Multiple Drivers For Cyber Security Insurance




ANALYST BRIEF

Multiple Drivers For Cyber Security Insurance
EXPECTATIONS PLACED ON INSURANCE CARRIERS RISE WITH MARKET GROWTH

Author: Andrew Braunberg

Overview

There has been considerable good news for insurance carriers over the past couple of months. Several market surveys demonstrate fairly strong adoption of cyber security policies among businesses based in the United States. Another set of reports in circulation suggests that US public businesses are heeding Securities and Exchange Commission (SEC) guidance to better explain potential cyber risks. More transparency regarding cyber risk and cyber attacks is expected to drive greater adoption of cyber insurance as a means of demonstrating better corporate risk management.

It is becoming a mainstream assumption that insurance carriers can help organizations with cyber risk management, both in the traditional risk transfer sense and in the broader sense that they can act as neutral arbiters of cyber security best practices. This is readily demonstrated in the recent push by the White House to promote greater insurance carrier participation in the National Institute of Standards and Technology (NIST) effort to create a cyber security best practices framework for critical infrastructure providers.

NSS Labs Findings

- Recent market surveys put cyber security insurance adoption at approximately one third of large US businesses.
- Insurance carriers are being pulled into the creation of the NIST cyber security framework, raising their profile among security professionals. The White House is hopeful that this interaction will help to foster a competitive cyber insurance market.
- An examination of recent SEC filings reveals that US public companies are more forthcoming with details regarding their cyber security risk profiles.
- Proposed reform of European Union (EU) data protection laws is expected to accelerate cyber security insurance adoption in Europe.

NSS Labs Recommendations

- Enterprises should view cyber security insurance as an important component of their overall risk management strategy.
- US-based public companies must understand and keep abreast of current SEC expectations for cyber risk/incident disclosure and, just as importantly, current industry best practice for reporting.
- Enterprises should better leverage information technology (IT) security teams when selecting cyber security insurance and when explaining risk profiles.
- Insurance carriers should more fully consider and assess the differences among security vendors and products, in particular the differences in overall security readiness that are achievable based on the specific products used for defense-in-depth strategies.

Analysis

Survey Says...

According to a recent Ponemon Institute survey [1] of risk management professionals in US private sector organizations, cyber security has become a mainstream business concern. Respondents rate the need to protect against cyber security risks as comparable to other insurable risks, such as natural disasters or fire. Confirming the severity of this concern, 31 percent of the organizations in the survey state that they currently have a cyber security policy, and 39 percent state that their organizations have plans to purchase a policy.

Ponemon also asked respondents to disclose which employees within their organizations make the decisions to purchase cyber insurance. Interestingly, chief information security officers (CISOs) and IT security personnel have little influence regarding choice of insurance carrier. Risk management teams are most likely to evaluate carriers and influence buying decisions. Other important influencers are business unit leaders, general counsels, and chief financial officers (CFOs).

Respondents cited formal risk assessments conducted by the insurer as the most common means of determining their required level of coverage. That insurance carriers would want to perform their own risk assessment is not surprising, nor is the assumption that carriers are becoming repositories of information on security best practices. As discussed in the analyst brief "Cyber Security Insurance: Self-Insure Or Hedge Your Bets? The Current State Of The Market", however, there is little consistency among the cyber security policies offered by carriers. This is at least partly due to a lack of consistency in the manner in which rates are determined.

Inhibitors To Cyber Security Insurance

Respondents in the Ponemon survey with no current plans to obtain insurance (30 percent) include among their reasons the belief that premiums are "too high and/or include too many exclusions, restrictions, and uninsurable risks"; the belief that existing property and casualty policies cover cyber risk (almost always not the case); and the inability to purchase policies because of an organization's current risk profile.

For those under the impression that the insurance carriers would add some much needed data rigor to the cyber security risk management markets, there is some bad news: they simply are not there yet. The truth is that carriers believe that technical controls account for a relatively small percentage of the overall security posture of an organization and that they can build risk models without a detailed understanding of the specifics of the technical controls in place within a particular customer.

