A panel of industry insiders at SC Congress Atlanta examined cyber-insurance and what is driving the industry's rapid growth.
The product is not new, but it has come to greater prominence following a string of high-profile breaches over the past few years, said Illena Armstrong, VP of editorial at SC Magazine, welcoming attendees and introducing the session.
Cyber-security insurance as a product has evolved dramatically, said panelist Brook Dutcher, underwriting manager, technology and cyber at Tokio Marine HCC, and that evolution has followed no continuous path, with little continuity in approach.
Benchmarking has been challenging, he told the audience. “The nature of exposure is entirely different in various sectors.”
Adding to the lack of clarity is the fact that cyber-risk lacks the actuarial data underwriters traditionally rely on when assessing risks. “Looking at the way data is handled and how it's located changes the style we've been taking with this risk,” Dutcher explained.
Tom Costin, manager of information security at the Federal Reserve Bank of Atlanta, said he tends to look at cyber-security insurance as a form of risk transference. “We need to understand the risk, and in order to understand a risk mitigation plan we look at likelihood and impact,” he said. The questions that need to be asked, he added, are: What are the costs? What kind of organisation is it and what data is held? In the case of financial and healthcare organisations, the risk is high.
Further, when looking at cost it's necessary to look beyond the initial impact. There is more to the situation than direct costs, he explained, namely the effect on brand and reputation. “Having cyber-security insurance makes your risk posture stronger,” Costin said.
It was the breach at retailer Target a few years back that set the precedent for responses to an attack, Dutcher said.
Cyber-security insurance is really just another mitigating factor, Costin added. “When responding to breaches and other cyber incursions, organisations need to have a response team in place, including a CISO, as well as technology, such as configuration management, and know how to work with it.”
“The importance of having a security framework is knowing where the risk is,” Costin said.
Last year was the year of the healthcare breach, with 100 million medical records exposed, Dutcher pointed out. “From our vantage point, we ask: ‘How do you assign a value to that risk and what's the volume of records and the regulatory guidelines?’” He also asked what the shareholders are saying.
Organisations have to keep moving forward to assess and operate with a reasonable standard of care, Dutcher said. The point is to recognise where the important data is and segment it off, he said.
When asked how buyers can make sure they are covered, Dutcher explained that whether a claim is paid depends on the policy addressing the specific aspect of exposure at issue, such as reputational harm or regulatory fines. “Carriers have different ways to assess risk,” he said.
Today there are myriad market segments, he added. For example, an Uber driver moves through different levels of coverage as they log in to the app and pick up and drop off customers. The software can recognise the different situations, and coverage is switched to match each step.
As for what goes into an evaluation, large organisations with revenue in excess of $500 million (£346 million) are perceived differently from smaller organisations, Dutcher said. “We're able to encourage companies to adapt reasonable business practices, such as NIST initiatives, to provide guidance for underwriting.”
And what about government entities, which often self-insure? Costin said cyber-security insurance could help the Fed by limiting risk to taxpayers. However, there is a caveat. “We need to be extremely careful in our measurement of risk.” He said he wasn't sure the tools were in place to measure that risk to the level of accuracy that would support his department's fiduciary responsibility. “Self-insuring is essentially the default, but we work to understand the risk budget,” he said.
It will be challenging, he added, to apply an older mindset to the emerging risk landscape, particularly the Internet of Things, which, he said, is designed to be promiscuous, opening the possibilities for a huge amount of exposure.