its capability and limitations, and understand how it can serve as a tool for the enterprise management of cyber risk
Advise executive leadership (C-Suite, CSO, CRO, GC, etc.) on the management of cyber risks
Engage with the insurance industry (brokers and carriers) and help them understand what the cyber professional community can offer

Contact Information

To discuss these ideas please contact us at Delta Risk offices:

San Antonio, Texas: 106 St. Mary's Street, Suite 428, San Antonio, TX
Washington, DC: 4600 N Fairfax Dr., Suite 906, Arlington, VA


Risks and uncertainties

Risks and uncertainties Risks and uncertainties Our risk management approach We have a well-established risk management methodology which we use throughout the business to allow us to identify and manage the principal risks that

More information

Navigating Cyber Risk Exposure and Insurance. Stephen Wares EMEA Cyber Risk Practice Leader Marsh

Navigating Cyber Risk Exposure and Insurance. Stephen Wares EMEA Cyber Risk Practice Leader Marsh Navigating Cyber Risk Exposure and Insurance Stephen Wares EMEA Cyber Risk Practice Leader Marsh Presentation Format Four Key Questions How important is cyber risk and how should we view the cyber threat?

More information

2 Gabi Siboni, 1 Senior Research Fellow and Director,

2 Gabi Siboni, 1 Senior Research Fellow and Director, Cyber Security Build-up of India s National Force 2 Gabi Siboni, 1 Senior Research Fellow and Director, Military and Strategic Affairs and Cyber Security Programs, Institute for National Security Studies,

More information

APICS INSIGHTS AND INNOVATIONS SUPPLY CHAIN RISK CHALLENGES AND PRACTICES

APICS INSIGHTS AND INNOVATIONS SUPPLY CHAIN RISK CHALLENGES AND PRACTICES APICS INSIGHTS AND INNOVATIONS SUPPLY CHAIN RISK CHALLENGES AND PRACTICES APICS INSIGHTS AND INNOVATIONS ABOUT THIS REPORT This report examines the role that supply chain risk management plays in organizations

More information

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

The Changing IT Risk Landscape Understanding and managing existing and emerging risks The Changing IT Risk Landscape Understanding and managing existing and emerging risks IIA @ Noon Kareem Sadek Senior Manager, Deloitte Canada Chris Close Senior Manager, Deloitte Canada December 2, 2015

More information

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS Cybersecurity and information security have become key challenges for

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

C ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY

C ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY CSCSS / ENTERPRISE TECHNOLOGY + SECURITY C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CENTRE FOR STRATEGIC CSCSS CYBERSPACE + SECURITY SCIENCE CSCSS / ENTERPRISE TECHNOLOGY + SECURITY GROUP Information

More information