Today’s computer networks’ infrastructure, users, and services are all vulnerable to a wide range of threats such as distributed denial of service attacks (DDoS), intrusions of various types, eavesdropping, hacking, phishing, worms, viruses, spams, and so on. To mitigate the danger posed by these threats, network users have typically relied on antivirus and anti-spam software, firewalls, intrusion-detection systems (IDSs), and other tools. A large industry (companies such as Symantec, McAfee, Microsoft Defender, and others) and significant research efforts are currently focused on developing and deploying tools and techniques to detect threats and anomalies in order to protect the cyber infrastructure and its users from the negative impact of such threats.
Despite advancements in risk-aversion approaches over the last decade due to hardware, software, and cryptographic procedures, complete or near-perfect cyber-security protection is difficult to attain. The impossibility comes from a variety of factors, including:
- Existence of a few very good technical solutions.
- Difficulty in building solutions that cater to the various intentions underlying network attacks.
- Misalignment of incentives for network users, security product suppliers, and regulatory bodies to secure the network are misaligned.
- Network users who take advantage of the favorable security impacts provided by other users’ security investments, in turn, do not invest in security, resulting in the free-riding dilemma.
- Customer lock-in and first-mover advantages of insecure security products.
- Difficulty in measuring risks, resulting in difficulties in devising relevant risk elimination solutions.
- The problem of The Market for ‘Lemons’ that is security companies have little motivation to create solid systems.
- Product providers engage in liability evasion.
- User naiveté in fully utilizing the feature benefits of technology solutions.
Given the aforementioned insurmountable impediments to near-perfect risk mitigation, the necessity for alternate risk management strategies in cyberspace arises. To underline the need of enhancing cyber-security, US President Barack Obama issued a cyber-security executive order in February 2013 emphasizing the need to reduce cyber threats while remaining resilient to them. In this regard, some security researchers have recently recognized cyber-insurance as a potential risk management tool.
What’s a Cyber Insurance?
Cyber-insurance, often known as cyber security insurance, is a risk management approach in the broad sector of Operational Risk that transfers network user risks to an insurance business in exchange for a charge, i.e. the insurance premium. Potential cyber-insurers include ISPs, cloud providers, and regular insurance companies. Insurance contracts shift appropriate levels of self-defense liability to clients, making cyberspace more resilient. The term self-defense refers to a network user’s efforts to defend their system with technical solutions such as anti-virus and anti-spam software, firewalls, employing secure operating systems, and so on.
Cyber insurance has the potential to be a market solution, aligning the economic motivations of cyber insurers, users (individuals/organizations), policymakers, and security software vendors. In other words:
- cyber-insurers will profit from appropriately pricing premiums,
- network users will seek to hedge potential losses by jointly purchasing insurance and investing in self-defense mechanisms, policymakers will ensure an increase in overall network security,
- and security software vendors may benefit from forming alliances with cyber insurers.
A critical aspect of risk management is determining what is an acceptable risk for each firm or what is reasonable security for their specific working environment. Practicing a ‘duty of care’ protects all interested parties – executives, regulators, courts, and the general public – who may be affected by those risks. When creating security measures, the Duty of Care Risk Analysis Standard (DoCRA) provides procedures and concepts to help balance compliance, security, and business objectives.
What’s Cyber Insurance in Practice?
Cyber-insurance is a type of specialized insurance designed to protect organizations from Internet-related hazards, as well as risks associated with information technology infrastructure and operations in general. This type of risk is often excluded from standard business general liability policies or is not clearly described in traditional insurance products. Cyber-insurance policies may give coverage for the following items:
- First-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks;
- liability coverage indemnifying companies for losses to others caused by errors and omissions, failure to safeguard data, or defamation;
- other benefits such as regular security audits, post-incident public relations and investigative expenses, and criminal reward funds.
What are the Benefits?
Cyber-insurance products are still in the early stages of development, and insurers are actively collaborating with IT security firms to develop their solutions. Insurance products are increasingly being acquired with existing IT security services as insurers pay out on cyber losses and cyber dangers evolve and adapt.
According to one estimate, 46% of all breaches affect businesses with fewer than 1,000 employees. Strong security measures and cyber liability insurance may be required in this instance.
Cyber-insurance is extremely advantageous in the event of a large-scale security compromise, in addition to directly increasing security. Insurance provides a smooth funding channel for big loss recovery, assisting firms in returning to normal operations and decreasing the need for government aid.
What are the Different Kinds of Policy?
An insurance policy that covers loss caused by a cyber or hacking disaster.
Theft and Deception
An insurance policy that covers loss of money (or an equivalent monetary instrument) as a result of theft of such assets by a malevolent actor(s) whose fraudulent action, primarily unauthorized access to the policyholder’s systems, permits such actor to get such assets through fraudulent transfer.