[1] http://www.experian.com/innovation/business-resources/ponemon-study-managing-cyber-security-as-business-risk

Critical Infrastructure Providers

The current Administration is investigating several strategies to convince critical infrastructure providers to adopt better risk postures. The White House is exploring ways to incentivize critical infrastructure vendors to adopt the cyber security best practice framework currently being developed through the NIST, the goal of which is to help critical infrastructure providers reduce their risk exposure through the adoption of agreed upon best practices. The NIST has until February 2014 to produce a final version of the framework, which was mandated in a February 2013 Executive Order. Adoption of the framework is voluntary, however, and this has convinced the Administration that a set of initiatives should be created to entice critical infrastructure providers to adopt the framework.

Working to align the framework with the same types of controls that insurance carriers require when writing cyber security insurance policies is viewed as a way to encourage adoption of the framework. The strategy is to include insurance carriers in the process of developing the framework with the goal of "building underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market." [2] In other words, it is hoped that adoption of the framework will lead to lower cyber security insurance premium costs. Unfortunately, after several preliminary iterations, the framework document remains an exceptionally high level document.

SEC Cyber Risk Guidance For Publicly Traded Companies

In 2011, the Division of Corporation Finance within the US Securities and Exchange Commission (SEC) issued its first guidance (i.e., recommendations) to public companies regarding the disclosure of cyber risk. While the guidance does not mandate specific disclosures, it does suggest the direction that the SEC would like to see disclosures move.

The Division of Corporation Finance is the entity within the SEC that selectively reviews public company SEC filings for compliance with disclosure requirements. For this reason, Division disclosure guidance documents are taken seriously by public companies. The requirement for publicly traded companies to report on their cyber risk and to detail any cyber attacks is expected to drive them to be more transparent and responsive regarding efforts to mitigate this risk through technical security controls or cyber risk insurance. This is similar to the way in which state security breach notification laws (currently in place in 46 of the 50 US states) have driven the market for cyber risk insurance to pay for the costs associated with breach disclosures.

[2] http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework

Topic Number 2

The SEC guidance was presented in a document titled "CF Disclosure Guidance: Topic No. 2", [3] dated October 13, 2011. The document notes that there is no existing disclosure requirement that explicitly refers to cyber security risks and cyber incidents, but it states that "a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents... Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cyber security risks and cyber incidents." The document goes on to caution public companies that when determining whether risk factor disclosure is required, "we expect registrants to evaluate their cyber security risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents."

If cyber risks are deemed material, then appropriate disclosures suggested in the document include:

- Discussion of the details of operations that contribute to material cyber security risks and discussion of any potential costs and impact
- Discussion of the details of operations that are outsourced to third parties, which may contribute to material cyber security risks, and discussion of how to mitigate these risks
- Description of any cyber incidents that are individually, or in the aggregate, material, including a description of the costs and impacts
- Risks related to latent cyber incidents that may remain undetected
- Description of relevant cyber security insurance coverage

The Willis Reports

The insurance carrier Willis has been attempting to quantify the degree to which large US private sector organizations are following the SEC-recommended guidelines. Willis has this year released two reports on this topic. The first, which was released in April 2013, focused on the Fortune 500; [4] and the second, which covered the Fortune 1000, [5] was released in September 2013.

The reports offer some good news to proponents of better cyber risk disclosure. They reveal that 85 percent of Fortune 500 companies are following the SEC guidance to some degree, by providing a level of disclosure regarding cyber exposures. That is a reasonable start, but the details of the report demonstrate that large public companies still are a long way from implementing the full scope of SEC cyber reporting recommendations. Willis notes that the number of organizations disclosing details of actual cyber events was only 1 percent. It notes that this percentage seems low considering the number of attacks that appear in the press on a regular basis. It also notes that in spite of SEC guidance requests, no dollar figures associated with the costs of attacks are presented in any Fortune 1000 company SEC filings.

One of the more interesting data points that surfaces in the Willis reports is that just 6 percent of the Fortune 500 mention cyber insurance in their SEC filings.

