The confusing and treacherous world of cyber insurance has been investigated at the Gartner Security and Risk Management Summit in London.
Asking for a show of hands from the audience of around 20-30 delegates, Gartner research vice president Paul Proctor asked how many had cyber insurance (one hand raised), how many were considering taking out cyber insurance in the next 12 months (two hands raised) and how many were simply interested in it (most hands raised).
Proctor said that cyber insurance is not a new concept: it has been around for 20 years, but it has exploded in the last 18 months. The problem, however, is that there is not enough evidence to make it a sound business model, and there is little in the way of example cases.
Listing his top ten talking points on cyber insurance, Proctor warned of the danger of "buying into the sales pitch": the biggest factor is that insurers invest heavily in marketing, so you rarely see anything written by someone with a background in cyber insurance.
He also advised being wary of brokers, choosing one with experience in claims settlement, and understanding the different categories of loss covered by the policy, as people often do not read or understand the small print.
Regarding a pre-insurance survey, he said: “You need to do a pre-insurance survey, so you need to look at your security policy. The insurer may ask to see it, and often it is textbook perfect, but you do none of it. If you go after it, look at the policy first. Think that if you make a claim, survey what they use to check the box, to protect yourself.”
He also said that in the event of a claim, an insurer will want to see your network data and evidence of the malware infection, and will want to run a forensic process, so make sure your environment is actually locked down the way you said it was, and that you can prove it, to have a better chance of a settlement.
The same applies to users: if your policy says employees are not allowed to install programs on their machines, but they do download applications and install Java code, it is important to understand the policy's exclusions.
One of the key areas in the rise of cyber insurance is the cloud. Proctor said: “Is a cloud insurance model unsustainable? If you read the agreements you will find you have paid for a service, but the cloud is uninsurable as it limits your liabilities and your provider works with 100 other companies. If there is a breach, the cloud provider will cover your expenses, but the chances of being 100 per cent whole are minimal.”
Proctor also said that in its investigations Gartner has had "extraordinary difficulty in finding claims". The reality, he said, is that nothing about claims is public, and finding anyone willing to discuss one has proved impossible. Gartner was forced to conclude that claims often end in negotiated settlements, so no one will talk about them.
“We cannot find information and we are speculating as to why that is. Ask your brokers about the claims process, even if anonymised,” he said.
“The healthier you are, the better the premiums, but you have to make sure you are adhering to everything in there.”
Proctor also said that there are 20 major insurance carriers offering cyber insurance, but only four specialising in it, and premiums are often $10,000-35,000 per $1 million of cover.
He likened it to medical insurance, where you only want to claim for a major injury, but at the same time you should not look for blanket coverage. “If you are sick when you apply, they will not insure you, as you cannot say you were not sick when the claim is not paid. Also, don't let executives push you into it; it comes down to getting claims paid,” Proctor said.