An insurance policy that covers the legal, technical, or forensic services required to determine whether a cyber attack happened, the consequences of the attack, and how to halt an attack.
An insurance policy that covers lost revenue and associated costs if a policyholder is unable to conduct business as a result of a cyber incident or data loss.
An insurance policy that covers the costs of investigating threats to commit cyber assaults against the policyholder’s systems, as well as payments to extortionists who threaten to obtain and divulge critical information.
An insurance policy that covers reputation threats and cyber defamation.
Data Loss and Recovery on a Computer
An insurance policy that covers physical damage to or loss of use of computer-related assets, as well as the costs of retrieving and restoring data, hardware, software, or other information deleted or damaged as a result of a cyber assault.
An insurance policy that covers the costs of restoring or recreating data that has been lost due to a security breach or system failure.
The latest addition to cyber insurance, this insurance policy covers the loss from cryptocurrency hacks, thefts, and extorsions (with limitations). Companies like Lloyd’s and Relm Insurance are entering this market. Some insurers exclusively cover crypto exchanges because that is where the majority of crypto funds are held. Others only in specific circumstances reimburse stolen cryptocurrency funds. In general, the plans do not cover losses caused by volatility in the cryptocurrency market. They frequently do not safeguard against direct hardware loss and damage, cryptocurrency transfers to third parties, or disruption or failure of the blockchain backing the asset.
How do you Get a Policy?
Before the insurance provider will issue the policy, companies wanting to obtain cyber-insurance coverage are frequently required to engage in an IT security audit. This will assist businesses in determining their present vulnerabilities and will allow the insurance carrier to assess the risk they are taking on by issuing the policy to the firm.
By completing the IT security audit, the business purchasing the policy will be required, in some situations, to enhance its IT security weaknesses before the cyber-insurance policy may be purchased. This, in turn, will assist lower the risk of cybercrime against the organization purchasing cyber insurance.
This also enables a more precise calculation of premium costs commensurate with the level of predicted loss from such risks.
What are the Main Weaknesses?
Ambiguities in terms
It’s not always clear what is covered and what is not.
FM Global conducted a poll of CFOs at organizations with more than $1 billion in revenue in 2019. According to the poll, 71% of CFOs believed that their insurance provider would cover “most or all” of the losses their firm would incur as a result of a cyber security attack or crime. Nonetheless, several of those CFOs said that they expected cyber-attack-related damages that were not covered by standard cyber-attack policies. Specifically, 50% of CFOs predicted that a cyber assault would devalue their company’s brand, while more than 30% predicted a revenue decrease.
War exclusion clauses
Cyber insurance, like conventional insurance contracts, generally includes a war exclusion provision, which clearly excludes harm caused by acts of war. While the majority of cyber insurance claims will be for ordinary criminal behavior, firms are more likely to be victims of cyberwarfare strikes by nation-states or terrorist organizations, whether explicitly targeted or just collateral damage. Following the US and UK governments’ classification of the NotPetya attack as a Russian military cyber-strike, insurers argue that such occurrences are not covered.
Are These Policies Easily Accessible?
Although at least 50 insurance companies provide cyber-insurance products, the actual writing is today centered among five underwriters. Many insurance firms have been cautious to enter this coverage market since there is no reliable actuarial data for cyber exposure. Inadequate disclosure about cyber assaults by those impacted is impeding the creation of this actuarial data. However, following a big malware breach in 2017, Reckitt Benckiser disclosed information on how the cyberattack might affect financial performance, prompting some analysts to assume that the trend is for firms to be more upfront with data from cyber disasters.
The top companies in the US offering cyber insurance products are:
- Chubb (Market share: 9.8%)
- Fairfax Financial (Market share: 9.0%)
- AXA XL (Market share: 8.7%)
- Tokio Marine HCC (Market share: 5.2%)
- AIG (Market share: 5.0%)
- Travelers (Market share: 4.8%)
- Beazley (Market share: 4.2%)
- CNA (Market share: 3.8%)
- Arch Insurance (Market share: 3.6%)
With cyber insurance premiums predicted to rise from roughly $2 billion in 2015 to $20 billion or more by 2025, insurers and reinsurers are refining underwriting criteria. Because of market immaturity and a lack of standardization, underwriting cyber products is an interesting place to be in the insurance sector these days.
How Much Does It Cost?
The average cost of cyber liability insurance in the United States in 2019 was estimated to be $1,501 per year for $1 million in liability coverage and a $10,000 deductible. The average annual premium for a $500,000 cyber liability limit with a $5,000 deductible was $1,146, and the average annual premium for a $250,000 cyber liability limit with a $2,500 deductible was $739. In addition to location, the type of business, the quantity of credit/debit card transactions processed, and the storing of sensitive personal information such as date of birth and Social Security numbers are major cost drivers for cyber insurance.