Insurers working to fill cyberinsurance data gaps

Insurers are starting to expand their services to better educate their customers about cyber risk, help them defend against attacks before they happen, and deal with the fallout when a breach does occur

Insurance companies typically have decades of data, if not more, on which to base their risk estimates.

That's not the case with cyber risk, however. There's very little historical data available, the data that does exist is incomplete, and the threat landscape changes not just year by year but day by day. There isn't even a standard set of definitions that everyone can agree on.

That's starting to change, as insurers expand their services so that they can better educate their customers about cyber risk, help them defend against attacks before they happen, and deal with the fallout when a breach does occur.

I say potahto

One of the first problems when it comes to buying cyberinsurance is that nobody knows exactly what it means. Corporate financial officers, security managers, and insurance brokers have different understandings of risk, for example.

According to a recent cyberinsurance survey by the SANS Institute, only 30 percent of underwriters and 38 percent of information security professionals believe that they speak the same language.

Even within the insurance industry itself, the language varies greatly from policy to policy, said David Bradford, co-founder and chief strategy officer at Advisen, which provides insurance data and analytics, and helped sponsor the SANS study.

For example, one policy might refer to a "privacy breach," another to a "data breach," and a third to "network security wrongful acts."

"Is a privacy breach the same thing as a privacy wrongful act?" he asked. "Is a data breach the same as a network security wrongful act?"

"And a lot of the language hasn't been tested in court yet," he added.

The problem is especially acute for small and midsized businesses and their insurance agents, said Dan Weedin, president at Toro Consulting.

"The insurance buyer has no idea about what they've got and what their risk is, and the insurance agent is also very limited in their knowledge," he said. "It's like the blind leading the blind."

The fact that the threat landscape is constantly changing makes it even more difficult to keep up, said Steve Malone, director of product management at security vendor Mimecast.

In a recent survey the company conducted, only 10 percent of IT experts said they believed that their cyber coverage was completely up to date, and, of those who had cyber insurance, only 43 percent were confident that it covered business email compromise fraud. There was a similar lack of confidence about new social engineering attacks.

"Almost half -- 45 percent -- of firms are clueless as to whether their cyberinsurance policy is up to date for covering these types of threats," Malone said.

Measuring risk

When it comes to buying insurance, it's all about the risk. Does the customer smoke? Are they a safe driver? Are there smoke alarms in their house?

With cyberinsurance, however, neither the insurance companies nor the enterprises buying coverage have a good way of quantifying risk.

As a result, prices can vary greatly, said Advisen's Bradford. For example, similar coverage from competing insurers can range from $10,000 to $50,000, he said.

"The models just don't exist like they do in the automobile or life insurance industry," said Casey Corcoran, vice president at FourV Systems. "The empirical data just doesn't exist yet for insurance companies to have a robust answer for what is the liability, what is the amount I need to insure for. And we're in a time now where IT information is increasing at an exponential rate. How do you adapt a model to something that's changing exponentially, especially in an industry that's used to writing policies for a year at a time, or longer?"

FourV is one of many vendors attempting to help insurance companies and their customers measure cyber risks -- not just once, when the policy is first written, but on an ongoing basis.

It's like the way that Progressive offers a discount of up to 30 percent to drivers who install the company's "Snapshot" gadget in their cars, Corcoran said.

Some insurers, for example, are looking to move beyond just selling policies to offer complete risk-related services, he said. They'll help companies evaluate their risks before they sell the policies, and then help them deal with breaches that may occur.

Helping companies with their cybersecurity doesn't just help insurers better measure customers' risk, but it also provides a better understanding of risk to the enterprises they service, he said. "If I'm talking to the CISO, they're used to answering the question 'Are we secure?' with 'It's a tough job, but I got it.' When pressed, the information security organization will generally answer with technical jargon."

For example, CISOs will talk about the systems and processes that they have in place. Those are activities, not risk measures, said Corcoran.

"If I'm the CFO, I have no confidence in that answer," he said. "What the insurance company is offering to do is interpret between the technical organization and the risk organization."

Insurance firms have to learn to live with this, said Tim Francis, enterprise cyber lead at Hartford, Conn.-based Travelers.

"You may not necessarily have the foresight to predict every iteration," he said. "But you can build the framework and the structure and have the resources at our disposal to try to deal with those threats when they develop. One of the things that we've done at Travelers is that we've gone out of our way to hire resources that come with non-traditional insurance backgrounds."

For example, Travelers has hired technical experts, former FBI forensic investigators, and former cyber crime prosecutors, he said.

This allows Travelers to better understand their customers' security infrastructure and risks, and learn which types of vulnerabilities are most likely to lead to breaches.

"Companies that demonstrate stellar cybersecurity and data security will likely receive better pricing than companies with a bad history," he added.

"The larger trend that we've seen, and that Travelers has been on the forefront of, is providing our clients with risk management advice and best practices," he added.

Another such company is AIG with its CyberEdge service, which helps companies train employees on cybersecurity, assess their security infrastructure, close security gaps, monitor the dark net for emerging threats, and continually scan both their own and partner networks for vulnerabilities. Then, if a breach does occur, AIG will help a company recover with access to legal firms, forensics investigators, and public relations experts. To do all this, AIG partners with Risk Analytics, K2 Intelligence, IBM, BitSight, RSA, and Axio Global.

That allows insurance companies like AIG to move away from pricing policies based on paid insurance claims.

"From a cyber perspective, that vantage point is really really narrow," said Scott Kannry, CEO at New York-based Axio, a data sciences firm focusing on cyber risk.

"We believe that cyber risk can be solved," he added. "The information is there. It's just not being captured."

AIG isn't alone in forging relationships with cyber security firms.

Symantec, for example, recently partnered with Guy Carpenter & Company, the reinsurance arm of Marsh and McLennan.

"Symantec provides Guy Carpenter with technical knowledge and proprietary data to create a cyber-aggregation model that helps reinsurers gain a better understanding of their correlated cyber risks," said Pascal Millaire, vice president of cyber insurance at Symantec.

In July, New York-based Integro Insurance Brokers announced that it will provide coverage for the loss of intellectual property and trade secrets, which are typically not covered by cyberinsurance. The company is able to evaluate this risk through its own risk assessment program.

That includes access to third-party readiness and preventative services, according to James Sheehan, the firm's cyber risk practice leader.

According to Advisen's Bradford, if a company's intellectual property is stolen, the damage can be catastrophic -- but also difficult to quantify, and very difficult to insure.

Business email compromise -- also known as CEO fraud -- can cost a company millions, and is also frequently not covered.

Here, however, some businesses now have a simple answer.

In June, Los Angeles-based Grandpoint Bank announced that it will insure business bank accounts against funds transfer fraud and cyber deception, starting at $30 per month.

"It's a group policy that you just have to enroll for," said Petra Griffith, the bank's director of product development. "You don't have to go through an underwriting process. You just pay a monthly fee -- similar to buying cellphone insurance through the cellphone carrier. The cost is much less than if you went and got a separate insurance policy."

Stories by Maria Korolov