Buy Cyber Insurance
An uptick in ransomware attacks has led more companies to buy cybersecurity insurance. But some bad actors actually target companies with this coverage, figuring they'll be more likely to pay ransoms.
Ransomware attacks have hit the U.S. food supply, the health care system, the pipelines that carry fuel up and down the East Coast. And companies are worried about being attacked. More of them are buying what's called cyber insurance, but that demand has led to higher prices and to coverage that is less comprehensive. NPR's David Gura joins us now with more. Hey, David.
GURA: Yeah. Let's take ransomware, for example. It's been in the news lately. There have been these big attacks. Colonial Pipeline is one of them. JBS, the meat processor, is another one. You know, they can cause a lot of disruption, cause a lot of damage. And the ransom demands can be sizable, as we've seen. Colonial Pipeline paid $4.4 million. Well, a company can buy an insurance policy not just to cover the ransom payment itself but also the fallout from an attack. A company may have to hire a consultant to negotiate and make a payment. There's forensics work - trying to figure out what happened, what was taken. All of that's expensive. And then there's the notification part of this, Ailsa - how much it costs a company to tell its customers, and sometimes its investors, about what damage took place.
GURA: We have some new data on this from the federal government. In 2020, half the companies that bought insurance had cyber coverage. In 2016, four years earlier, it was just a quarter of them. So it is becoming more popular, and we're seeing the costs creep up for coverage. I think this uptick in demand for coverage says something about how normal these attacks have become. Companies are buying insurance for cyberattacks just like they buy insurance for fires and for earthquakes. That's made it become a regular part of doing business. And it's happening even as the federal government tells companies it doesn't want them to pay ransoms, that paying ransoms incentivizes more attacks.
GURA: Well, experts told me yes. It's becoming increasingly clear companies could benefit from this kind of insurance. But there's a catch. There's this concern that companies that buy cyber coverage could be targeted as a result. James Turgal helped run the FBI's information and technology branch. Now he's with the security company Optiv, and he consults with large companies. He told me some hackers actually scour IT systems as part of an attack to learn about the kind of insurance a company has. And then these bad actors will use that information as leverage.
JAMES TURGAL: They will actually put up a piece of that cyber insurance policy to show you that, one, they've infiltrated your system and they have exfiltrated data but also to let you know they know about the cyber insurance.
GURA: Well, insurers are forcing companies to do more to improve their IT infrastructure. They're also making more of an effort to verify a company's defenses are, in fact, as good as the company says they are. And that's part of what determines the premium. Daniel Soo is a cybersecurity consultant with Deloitte, and he says this is an approach you see with other kinds of insurance, like with car insurance, for instance.
GURA: Now, something else that's happening is insurers are denying claims if a company's systems are not as secure as it claimed. And one last point here - ransomware isn't new. It's been around for decades. But this kind of standalone cyber coverage, Ailsa, is fairly new. And because of that, policies vary. This could make it get more standardized as time passes.
Cyber insurance costs depend on several risk factors that vary from business to business. For example, some annual policies might cost around $500, while others cost $5,000 or more. Learn which factors affect your rate so you can better control your costs and still have adequate coverage.
Your cyber insurance cost is influenced by who has access to your systems and data. For example, hiring a third-party partner for IT or website maintenance might put your business at more risk than hiring an in-house employee. Additionally, limiting access to only the necessary employees, partners and customers can help minimize your cyber risk.
Storing sensitive information on an unsecured network increases your risk for cyber threats like data compromise, computer attacks and electronic extortion. You might have a lower cyber insurance cost if you can show that you work on a secure network. This can include installing antivirus software, using network firewalls and updating passwords regularly.
Accountants, medical offices and IT companies are some of the many professions known for collecting and storing large amounts of data. These types of professions typically pay more for cyber insurance because it usually costs more to recover from a cyber incident involving large amounts of sensitive information.