[3] http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
[4] http://blog.willis.com/wp-content/uploads/2013/05/willis-Cyber-Disclosure_2013.pdf
[5] http://blog.willis.com/wp-content/uploads/2013/08/willis-Fortune-1000-Cyber-Report_09-13.pdf

This number is much lower than several recent market surveys suggest, including the Ponemon survey discussed earlier. Another example is a recent report [6] by Chubb, which indicates that about 36 percent of public companies in the US purchase cyber risk insurance. That is not too far from the Ponemon survey result, which put that number at 31 percent. But why the discrepancy between these surveys and what is reported to the SEC?

One possible explanation is that companies are overreporting their insurance coverage to survey takers, which would suggest that the SEC filing numbers reflect more accurately the true market uptake for cyber risk insurance. The other explanation would be that corporations are attempting to downplay cyber risk in their SEC filings and are therefore underreporting risks in general and risk reduction and risk transfer strategies in particular.

The latter explanation may bear out, given the apparent underreporting of technical risk protection deployments (for example, firewalls and AV). The Willis reports note that only 52 percent of the Fortune 500 and only 25 percent of the Fortune 1000 mention these protections being in place. Common sense, industry best practice, and the multitude of compliance mandates under which large businesses operate in the United States make these reported numbers suspect. It is difficult to imagine a Fortune 1000 organization operating today without at least elementary network and endpoint security products protecting its assets.

So at a high level, it seems that public companies are beginning to embrace the SEC guidance on cyber security; however, the level of detail that the SEC was expecting is still almost universally missing in the Fortune 1000 SEC filings. For this reason, Senate Commerce Committee Chairman Jay Rockefeller continues to push to strengthen cyber risk disclosure requirements. In a letter to the SEC Chairperson earlier this year, Rockefeller wrote: "Investors deserve to know whether companies are effectively addressing their cyber security risks just as investors should know whether companies are managing their financial and operational risks... Formal guidance from the SEC on this issue will be a strong signal to the market that companies need to take their cyber security efforts seriously." [7]

With respect to cyber risk, public companies currently navigate between disclosing too little information and disclosing too much. They are being advised by the SEC against underreporting their cyber risk posture, but they are also taking care not to oversell their ability to protect against cyber risk. Given the level of guidance the SEC is currently promoting, it is highly likely that it will increasingly scrutinize public companies that completely omit disclosure of cyber security risks and incidents. What is less clear, but perhaps more interesting, is the degree to which the SEC will pursue public companies that are considered to have mischaracterized their ability to reduce or transfer cyber security risks through technical controls and insurance policies, respectively. As the Willis examination of the SEC filings of the Fortune 1000 shows, a considerably high percentage of the largest companies in the United States claim not to have the resources to adequately limit the consequences of cyber attacks. This includes a quarter of all health care, high tech, and banking organizations in the Fortune 1000.

Meanwhile, In The EU

Interestingly, the market for cyber security insurance in the European Union is only a fraction of the current market in the United States. (The gross domestic product [GDP] of the EU is larger than that of the United States.)

[6] http://www.chubb.com/businesses/csi/chubb15936.html
[7] http://www.commerce.senate.gov/public/?a=files.serve&file_id=49ac989b-bd16-4bbd-8d64-8c15ba0e4e51

Insurance giant Allianz estimates that the current US cyber security insurance market is approximately USD $1.3 billion, while the EU is generating about USD $200 million. [8] A draft data protection regulation currently working through the EU Parliament might help jump-start the cyber security insurance market in Europe, however. The reforms, which were first proposed in January 2012, would replace the current Data Protection Directive (95/46/EC). A component of the proposed regulation would mandate broader and stricter requirements for private organizations to disclose data breaches and cyber attacks. It is estimated that the new rules would impact 40,000 businesses. [9] This increased transparency into cyber risk is expected to drive broader adoption of cyber insurance.

[8] http://m.liveinsurancenews.com/cyber-insurance-is-zurichs-new-focus/8528359/
[9] http://euobserver.com/justice/118989

Reading List

Cyber Security Insurance: Self-Insure Or Hedge Your Bets? The Current State Of The Market. NSS Labs.
https://www.nsslabs.com/reports/cybersecurity-insurance-self-insure-or-hedge-your-bets

Contact Information

NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746 USA
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com

This analyst brief was produced as part of NSS Labs' independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.

2013 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.