Assessing damage after a major cybersecurity breach is one of the most harrowing things a CIO or CISO can face. There is plenty of blame to go around but rarely enough people to accept it evenly. And when it comes to recouping money from cyber insurance claims, this blame game is further complicated by confusion.
A typical corporate cyber insurance discussion goes like this: The CEO or board chairman calls the CISO into the room and tells him that their insurer is going to pay out only 38 percent of a claim because "you didn't implement encryption on the affected applications."
The CISO says: "First, I didn't know we had cyber insurance. Second, the impacted apps are running our ATMs, and if we had encrypted them you would have fired me because our customers wouldn't have been able to access them. I wish you had talked to me before you implemented these policies."
A CISO unaware that his own company had acquired an insurance policy to hedge against the cyber attacks he was hired to prevent sounds more like a plot line for an episode of the HBO series "Silicon Valley" than an actual business case. But such disconnects happen frequently in the wake of breaches, according to Julian Waits Jr., CEO of PivotPoint Risk Analytics. "Insurance is purchased in silos," Waits Jr. says. "The two things that you think would go hand in hand as you deal with financial risk transfer hardly ever talk to each other."
Ignorance and confusion create coverage gaps
As a result, companies are often uncertain about what is and is not covered by their policies, and they often insure the wrong things at a time when claims can be rejected over inadequate security testing and audit procedures, unapplied patches, an inadequate incident response plan, or inadequate backup and recovery processes.
Meanwhile, insurers build aggregate risk models that amount to one-size-fits-all policies, which do not necessarily fit enterprise customers' particular needs. These mismatches pose major challenges at a time when PwC says the global cyber insurance market could grow to $5 billion in annual premiums by 2018 and at least $7.5 billion by 2020.
For better insight into cyber insurance, Waits Jr. commissioned research with input from both IT and insurers. Cyber insurance research firm Advisen polled 195 insurers and brokers, and the SANS Institute surveyed 203 information security and IT professionals, for "Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey," a report written by SANS analyst Barbara Filkins.
Filkins identified four key gaps that organizations must close in order to effectively procure cyber insurance policies that suit their requirements:
- The Terminology Gap. Infosec and insurance professionals acknowledge that they do not share a common definition of the fundamental concept of “risk.” InfoSec personnel think in terms of threats and vulnerabilities — and eliminating these by creating defenses, policies and programs. Insurance providers think in terms of reducing an organization’s risk of financial loss from a cyber incident.
- The Assessment Gap. Assessment frameworks establish standard practices, metrics and costs for minimal levels of cyber hygiene and are used to measure and benchmark defenses against other organizations and regulations. But insurers favor quantitative over qualitative models, yet only 25 percent of infosec respondents employ a detailed quantitative model.
- The Communication Gap. The gaps above have fostered a communication divide between infosec and insurers, between the infosec professional and the risk manager, and, within the insurance community, between underwriters and brokers.
- The Investment Gap. A lack of transparency in underwriting criteria has resulted in misaligned investments by buyers seeking cyber insurance. InfoSec personnel may invest in the wrong things, thinking it will make them insurable; or the insurance they purchase is not aligned with the losses they actually incur, and claims are denied. To further complicate matters, there may be policy provisions and exclusions that require legal counsel to interpret. For example, P.F. Chang's recovered $1.7 million from its insurer for post-breach expenses and the defense of a class action suit following a 2014 breach. But the company did not recover the $1.9 million it paid to a credit card processor for a PCI DSS assessment.
CISOs must be part of cyber insurance procurement
Shawn Wiora says SANS' gap findings are consistent with his experience evaluating and purchasing cyber insurance policies. As CIO and CISO of nursing care facilities provider Creative Solutions in Healthcare, Wiora found many policies lacking when matched up against his own security model, which is based on the Cybersecurity Framework established by the National Institute of Standards and Technology. He says that there is no tool or assessment matrix to help CISOs correlate their security postures with the policies they elect to purchase. Another challenge is that so few cyber insurance claims have been processed and made publicly available, which keeps businesses in the dark.
While cyber insurance is an issue that everybody wants to understand, no one wants to talk about it because discussing cyber risks makes people uncomfortable, says Wiora, who took steps to educate his entire C-suite about cyber risks and insurance. "There is a lot of confusion and it's such a young industry," Wiora says. "The insurers don't get it."
So, what is a CISO/CIO to do? David K. Bradford, co-founder and chief strategy officer of Advisen, has an idea: "The CISO needs to be involved at a very early stage to map those exposures and to work with the risk manager to understand what those exposures are, so that when the risk manager goes to the market he is able to explain it to the brokers, who in turn are able to explain it to the insurers and match it up with the correct coverage."