A Big Driver For Cybersecurity Spending? Wary Cyber Insurance Vendors

a driver of cybersecurity spending, he says.

In the past, the cost of a data breach would, arguably, have been covered by the traditional general liability insurance policy of a business.

But in this era of mega-breaches, insurance companies have been excluding cyber losses from the list of covered risks under general business insurance policies. Instead, dozens of companies such as Chubb, Travelers, and American International Group (AIG) offer standalone cyber insurance as a specialty product.

Sony and restaurant chain P.F. Chang’s tried to rely on their commercial general liability policies to recover some of the costs of data breaches, and ended up in court fights with their insurance companies, the Insurance Information Institute noted.

New cyber insurance product categories offer the prospect of billions more in revenues to the insurance industry. But insurance companies are stepping carefully because they don’t have enough years of past data on claims to estimate actuarial risk and confidently set prices on premiums. In the wake of mounting data breaches, insurers are taking steps like raising premiums on cyber insurance, imposing deductibles, and limiting total recoveries to $100 million or less, Reuters reported late last year.

Some of the big companies hit hard by cyber attacks paid a hefty share of the losses themselves. Cybersecurity industry observers say Target’s insurance carriers paid $90 million of the losses from the company’s 2013 breach, while Target paid $162 million out of pocket through 2014.

A company’s costs after a breach could include legal battles with its insurance companies, if those carriers claim the business was not covered for some or all of the damage under the terms of their policies, or if they argue that its security measures were not adequate.

Kim Green, chief information security officer at San Francisco-based Zephyr Health, predicts that insurance companies will begin requiring policyholders to adopt the specific security measures and procedures they recommend. Green says those decisions would be best left in the hands of the insured companies.

“Unfortunately, because carrying cyber insurance is almost always required these days, the insurance companies would undoubtedly have leverage should they move in that direction,” Green said in a survey of 10 chief information security officers last month by Security Current, a publication for those professionals.

Weatherford says companies should hire a broker to help them negotiate the terms of their cyber insurance policies to make sure there are no surprises if they have to make a claim. The boilerplate terms of cyber insurance policies tend to have many clauses that rule out coverage under a range of circumstances, he says. One such clause would exclude coverage for acts that could be defined as terrorism or insurrection, he says.

“You should eliminate this clause,” Weatherford says.

Cyber insurance companies are assembling their own partnerships with security professionals, such as law firms and the forensics companies that trace the causes of data breaches. Weatherford says companies shopping for cyber insurance should make sure their policies allow them to choose their own outside counsel to lead the response to a cyber attack, rather than being obliged to use the lawyer recommended by the insurance company.

The constantly evolving cyber threat environment means that insurance companies might no longer base the price of premiums on a security evaluation of the client that happens once a year, Weatherford says. Instead, policyholders’ data networks may be subject to continuous digital monitoring and risk scoring as threats arise. If the company response to an incident falls short, the premium could go up. Conceivably, premiums could change monthly, weekly, daily—or even hourly, he says.

While businesses may have seen cybersecurity companies and cyber insurance firms as competitors for the dollars they spend to protect themselves against losses from cyber attacks, the interests of insurance underwriters and security companies are actually aligned. In fact, there is some blending of roles.

Insurance companies are becoming more deeply involved in the details of cybersecurity protection and procedures, Weatherford says.

“Underwriters are incentivizing better behavior,” Weatherford says. “That mitigates their risk.”

Author: Bernadette Tansey

Bernadette Tansey is a former editor of Xconomy San Francisco. She has covered information technology, biotechnology, business, law, environment, and government as a Bay area journalist. She has written about edtech, mobile apps, social media startups, and life sciences companies for Xconomy, and tracked the adoption of Web tools by small businesses for CNBC. She was a biotechnology reporter for the business section of the San Francisco Chronicle, where she also wrote about software developers and early commercial companies in nanotechnology and synthetic biology.