Don't confuse cyber insurance with cybersecurity, warn regulators
Major incidents trigger regulators to raise alarm over poor cyber risk measurement and use of cyber insurance as a substitute for adequate cybersecurity, explains Bill Mew.
The two incidents by NATO’s most powerful cyberspace adversaries have set off alarms at national security agencies. They have left thousands of organisations not only scrambling to fix and secure their systems but also wondering how to meet the cost of doing so.
With incident response skills in short supply and concerns that insurers could struggle to meet massive claims, regulators have raised the alarm. They claim cyber risk measurement has been inadequate, even without these incidents.
Regulators have also cautioned that this may be tempting firms to use cyber insurance as a substitute for adequate cybersecurity.
Where are we going wrong?
There are two possible approaches to cybersecurity:
Plan A) Minimise both risk and incident impact.
Plan B) Hope you won’t get hit and get insurance to cover the costs if you do.
Organisations often favour Plan B over Plan A primarily because Plan A requires commitment and upfront investment in protection, detection, back-ups, and incident response to prepare for something that may never happen.
Plan B, however, provides peace of mind in exchange for an insurance premium, allowing you to ignore the problem and then count on your insurer to meet costs including the technical fix, ransoms, fines, and litigation in the supposedly unlikely event that things do go wrong.
So what’s wrong with Plan B?
Plan B would work if risks, premiums and cover could remain low and comprehensive – without penalties or consequences.
There are, however, growing concerns that there simply is not enough money to keep the current system of cybersecurity insurance afloat in the event of a major attack. Responding to concerns over mounting claims arising from the massive SolarWinds incident, New York's Department of Financial Services (DFS) has taken action. It has issued a cybersecurity insurance risk framework to all authorised property and casualty insurers. It also criticised many insurers for their inability to accurately measure cybersecurity risk, saying:
Many insurers still have work to do to develop a rigorous and data-driven approach to cyber risk, and experts have expressed concerns that insurers are not yet able to accurately measure cyber risk [...] Insurers that don’t effectively measure the risk of their insureds also risk insuring organizations that use cyber insurance as a substitute for improving cybersecurity and pass the cost of cyber incidents on to the insurer. Without an effective ability to measure risk, cyber insurance can therefore have the perverse effect of increasing cyber risk – risk that will be borne by the insurer.
Often insurers base their risk assessment on cybersecurity risk ratings that are produced by firms that use web crawlers to check externally facing endpoints for known vulnerabilities. This is a fairly crude method, but it’s probably still the best way to address the mass market at relatively low cost.
The problem is that it’s a bit like evaluating fire-safety risk by looking at a photograph of a building taken from across the street. You can get an idea of the building’s shape and size, but you can’t tell if there’s flammable material inside, or if the building is equipped with fire alarms or sprinkler systems. A photo like this is better than nothing; but it still provides only a basic, limited idea of the real risk. The only truly effective approach is conducting in-depth, but expensive cybersecurity audits.
Unable to measure cyber risk cheaply, easily and accurately, insurers find that their clients can use cyber insurance as a substitute for improving cybersecurity. These clients are effectively passing the cost of cyber incidents on to the insurer – which is unsustainable.
Increasing cyber threats and exposure to silent cyber risk
According to the Hiscox Cyber Readiness Report 2020, the median cost of a cyberattack rose almost sixfold worldwide between 2019 and 2020, and the frequency of attacks is escalating rapidly as well. Yet only 26% of the firms sampled in Hiscox's report have a stand-alone cyber insurance policy. Most rely on generic insurance policies, or have no cyber insurance at all.
This means that many insurers are exposed to ‘silent cyber risk’, where cyber cover has been tacked onto existing liability or property insurance policies that were never intended to cover cyber risk. Ambiguity exists in many cases where policies do not explicitly include or exclude cyber cover, thereby exposing the insurers to the risk of "silent cyber": losses incurred settling unexpected cyber-related claims.
Aware of their exposure, insurers are rapidly excluding cyber risk from generic policies and have added numerous exclusions to their cyber policies, making them almost worthless. They have also frequently disputed cover or refused to pay out at all. And even when they do pay out, it is normally just for the technical fix, and not for any damage to your business and its reputation.
Often a condition of the insurance is that you need to use the insurer’s own incident response team or choose from its list of approved suppliers. It might appear convenient to have a short-list of pre-approved technical response specialists provided for you, but beware.
Experts at ECSC have warned that an incident response team appointed by a cyber insurer will be working for the insurer and not for you. They won’t just be seeking to fix your IT issues, but could well also be briefed to look out for any failings on your part that could open you up to a potential denial of cover.
Those on the insurer’s list of approved suppliers will know that being appointed for further business will be dependent on their loyalty to the insurer rather than to you. With disputes between clients and insurers on the increase, there is the concern that anything that this technical team discovers could be used against you.
Following an incident, you may find yourself not only in dispute with the insurer, but also with a host of others:
Cybercriminals demanding a ransom: we advise against paying a ransom, as you can be liable for a ransom paid to sanctioned entities and it does not guarantee you will get your encrypted files or stolen data back.
A hostile press and hysteria on social media: The standard crisis management approach involves responding to an incident by showing empathy, on the assumption that as a victim you will gain sympathy. It normally works well, but not with cyber incidents. When you are hacked, you may be the victim of a crime, but you will be held to blame by the press and public for not preventing it from happening.
Legal claims from class-action lawsuits AND regulators threatening to levy fines: ISO 27001 certification, checklists and plans count for little. You’ll need to provide evidence that risks had actually been properly evaluated, that reasonable processes and defences were in place, and that it had all been tested (Plan A). They will penalise those that cannot demonstrate this (Plan B).
Back to Plan A then
There are a number of lessons to learn here. There are no shortcuts and Plan A is the only realistic option. You cannot avoid the need for thorough risk evaluation and cybersecurity planning to maximise your defences. Effective backups are also essential.
There may well be a place for cyber insurance, but only alongside a separate and independent incident response service. Rehearsing your incident response plan with immersive simulations will not only optimise your crisis preparedness, but such testing is also mandated under GDPR.
Use specialist brokers to help you find a cyber insurance policy that is right for your organisation. Be suspicious if their risk assessment is not detailed and thorough. And ensure that you are aware of all the policy exclusions and the full extent of the cover – will it just cover the technical fix or is the cost of independent legal, reputational and social support also included?
Cyber insurance is only ever supplementary to cybersecurity and incident response, and never a substitute for either of them.
Founder and CEO of CrisisTeam.co.uk (SiliconANGLE global Startup of the Week – May 2019), an elite team of experts in incident response, cyber law, reputation management and social influence that help clients minimize the impact of cyber incidents. Previous cloud strategist at UKCloud (the...