Security Think Tank: When cyber insurance is right and when it is not

How can IT security best use the new financial and insurance products available to IT to improve data protection without increasing cost?

Cyber insurance has existed since the early 1980s, and interest in this area has grown in the past two decades as the use of IT has become more pervasive in businesses. But the cyber-insurance market remains immature, because the risks underlying the coverage are difficult to quantify from an actuarial standpoint. 

With no standard set of actuarial tables, insurance carriers are often left to their own underwriting standards and creativity when offering cyber-insurance policies.

Reasons to explore cyber insurance

Valid reasons for risk management executives to explore cyber insurance include the need for:

  1. Coverage to protect against catastrophe

    Cyber insurance can be beneficial in the event of a large-scale incident. These types of loss event are growing in size and scale with the increase in exposure to cyber risks.

    In the past five years alone, the four largest reported IT security breaches have cost the impacted companies an average of $4.85bn. Protection against such catastrophic loss events is vital for the quick recovery and overall viability of any affected company.

  2. Regulatory-related coverage for specific industries or to meet regulatory guidance/mandates (such as Securities and Exchange Commission cyber-related event disclosure)

    In certain industries, such as financial services, regulators may require a certain level of insurance to protect the institution from first-party claims relating to computer crime and fraud. This type of insurance is highly standardised and commonly known as a financial institution bond.

  3. Targeted coverage for specific, easily valued loss events

    Executives may also want to consider coverage for specific costs that are easily defined and quantifiable, such as fines and penalties or expenses relating to breach notification. Specific coverage definitions will increase the likelihood of future claims being paid.

Reasons not to explore cyber insurance

On the other hand, risk management executives should avoid using cyber insurance as:

  1. A stop-gap measure to compensate for weaknesses in an information security programme

    Faced with the reality that information security is weak, many risk management executives consider insurance a quick and easy strategy to transfer risk. However, qualifying for cyber insurance is much like qualifying for personal life insurance.

    Individuals who are in poor health or who pursue high-risk lifestyles may well find life insurance coverage prohibitively expensive or even impossible to obtain. Similarly, companies with weak information security programmes will probably find cyber insurance too costly or unobtainable.

    Furthermore, in the worst-case scenario, even if a company obtains cyber insurance it may find that a weak security control gives the insurance company grounds not to pay a claim. Insurance is simply not a panacea for organisations that fail to protect themselves adequately.

  2. Blanket coverage for a broad range of low-limit loss events

    Insurance brokers may approach risk management executives with proposals to cover all sorts of cyber risk with the intent of providing full coverage.

    Although the coverage statements within their proposed policies may be broad, the exclusions tend to be equally wide and limit the possibility of settling a claim. A better approach is to self-insure for low-limit loss events and to rely on cyber insurance for catastrophic loss events.

  3. A response to the general fear spawned by highly publicised cyber attacks

    Cyber attacks and security breaches often make the headlines, and new regulations requiring disclosure of cyber incidents mean such reports are likely to multiply.

    Insurance carriers may use this to their advantage and prey on the fears of risk management executives to sell new products. To avoid making an ill-advised investment, avoid the initial temptation to allay fears through insurance alone.

John Wheeler is a research director at Gartner