Expect your cyber insurance cost to be higher if you've had a cyber claim in the recent past. A business with past claims is considered to have a greater risk of a future breach than a business without a previous claim.
Therefore, conditions seem ripe for cyber insurance sales to take off, especially since consumer awareness of the exposure appears to be on the rise. This is thanks, in part, to the proliferation of widely publicized breaches in the private and public sectors, and as more individuals fall victim to identity theft.6 So, with a potentially huge exposure gap for the industry to fill, why have insurers generally remained cautious about writing cyber coverage on a large-scale basis? And why are so many prospects still hesitant to add the coverage to their insurance portfolios?
Our research revealed a number of significant obstacles carriers face when contemplating the sale of cyber insurance, as well as issues causing many prospects to hesitate when considering a transfer of at least a portion of their risk to third parties (see figure 1).
Many cyber insurers are concerned about biting off more risk than they can chew, let alone swallow. Besides the considerable challenge of underwriting and pricing cyber exposures given the dearth of data cited above, insurers may fear being overwhelmed by a sudden aggregation of losses.
Another concern is that a relatively narrow view of what constitutes cyber risk may be prompting many insurers to focus their marketing efforts primarily on those facing the possibility of PII theft. However, those we spoke with said such coverage is rapidly becoming commoditized and price-sensitive, limiting long-term insurer growth and profit potential.
Take the case of a manufacturer running an industrial control system with the help of IoT technologies. What if its operations are compromised by those who shut it down maliciously, sabotage the products it is producing, or both? Then there are the unique risks facing makers of autonomous passenger vehicles, which could theoretically be activated remotely by hackers and then stolen or misdirected into accidents.9 It is also conceivable that autonomous commercial trucks could be hijacked remotely in a cyberattack. Are these emerging exposures covered by standard liability policies, or might a specific cyber endorsement or stand-alone cyber policy offer a more certain risk-transfer alternative?
This lingering uncertainty likely makes it that much harder for insurers to quantify the exposure they are taking on when they write a cyber policy, and for buyers to appreciate how much exposure is actually being taken off their hands with the policies currently being sold.
With this approach, many insurers could perhaps leverage their internal cybersecurity expertise to facilitate external business growth. In defending themselves from cyberattacks, insurers often have threat intelligence units to collect and analyze data for their own risk-management needs. Such resources could perhaps be externalized to inform smarter underwriting and pricing of cyber coverage.
Insurers might also offset their data disadvantage somewhat by adopting a segmentation approach to underwriting. This would narrow the scope of cyber expertise required of underwriters by targeting specific industries or niches within them. Alternatively, insurers could become specialists in a certain type of exposure (such as data breaches vs. denial of service attacks) or area of technology (such as the IoT or domain name servers), rather than write generic cyber policies across the risk spectrum, so as to have a better handle on the exposures being assessed.
Overall, adopting a risk-management-based approach could give insurers some breathing room to collect more data and bolster their predictive models for the long haul. It could also improve their immediate competitive position and enable them to expand cyber writings more aggressively in the interim.
In addition, while global and regional brokerages may have the resources and expertise to take on this educational assignment, smaller independent agencies could have a problem keeping up. Such agents tend to deal with small business accounts that generate relatively low premium and commission payments, therefore providing little incentive for them to do more than pitch add-on cyber endorsements to standard policies.
A big part of the education process is to inform clients about the potential costs of a cyber event, both above and below the surface. Take data breaches, for example (see figure 6). There are well-known cyber incident costs to account for, such as customer breach notifications, but also less obvious expenses such as the value of lost contract revenue or the loss of intellectual property. This can lay the groundwork for a more informed sales presentation and purchase decision.
In the long run, standardization should lower the chances for potential coverage disputes that raise claims management costs for insurers, undermine consumer confidence in the certainty of their coverage, and hinder efforts to increase sales. Ultimately, establishing standards in cyber policies could enable those already selling products to write more business, while easing entry for additional players.