Cyberinsurance Policy Sales: Who's Buying?


Risk and compliance officers and other business executives have the most influence over whether to purchase a cyberinsurance policy, according to a recent study about the increasing interest in underwriting risks.

Interestingly, the Ponemon Institute study of nearly 19,000 people involved in their company's cybersecurity risk mitigation and risk management activities found that chief information officers and chief information security officers had little influence over cyberinsurance decisions. The survey, commissioned in August by Experian Data Breach Resolution, found that the individuals who were most influential in making the case for cyberinsurance were business unit leaders followed by risk managers.

"Risk managers often find themselves in the eye of the security storm with the greater acknowledgement that data breaches have serious financial consequences for organizations," said Larry Ponemon, chairman and founder of the Ponemon Institute.

Although CIOs and CISOs may lack influence over purchasing decisions, solution providers that have teams licensed to sell insurance said they often help review policies to ensure that the coverage is in the right place. Many CISOs are spearheading risk and compliance activities at their organization, said Ben Goodman, president of Enterprise Risk Associates.

"They need to help the business-line executives understand the different coverages and [their] place when an event happens," Goodman said.

High-profile data breaches, such as the recent incident at Target, are driving interest in and adoption of cyberinsurance policies. Seventy percent of those surveyed by the Ponemon Institute said their companies become much more interested in such policies after an incident occurs.

Despite the increased interest in cyberinsurance, the survey found that only 31 percent of companies in the study indicated they have a policy. Many perceived that their company's financial exposure due to security exploits would increase, forcing the need for cyberinsurance.

Company executives rarely, if ever, decide to insure against loss rather than put in security controls, said Pete Lindstrom, a risk management expert and principal analyst at Spire Security. There have been discussions over controls to meet compliance mandates where companies decide to risk being fined for not implementing a security requirement rather than undergo the expense of buying technology and having to rearchitect the network, Lindstrom said.

"Businesses know they need some due diligence and regular assessments to ensure the efficacy of the data protections already in place," Lindstrom said. "Unfortunately, there are few firms willing to go beyond the minimum requirements set out by compliance mandates."

The study found most companies satisfied with the premiums associated with their cyberinsurance policies. The policies covered human error, mistakes and negligence, followed by external attacks by cybercriminals, system or business process failures, and malicious or criminal insiders, according to the survey. Only 11 percent of those surveyed said policies covered attacks against business partners, vendors, contractors or other third parties with access to data.

In addition, the Ponemon study found that the average financial impact of the security incidents experienced by companies in the analysis was $9.4 million. Multiple incidents also added to the costs, which include consultant and legal fees, worker productivity losses, diminished revenue, legal actions, customer turnover and reputation damages. While the study found that policies often don't cover brand damage since it may be difficult to quantify, forensic accountants can often establish brand and reputation damage and revenue losses tied to breach fallout, said Mark Greisiger, president of NetDiligence, a Philadelphia-based cyber risk assessment services firm that works with cyberinsurance underwriters.

"There are many ways that the breach impact can be measured and documented for the policy underwriter," Greisiger said. "Modern policies are offering potential policyholders a much broader amount of coverage."

One area that often is not covered is intellectual property theft and exposure, an area that security experts say is increasingly being targeted by cybercriminals, Greisiger said. Underwriters are very likely to look into offering coverage of IP for future policies, he said.

PUBLISHED JAN. 21, 2014