Cyber Insurance Coverage: a Brave, Uncertain New World for Insurers and Policyholders

Despite the escalating intensity and frequency of cyber attacks, fewer than 1/3 of U.S. businesses have purchased cyber insurance policies. A recent report by Deloitte provides insight into why organizations are deciding to go without cyber coverage, as well as why many insurers are hesitant to offer the coverage on a large-scale basis.

According to a recent report by Deloitte, Demystifying Cyber Insurance Coverage, cyber insurance policies represented only $1.5 to $3 billion out of a total of $505.8 billion in premium revenues generated by U.S. carriers in 2015. Further, only about 29% of organizations had even purchased a policy as of October 2016. Just 40% of Fortune 500 companies have coverage. Even companies that do have policies may have “skinny” coverage that will leave them high and dry if they ever do file a claim; just ask fast-casual restaurant chain P.F. Chang’s, which found out the hard way that its cyber insurance policy did not cover millions of dollars in liabilities to credit card issuers in the wake of a POS breach.

Why is cyber coverage so spotty? It’s easy to point fingers at insurers, policyholders, or both. After all, insurance companies do not make money from paying claims; they make money from collecting premiums and paying claims only rarely. When a policyholder files a claim, whether it’s for a roof repair or a ransomware attack, the insurer will look for every reason not to pay out. At the same time, both the public and private sector are guilty of not taking cybersecurity seriously; from Yahoo to Major League Baseball to the U.S. Secret Service, organizations keep getting breached, yet they also keep behaving as though a major cyber attack will never happen to them.

While these are valid issues, the cyber insurance situation is not that simple. Deloitte’s report identified numerous obstacles in the path of both insurance companies that wish to sell policies and organizations that wish to buy them. Specifically, insurers struggle with:

• A lack of historical data, making it difficult or impossible to build reliable predictive models.
• The dynamic nature of cybersecurity, where brand-new threats are emerging literally daily.
• The potential for “catastrophic accumulation” of claims if a nationwide or worldwide cyber attack brings down hundreds or thousands of claimants simultaneously; for example, if cyber terrorists were to strike the nation’s power grid, or a major website host is taken down.
• “Tunnel vision,” which causes insurers to primarily focus on policies that protect insureds against the theft of personal identifying information (PII); not all organizations handle PII, and the threat landscape includes DDoS attacks, ransomware, and other attacks that can cripple an organization but do not involve the compromise of PII.

On the other side, policyholders are plagued by:

• Not fully understanding their cyber risks or insurance options; similar to the situation with health insurance, many organizations feel they don’t “need” cyber insurance or require only bare-bones policies.
• Erroneously thinking that they are already covered because another insurance policy, such as a general liability or business interruption policy, does cover some degree of cyber risk.
• An inability to effectively compare policies due to a lack of standardization, another issue that seen in the individual health insurance market; buyers are unable to make “apples to apples” comparisons.
• A legal landscape that is as dynamic as the threat environment; what is and isn’t covered by an insurance policy can be hard to determine, and insureds fear having to duke it out with insurance companies in court.

Cyber Insurance Is Not a Replacement for Proactive Cybersecurity

Organizations that wish to purchase cyber insurance policies cannot go it alone. They must enlist expert help from cybersecurity professionals, not only to make sense of potential policies but also to evaluate their risk environments and determine what type of coverage they need. Because the cyber risk environment is continually evolving and changing, cyber coverage should be reviewed annually; a policy an organization purchased two years ago may no longer meet its needs.

Just as homeowners’ insurance is not an excuse to keep your doors unlocked or leave food cooking on the stove unattended, even a robust cyber insurance policy is not a replacement for proactive cybersecurity measures. Insurance policies will always contain exclusions, especially in cases where the insured was negligent in some manner, claim payouts will never be immediate, and insurance policies cannot repair damage to an organization’s reputation.

The cybersecurity experts at Lazarus Alliance have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cybersecurity®. Call 1-888-896-7580 to discuss your organization’s cybersecurity needs and find out how we can help your organization adhere to cybersecurity regulations, maintain compliance, and secure your systems.

New York State Cybersecurity Regulations for Financial Institutions Could Be Model for Other States

The first phase of the New York state cybersecurity regulations, which apply to insurance companies, banks, and other financial institutions operating within the state, went into effect on March 1.

While the insurance and finance industries are already highly regulated, New York’s legislation is the first at the state level to mandate specific cybersecurity requirements. While there is some overlap with existing regulations and standards, the requirements under New York’s law are very specific. However, there’s nothing Earth-shattering about the requirements; they consist of common-sense, proactive cybersecurity practices that all organizations should already be adhering to. Because of this, and the international reach of the finance and insurance organizations it applies to, it is expected to be a model for other states.

Requirements of the New York State Cybersecurity Regulations

The new law is 14 pages long and contains 23 sections; you can download a PDF copy of it here. Among other things, organizations must:

• Design and implement a cybersecurity program based on a comprehensive risk assessment. Among other requirements, the program must address the organization’s plan to detect and respond to “Cybersecurity Events,” “recover from Cybersecurity Events and restore normal operations and services,” and “fulfill applicable regulatory reporting obligations.” The cybersecurity program must also establish secure development procedures for applications developed in-house.
• Implement and maintain a written cybersecurity policy. The policy must be based on the risk assessment and include “policies and procedures for the protection of [the organization’s] Information Systems and Nonpublic Information stored on those Information Systems.”
• Design and maintain a written cybersecurity incident response plan.
• Provide all employees with ongoing cybersecurity awareness training.
• Designate a Chief Information Security Officer (CISO). The organization may hire its own CISO or use a third-party service provider to fulfill this function.
• Perform penetration testing, vulnerability assessments, and periodic risk assessments.
• Maintain audit trails.
• Establish appropriate system user access privileges.
• Employ “qualified cybersecurity personnel” to perform cybersecurity-related functions. Third-party personnel may be substituted for in-house employees. Importantly, the law requires that these personnel be provided with ongoing training so that they stay current in their field.
• Establish a separate cybersecurity policy for third-party service providers.
• Utilize multi-factor authentication and data encryption.

The law also contains reporting, notification, and confidentiality requirements, as well as certain exemptions for organizations with fewer than 10 employees, less than $5 million in gross annual revenues, and less than $10 million in assets.

Skills Gap Could Make Compliance Challenging

Most banks, other financial organizations, and insurance agencies in the state of New York have six months from March 1 to implement the first phase of the law, including the cybersecurity policy, employee training program, and incident response program. Despite the law’s exemptions for smaller firms, many finance and insurance organizations are worried about their ability to comply with the new law. There is a significant cybersecurity skills gap, which has already driven salaries through the stratosphere – assuming an organization can even find qualified talent to begin with. Now that multinational Wall Street finance companies are expected to begin aggressively recruiting security analysts and engineers, the talent pool will shrink even further, and labor costs will rise even higher.

The new law is quite complex, and the penalties for non-compliance are very high. Now more than ever, firms affected by the New York law need to (1) Make use of RegTech software such as Continuum GRC’s IT Audit Machine (ITAM) to automate their governance, risk, and compliance functions and (2) Outsource their cybersecurity to a qualified third-party provider such as Lazarus Alliance.

The cybersecurity experts at Lazarus Alliance have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will ensure that your organization is complying with the new requirements under New York’s cybersecurity law, and protect you from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cybersecurity®. Call 1-888-896-7580 to discuss your organization’s cybersecurity needs and find out how we can help your organization adhere to the New York state cybersecurity regulations, maintain compliance, and secure your systems.