The soaring costs of recovering from a security incident or data breach are driving interest in cyber insurance. While cyber insurance is typically viewed as a product mainly for large organizations seeking coverage and protection against state-sponsored attackers, criminals, and politically motivated hackers, it is also valuable to small and midsized companies and independent contractors.
Regardless of size, a cyber insurance policy can cover the costs of a ransomware attack or a business email compromise (BEC), business losses stemming from an outage resulting from the breach, and expenses incurred in rebuilding compromised systems. While the Federal Trade Commission (FTC) and the National Association of Insurance Commissioners (NAIC) have issued guidance suggesting small businesses consider cyber insurance as a means of resilience against cyberattacks, the fact remains that classic cyber insurance is expensive. It is often too difficult for small businesses to qualify for those policies.
To address this situation, companies are increasingly rolling out new products for work-from-home employees, SMBs, and micro companies with 50 or fewer employees. Earlier this year, Internet of Things platform provider Pepper partnered with Embedded Insurance to offer policies covering IoT networks and mobile devices. In October, eSure.ai announced its own offering underwritten by an unidentified “Top 5” insurance company, which would allow remote employees, independent contractors, and micro businesses to get insurance without going through the underwriting process.
The insurance product from eSure.ai only covers traditional end-point products, such as computers and laptops, and does not include mobile devices. In order to ensure potential customers have adequate security controls in place to qualify for a policy, eSure.ai requires that applicants go through a managed services provider (MSP) — the product itself is sold through the MSP channel. It is unreasonable to expect this group to have the security wherewithal and resources to install and maintain the necessary security controls, says Chase Norlin, CEO of Transmosis and president of eSure.ai, a Transmosis company.
Insurance or Warranty?
When individuals think of cyber insurance, they think of identity theft products offered by banks and other companies, but this perspective misses the bigger picture, according to Norlin. “A lot of consumers falsely believe that identity theft is going to somehow provide some broader cyber insurance coverage, which it does not,” Norlin says, noting that riders to homeowners’ or renters’ insurance policies “are incredibly weak.”
Last year, Transmosis launched a program to cover SMBs for losses they may incur from a cyberattack, but since that program’s contracts are not underwritten by an insurance company, it is not an actual insurance policy. Rather, it is more like a financial liability protection program or a contractual indemnity, where the company selling the protection is on the hook for any losses the policy holder suffers up to the value of the coverage.
One of the challenges SMBs could face when considering cyber insurance-type offerings from companies that are neither insurance brokers nor carriers is distinguishing between actual insurance and the warranty/guarantee model. As not all warranties and guarantees are the same, those who opt for this model need to determine what coverage is offered and compare the warranty coverages to traditional cyber insurance.
“When a company comes to you and says, ‘I’ll give you a million dollars of liability if you sign on with us, and we’ll protect you,’ is that million dollars shared with everybody else? Is that dedicated to that person?” says Peter Herdberg, vice-president of cyber underwriting for Corvus Insurance (which was acquired by Travelers Insurance last month). “Do they actually get an insurance policy or is it a contractual indemnity for a million dollars that you’re promising that the person is going to have to sue to access anyway?”
Herdberg cautions prospective customers to ask questions so they know precisely what they are getting and any possible conditions, limitations, or exclusions associated with the agreement.
Does Everyone Need a Policy?
High-net-worth individuals, such as entertainers, athletes, celebrities, corporate executives and other wealthy and famous individuals, should consider cyber insurance, but individuals who don’t fall in those categories may have a difficult time making the financial case to buy cyber insurance, says Herdberg. Organizations that are supply-chain feeders to larger companies could be targets of cyber criminals, so those companies need to consider the risks. Micro companies, such as law firms, accountants, healthcare offices and clinics, private equity firms, and other financial services companies that have few employees but are big targets for attackers, should also be looking closely at cyber insurance policies.
However, most mom-and-pop companies likely would not require the same type of business insurance, Herdberg notes, since their risk profile might not justify the cost of cyber insurance.
A full cyber insurance policy is generally more expensive and provides far more coverage than most individuals will ever need, save for the high-net-worth prospects, says Jeffrey Brown, CISO for the State of Connecticut, a member of the Board of Advisors to Cowbell Insurance, and the former head of information security, risk, and compliance at AIG. While having cyber insurance can be useful, becoming better educated on how you can protect yourself is a better first step, Brown says, noting that training and awareness webinars can help individuals become savvier on cyber issues.
It’s in everyone’s best interest, the buyer and the seller on insurance, when nothing happens.
Source: www.darkreading.com