Why doesn’t my cybersecurity insurance cover that?

There is still no standard approach on which the insurance industry underwrites cyber liability coverage. Find out some answers from an industry expert.


Still some risk to customer

Cybersecurity insurance is designed to alleviate losses from various cyber incidents, including data breaches, damage to networks, and any interruptions to business operations. But while billion-dollar companies are all in desperate need of cybersecurity insurance and can afford to spend millions without thinking twice, cybersecurity insurance only transfers some of the risk of a breach to the insurer. It does not cover lost data, reputation damage or lost business.

The major issue facing insurers today remains quantifying cyber risk for underwriting. In 2015, the National Association of Insurance Commissioners (NAIC) adopted guiding principles for insurers underwriting cyber risk, but there is still no standard or valuation approach on which the insurance industry, as a whole, underwrites cyber liability coverage.

Senthil Rajamanickam, who is the FSI Strategy and Operations Manager at Infogix, discusses the issues in the cyberinsurance space.


Estimating the wrong value

Estimating the wrong value of data assets can have a catastrophic effect on any organization that is data driven. Cybersecurity insurance providers are responsible for mitigating such a risk, but this is a huge challenge. Overvaluing data will create a higher-than-needed premium, making coverage cost prohibitive or, even worse, pricing organizations out of the market. If the data is undervalued, an organization’s own assets are put at risk because insurers only have to meet the commitment they have agreed upon.


Everything is not covered

Cybersecurity insurance today only covers a fraction of the direct cost – while the indirect cost is more than two times the covered direct cost, leading to incomplete business protection in spite of having insurance.


Quantifying cyber risk

The biggest issue in insurance underwriting is quantifying cyber risk. There is no standard or valuation approach on which the insurance industry, as a whole, underwrites cyber liability coverage. 

Non-traditional insurance, like cyber liability, is challenging to underwrite because of the absence of the actuarial quantitative data that is so easily identifiable in commercial insurance policies. Within retail it is easy to put an exact value on a product, but data is a different story.

With complex assessment points that are difficult to underwrite, insurers need a comprehensive approach to estimate data asset value. In fact, because data is intangible and not a typical asset to which value can be assigned, few insurers have direct insights, knowledge or understanding into the cyber liabilities of these digital assets.


Capturing risk associated with data

Capturing the risk associated with data privacy issues can be a hassle because of the cascading nature of the risk. It’s challenging to underwrite such insurance because the carrier has to think about the personal information of each affected consumer, their compromised credit card information, any goods or services bought by the hacker with the compromised card, and the cost of card replacement and credit monitoring.

The list cascades from the affected consumer to the business and everything in between. Cybersecurity underwriters need to consider such deep cascading issues before assuring businesses they have full protection.


Patent-related issues

From a business perspective, there are many patent-related issues that can surface when a breach takes place, leading to lawsuits and legal battles. If a hacker breaks into a file storage system and steals information on new technology being built, it can compromise an entire organization.

Even when a breach occurs, it’s worth noting that many organizations do not have the tools necessary to detect it and provide the direct, real-time awareness that is necessary to calculate the risks of the insured digital assets stored by cloud service providers or enterprise networks.


Cybersecurity insurance underwriting today

Currently, underwriters are in many cases using inputs from information security tools such as Security Information and Event Management (SIEM), along with structured questions, to help them predict possible data breaches and allow the organization to mitigate the cyber risk.

Unfortunately, these tools only provide a view of an organization's past security incidents, the main cause of an incident, and when and how a cyber attack happened. They cannot help predict future incidents.


Cybersecurity insurance underwriting approach: Associated costs

Underwriters are looking at the costs associated with updating or rebuilding a business, after a breach, based on existing disaster recovery (DR) plans, which in many cases lack consideration for intangible data asset values and only provide value based on physical assets.

In addition, underwriters review the cost of security measures an organization will need to put in place to prevent a future attack as a pure risk mitigation play, not a risk prevention approach.


Cybersecurity insurance underwriting approach: Data controls

Identifying new techniques to associate a value with data assets can help. Setting up data controls before a cybersecurity breach that continuously monitor an organization’s data environment and monetize its data value can generate monthly data monetization reports that identify the organization’s data asset value based on data usage. This can be a great help for an underwriter trying to define cyber liabilities during a data breach.

Organizations should also set up automated data controls that effectively scan for the patterns of cyber threats and, once a threat is detected, help automate notifications, automate escalation and ensure a process-based response to a breach, thereby reducing the indirect cost associated with cyber incidents.


The Value Scale

There is a lot of risk when it comes to underwriting cybersecurity and that risk isn’t going away any time soon. Insurers must accept the risk and the acceptance of that risk is changing in the industry. The traditional model of avoiding high risk, managing medium risk while promoting mitigating low risk is changing the value scale that drives the business.

Even if something is considered high risk, it can still be a good risk as long as the business value is high. Take, for example, cloud data apps. Their business value is high even at the cost of a possible security issue. But since the value is high, the risk is worth the reward.
