Oct 08, 2015

Tips for structuring your company's cyber-risk insurance policy

Rising costs of cyber-crime call for specialized teams to manage cyber-risk solutions and adoption of industry best practices to lower premiums

High-profile data breaches at Sony, JPMorgan Chase, Target, Home Depot and others have become a top concern for many executives, but the danger still hasn’t sold the majority of companies on the idea of buying stand-alone cyber-insurance to protect themselves from the rising cost of cyber-crimes.

In a recent survey of more than 2,200 executives involved in cyber-risk management, the Ponemon Institute finds that 52 percent of respondents believe their company’s exposure to cyber-risk will increase over the next 24 months, while only 19 percent say their company has cyber-insurance coverage. The survey results, published in the institute’s 2015 Global Cyber Impact Report, also show 37 percent of companies polled ‘experienced a material or significantly disruptive security exploit or data breach one or more times during the past two years’.

Cyber-crime involves attacks on the data companies use, the systems that move that data or the systems that help run a company’s manufacturing or business operations. Companies collect a wide variety of data for different purposes, including personal identifiable information (such as social security numbers), credit card numbers, employee data, medical records and other types of commercial information. Each company uses its data and business operating systems differently, and each company has its own estimate of the cost to restore that data and those systems if they were to be lost or disabled. Protecting and restoring critical data and systems should be the main concern when companies consider buying cyber-insurance, and insuring the right areas for appropriate amounts is the goal.

Last year, the Center for Strategic and International Studies calculated the annual cost of cyber-crimes globally at $445 billion; US President Barack Obama estimated the cost at more than $1 trillion. Due to the increasing number and size of some of the very largest data breaches, insurance companies are considering raising the minimum cyber-coverage for large companies. ‘You may have to pay for a minimum of $200 million of coverage,’ says Bob Parisi, managing director and cyber-product leader at Marsh, because carriers are saying ‘the minimum capacity charge is no longer good – we need two to three times that amount.’

So as the need for cyber-insurance protection rises along with the price, how can firms ensure they pay the lowest cost for the most coverage?

Crafting the right policy

1. Create a cyber-risk solutions management team. To properly deal with cyber-risk, companies should form a team of officers to handle data usage and network security issues. This group should include someone from the general counsel’s office, a compliance officer, the head of IT and information security, the CFO, the top risk management officer, an HR representative and key players in product development and business operations. All these areas deal with cyber-risk and its implications, and they must be involved in determining the right types of insurance to buy. The board should receive regular briefings from this group.

‘Rather than viewing this as a ‘check the box, or let the IT department deal with it’ situation, [cyber-security] is something that should be treated more as an enterprise risk-management issue that needs to be addressed by all levels of the organization,’ says Rebecca Pearson, senior vice president for Willis’ financial and executive risk cyber/E&O team.

2. Determine your cyber-exposures. Once a cyber-risk management team has been assembled, Parisi says it needs to have frank discussions to ‘determine what your risk profile looks like and what the relative frequency and severity of your exposures are based on how your business operates and the environment it operates in.’

For example, retailers, healthcare organizations, the hospitality industry and financial institutions typically concentrate on protecting the large amounts of personal identifiable information they collect, while manufacturers generally focus on protecting their supply chain, distribution and manufacturing operations from cyber-attacks that might disable them. Companies that handle personal information will want to make sure they have coverage for breach of privacy; large manufacturers will want to make sure they have business interruption insurance. Other kinds of exposure cyber-insurance may cover include: data breach liability, class action lawsuit liability, D&O management liability, cost of loss or corruption of data, cyber-extortion, network security failures, denial of service attacks and financial loss to third parties.

‘Organizations need to clearly define what their cyber-exposures are so that, when they buy cyber-insurance, they make sure the insurance covers their particular exposure,’ says Kevin Kalinich, global practice leader of cyber-solutions for Aon.

3. Assess how your company manages risk. Once you’ve identified your cyber-exposures, it is important to understand how your company is currently managing those risks. Companies that handle large amounts of data and personal identifiable information need to determine how effective their privacy policy is and whether they are using the latest available encryption technologies to mitigate some of their cyber-risk. All companies should have their risk management team conduct a thorough assessment to determine the level of risk mitigation currently being applied to key areas of the company and which areas remain unacceptably exposed.

‘Each company will have to take different steps depending on what its exposure is,’ says Pearson. ‘As a baseline, it needs to have privacy policies and an incident response plan in place, and it should be implementing appropriate IT security and training its employees on data network security.’

