Cyber security insurance is set to become more sophisticated in 2016, forcing enterprises to meet new security requirements to be eligible for coverage, according to a new report.
Predictions by combined company, Raytheon/Websense, said cyber insurance will move toward a ‘must have’ and ‘evidence based’ model with new minimum level requirements in place for policies. This is expected to disrupt the cyber security industry and place new challenges on IT workers, while also driving improvements in companies’ ability to handle threats.
With ongoing technological advances and the growing value of data, cyber security insurance has had to rapidly evolve in the last few years to cater to the growing complexity and unpredictability of cyber-attacks, the report said.
Moving forward, insurance companies will refuse to pay for breaches caused by ineffective security practices, while premiums and payouts will become more aligned with underlying security postures and better models of the cost of an actual breach, the report said.
It was noted that cyber insurance actuarial models will be based on four factors:
- Market Cap – representing not only outstanding shares, but the perceived value of the company.
- Risk Profile – onsite assessment to determine how prepared companies are to defend against attacks.
- Targeting Profile – gathered from multiple cyber companies to determine how often a company is attacked.
- Responsiveness – how quick companies can shut off breaches, regain control of their companies and eject attackers.
Other variations in determining how ‘at risk’ certain sectors or organisations are will include factors like the value of the data stored, the company profile and culture, and training of employees in IT security best practice.
“We believe that cyber insurance policies will begin to take these variations into account, offering more customised policy rates for those defenders who can demonstrate a better cyber history,” the report said.
“As cyber insurance becomes still more mainstream, savvy defenders should factor in policy costs with defensive posture buying decisions; considering the impact of verifiable security risk exposure, including the third-party continuous monitoring of corporate networks for risky user behavior.”
Increasing end-to-end security
Bob Handsman from Websense said companies will need to take greater steps to increase end-to-end security if they want to meet the criteria for payouts as insurers “will not be lax” in cementing those requirements.
Insurers will undertake cyber audits for compliance to their requirements for a business to gain full policy value, while also reserving the right to conduct penetration tests to validate the health and effectiveness of the company, the report said.
“Just as life and health insurance is more for a smoker than a non-smoker, a company that follows certain practices stipulated by insurance companies will get a better rate, so it’s going to get much more complicated,” said Handsman.
Using email as an example, Handsman says too many companies do too little to defend against phishing, and invest too much in zero-day malware. “Too many people say ‘we’ll catch it at the malware’, and that’s like the banks saying ‘you know what, forget the locks on the doors, forget all the guards, we’ll just stop them at the safe’,” he said.
“Companies are now going to have to look at the chain of events (the ‘kill chain’) that can lead up to a breach, and figure out all the things they can do to stop it.”
The growing cost challenge
Insurance will likely continue to grow in cost, as Handsman notes that anyone selling insurance is in it for a profit.
“They’re not trying to find a cheap way to give you money if something bad happens. This coming year, we are going to see breaches and people are going to try and collect the insurance premiums and find out they don’t qualify because of one thing or another.”
A recent Wells Fargo survey found that 85 per cent of US companies with $100 million+ in annual revenue have purchased cyber or data privacy insurance, and 44 per cent have since filed a claim after a breach. Further, deductibles in the US have reached $25 million for $100 million policies.
Forty-two per cent of midsize corporations have cited cost as the biggest challenge to purchasing coverage, the Wells Fargo report said.
“[Insurance companies] put in high deductibles that will get rid of most of the lower level breaches, they only want to be there for the big stuff - it’s like getting health insurance but it only covers cancer,” said Handsman.
Seeking certain cyber insurance policies will also drive cost internally, added Handsman, as companies will have to invest in more technologies, end-to-end solutions, and do more due diligence around different offerings. A shortage of skills in certain areas may also mean companies are required to invest in more security personnel or professional services to meet certain requirements.
“The good news is it’s not regulated or demanded by government so it is optional. Then the company will end up making that choice,” said Handsman.
“They’ll say, it’ll cost us X amount to change this or we can take the lesser insurance. It’s a business decision, at the end of the day.”