With major security breaches like WannaCry and the Equifax hack occuring more frequently than ever before, organizations big and small are realizing it’s not a matter of “if” anymore, but, “when” they should expect a breach to occur. These recent events should be a wake up call for all companies that cybersecurity breaches are an almost unavoidable reality, and that it’s time to start protecting themselves financially at any cost.
However – even with the Equifax breach still visible in our rearview mirrors – insurance experts estimate that only about half of major enterprises have secured cybersecurity insurance policies.
To understand why cybersecurity insurance hasn’t gained significant traction despite the spate of high profile breaches, the editors of Insurance Tech Insider sat down with insurance consultant and expert – and jewelry designer, Lauren Effron. During the discussion, Lauren talked about what cybersecurity insurance policies cover, why companies may be reticent to purchase them, and whether or not cybersecurity insurance policy adoption will increase in the near future.
Here is what she had to say:
Insurance Tech Insider (ITI): How pervasive is cybersecurity insurance across enterprises? Some recent reports claim that about 50 percent of companies have it. Is this accurate?
Lauren Effron (LE): I think that number is an overestimate. I recently saw an article in the Insurance Journal that put that number as low as 16 percent of companies that have cybersecurity security insurance that covers all risks.
ITI: Why do you feel some companies are hesitant to purchase it?
LE: I think it’s a combination of many factors. First, many of they believe that cybersecurity breaches and incidents may be covered by their liability coverage. Obviously, that’s not the case. Others simply don’t understand the coverage options that are available to them enough to make an informed decision.
Then there’s the issue with pricing. There’s a lack of clarity about the pricing of cybersecurity insurance policies. And, because there are different coverages and different products from different insurance companies, it can be difficult for companies to compare one insurance product against the others. Also, since these are relatively new products that they have little to no experience with, they simply don’t know what it should cost, which can make the pricing seem arbitrary or confusing.
Purchasing cybersecurity coverage isn’t like buying a car insurance plan. There are so many different things involved – so many different aspects of cybersecurity to cover – that it can make it difficult to piece together the coverage options that the company needs.
Finally, for these big companies, there isn’t really a lot of hard data on how much a major breach could cost or what the impact would be should they be affected by one. There are estimates out there, but the sheer scope and size of the fallout from a breach is unknown to many of them. They simply may not realize the financial sense that cybersecurity security insurance could make for their company.
And it does make financial sense. These breaches could cost a company upwards of $200M and up – and that could be a conservative estimate.
ITI: Speaking of coverage options and choices, what is traditionally covered by today’s policies? What isn’t?
LE: There are a few different coverage options or types that are available to businesses, and those include data compromise protection, identity recovery protection, and cybersecurity damage by a virus or computer attack – and that includes restoring damaged or lost data.
Also, there are two types of coverage – first party coverage and third party coverage. First party coverage insurers anything that is done to an enterprise’s networks and data – that can include data destruction, distributed denial of service (DDoS) and other attacks. Third party coverage is for attacks that do damage to others, such as damage that results from failure to safeguard data. For example, the consumer data that was compromised in the Experian breach would be covered under third party coverage.
But there is another element to cybersecurity insurance – risk management. The insurance companies don’t want their customers to experience a breach since it would result in them having to pay claims. So, they work with their customers to ensure that they’re protecting their data. This is similar to what insurers do with liability insurance, where they go on-site and work with their customers to conduct risk-assessments and put safeguards in place.
ITI: Why are they difficult for insurers to price and underwrite for insurers?
LE: There is very little actuarial data available for the insurance companies to use to accurately price the third party coverage going forward. In order for companies to come up with actuarial sound pricing, there has to be some data available to them to determine reasonable premiums. This is starting to change, however. Catastrophe modeling companies are working to helping these insurance companies by establishing models that they can use in the actuarial process.
Then there’s the issue of uncertainty and unpredictability. Companies that have invested in the best cybersecurity defenses and that are following the best procedures could still fall victim to a cybersecurity breach as a result of third parties, vendors and other trusted partners in their supply chain that aren’t as astute with their security statures. This makes it even harder to establish what a company’s cybersecurity risk is.
ITI: Do you think adoption will increase in the near future? Why or why not?
LE: Adoption is certainly going to increase as a result of a number of factors. Part of it is going to be the publicity around some of these major breaches as they happen. Each time they happen, companies will become increasingly aware of the impact on their business.
Then there’s planning and budgeting. As executives become increasingly aware of the impact of breaches, they’re starting to budget more for cybersecurity security. And part of that budget will include insurance costs. And their boards are starting to put pressure on them to ensure that part of that budget is spent on cybersecurity insurance.