During this internal risk assessment, companies also need to review the insurance policies they already have in place. Parisi says they should look at all the risks they’ve uncovered and determine whether there is coverage for those risks built into current policies. He suggests they should ask such questions as: do we have cyber-extortion under our kidnap and ransom policy? And if not – or if so – what does that mean for our cyber-risk?

Kalinich says legal departments should check whether their general liability policy includes coverage for business interruption or property damage to third parties. If you have a basic crime policy, it might also cover loss of funds from an account resulting from a cyber-event. Companies should find out to what extent current insurance policies cover a range of liabilities during a crisis, as well as the future risk of legal action. They should then do a ‘gap analysis’ to determine where the gaps are in the risk-transfer measures already taken. This will help them make intelligent decisions about what to do about any unaddressed risks, how much that will cost and what the likelihood of an event is, in order to buy the appropriate coverage.

‘Review your existing insurance,’ says Kalinich. ‘Only after you’ve done that gap analysis should you look at the stand-alone cyber-insurance market.’

Keeping costs down

To lower the cost of premiums, companies must pinpoint the risks they need insurance for and then ensure they buy a policy that covers the cost of recovering from the risks that threaten the firm without adding charges for coverage they don’t need.

Steve Hamby, cyber-security expert and CEO of G Software, warns companies that because cyber-insurance is still relatively new, they could be offered a ‘one size fits all’ policy. Many legal experts believe cyber-insurance may soon be viewed as mandatory to avoid lawsuits from third-party business partners. But Hamby cautions that having just any cyber-policy won’t protect a company from financial losses and lawsuits; you have to have the right policy for your organization.

Most companies will transfer risk through an insurance policy and mitigate risk with technology, internal controls, policies and procedures. Performing a risk assessment and gap analysis will tell you which risks you’ve transferred through policies or mitigated through other means. ‘If you’ve mitigated [a risk], then you’re not looking to pay for it in your [cyber-insurance] policy – there’s no point to that,’ notes Hamby. A key question he advises companies to put to prospective insurance providers is: how do the controls I have in place affect my cyber-policy such that you are not quoting me the same price you are quoting someone else who has no security infrastructure at all?

Generally speaking, having solid privacy policies and procedures and a strong security infrastructure should lead to lower premium costs. But Parisi says carriers are also looking for companies to demonstrate that they are aware of cyber-risks and have board involvement, and that concerns about security and privacy ‘are baked into how the company operates. What the better companies are able to show these days is not only that they are as secure as they can be, but also that they have a certain level of resilience [to cyber-incidents]. They can show they will be able to manage through the crisis or the event in a way that is designed to diminish and minimize the potential harm or repercussions of a breach of security.’

Pearson agrees and emphasizes the importance of having an incident response plan and disaster recovery plan in place. ‘If a carrier sees that a company doesn’t have any sort of incident response plan, it is not going to look favorably on it,’ she points out.

In fact, how your company is viewed by an insurance carrier makes a marked difference. When it comes to cyber-policies, insurance carriers will especially be looking to see that certain information, security and technology standards are being used – and they may refuse to write a policy if they are not. ‘You’ve got to get a sense of how you’re going to be perceived by the insurance carriers,’ says Parisi. ‘They look at how you handle technology and security from a policies and procedures level.’

Be among the best

Adopting the best practices in your industry may also help reduce premiums as there is some correlation between that and lowering the incidence of cyber-crime. Kalinich says adopting the top standards in your industry can help your insurance premiums because ‘it will help you reduce your risk and also help satisfy the fiduciary duty of the board of directors and management because it demonstrates that you are trying to implement best practices.’

Finally, to bring premiums down, companies are advised to approach several insurance carriers to understand how they compete on price and coverage amounts. Stephanie Tomlinson, senior vice president of complex risk at Aon, says you can lower premiums by using an experienced insurance broker that is knowledgeable about cyber-coverage for all types of firms.

‘The broker can go out to all of the markets, evaluate all of the various insurance policies and make sure your company is getting the best coverage at the best price,’ she says. She suggests clients use a request for proposal to ‘approach multiple insurance brokers in order to understand what level of expertise the brokers bring to the table.’

Ultimately, Kalinich says protecting your company and getting the best price for cyber-insurance is a process that requires a corporate culture co-ordinated from the board to the line employees. ‘The only way this works is from the top down,’ he says. ‘[There] has to be a management culture where everybody is on board to follow best practices and take cyber-security into consideration.’

This article appeared in the fall 2015 print issue of Corporate Secretary Magazine