Insurance: for those unexpected events

UK financial services body the Prudential Regulation Authority (PRA) has issued a warning to insurers regarding the risk of claims for damages arising from cyber-attacks on their customers.

The PRA recommendations include the carrying out of stress testing of insurers' capability to respond to a large number of claims at once – no doubt inspired by the recent WannaCry and NotPetya attacks.

Following a year-long consultation, the PRA has set out what it expects from insurers that underwrite cyber-related losses. This includes introducing measures to reduce "unintended exposure to risk" such as raising premiums and having robust exclusions as well as specific limits for the cover offered.

This got us here at SC Media UK wondering whether cyber insurance policies are weighted too much in favour of the insurer rather than the insured, and just what the security industry makes of it all. Not least, whether cyber insurance adds value to the security equation or devalues it.

Dr Mike Lloyd, CTO at RedSeal, is of the opinion that "cyber-attack insurance is critical" as "organisations realise that perfect protection is not possible". His argument is that many enterprises are suffering breaches despite high levels of security spending.

"The days of just accepting all cyber-risks are gone," Dr Lloyd continues. "Too many companies have been hit too hard, so boards of directors are taking notice." He also admits that for the most part, insurers still don't fully understand either cyber-risks or the security implementations of the enterprises they are selling to. "We have insurance buyers who want more coverage, and issuers who do not want to take on a huge unknown risk," Dr Lloyd concludes. "Resolving this tension will not be easy."

Ken Munro, a partner at Pen Test Partners, agrees. He thinks the problem today is that cyber insurance is viewed with too much scepticism. "Many organisations are stockpiling money in Bitcoin to counter ransomware attacks," he explains. "Why aren't these businesses investing in cyber insurance policies instead? That's not only a wasted investment that offers no real benefit, it also fuels attacks."

Paul Calatayud, CTO at FireMon, isn't so sure. Cyber insurance is "of low value when it's used as a method of offsetting investments that should have been made in the defense of the cyber-security posture," he told SC.

Calatayud even went as far as suggesting that it can lead to a false sense of security or complacency which can result in "some organisations offsetting the cost of premiums and thinking that the coverage will cover any losses," which he compares to unbuckling your seatbelt while consoling yourself that your medical expenses will be covered when you have an accident.

Meanwhile, Tim Erlin, VP at Tripwire, argues that while cyber insurance is one method of managing risk, its use "should be specific, rather than broad". And enterprises need to be very aware of just what risk they are actually managing with these policies.

"Cyber insurance won't stop the bad guys," Erlin says. "At best it provides mitigation for the financial impact of a cyber-attack, but you are still responsible for actually preventing, and responding to, actual attacks."

Whatever your opinion of cyber insurance, Professor Giovanni Vigna, founder and CTO at Lastline, is convinced it's something we all need to get used to. "Whenever there is risk, there is a need to mitigate the risk and reduce exposure," he told SC Media.

"The problem is that currently there is not enough historical data to determine the correct balance between costs and benefits." The next few years will be very important in shaping the cyber-security insurance business. This should be good for security posture as it will mean strict requirements in terms of preventative measures before a policy is issued.

"This will force every company that wants to be insured to actually have a well-defined and documented security posture," Professor Vigna insists.

Simon Edwards, European cyber security architect at Trend Micro, agrees. He told us that, as defined in GDPR, organisations should be deploying 'state of the art' security controls to protect user data. "Insurers will probably require much the same if they are to cover the risk as required," Edwards said.

Robert Capps, vice president at NuData Security, agrees, adding: "Security posture can actually improve in the face of an in-force cyber liability policy, as underwriting guidelines and policy pricing are directly impacted by a company's cyber-security posture, and actual exposures regarding data on file."

However, Ilia Kolochenko, CEO of web security company High-Tech Bridge, warns that cyber insurance remains "a slippery slope and should be carefully analysed by legal and technical teams". If not, he says, you may end up paying money to cover statistically impossible events or implicitly undertake being liable for any breach.

The insurance industry can – so Ryan Jones, CEO at ThreatInformer, reckons – be of enormous help to companies with lower levels of cyber maturity. They will be able to "benefit as much from having quick access to legal, PR and forensic experts sourced by the insurers as from a claims payment itself," he insists.

Then there's the small matter that in order to incentivise clients to reduce cyber-risk, insurers will "often provide additional risk management tools and guidance which might otherwise be cost prohibitive for small companies".

Yet, as Alan Levine, security advisor for Wombat Security Technologies, points out, "Cyber insurance policies don't cover what CISOs would hope them to cover." They have been largely developed in reaction to personal data breaches, when the real potential impact should come from intellectual property breaches. "Insurers aren't providing coverage in that space right now," Levine warns, "and they may never offer that coverage at all."

Shahar Ben-Hador, CISO at Imperva, agrees that cyber insurance is "perceived in the security industry as high premiums and high risk for the buyer". From an information security leadership position, he argues it's virtually perceived as a lose-lose situation: "Not only do you buy insurance to protect from what you failed to protect against, but it is also highly likely that a potential claim will be disallowed for the same reasons."