Cyber-insurance is an area that is rapidly changing. Not only are insurers becoming more mature at assessing the risks and liabilities companies face when it comes to offering cover and calculating premiums, but the shifting regulatory sands mean businesses are also becoming acutely aware of the consequences of not having their cyber house in order.
A panel discussion held during AusCERT 2018 focussed on these challenges.
The recent introduction of National Data Breach (NDB) notification laws in Australia has delivered a catalyst to the insurance industry. But there's still no standardised way for insurers to handle the liabilities the NDB introduces. The panel added that the requirement to protect physical copies of data, and not just electronically stored information, is included in the new obligations.
Another catalyst for this interest in cyber-insurance is the increased focus by regulators such as the Australian Securities and Investment Commission (ASIC) and the Australian Prudential Regulation Authority (APRA). ASIC and APRA have been very clear in their public communications, telling boards that they have strong obligations to ensure their companies are cyber-resilient. This has further increased interest in cyber insurance.
The types of cover offered tend to fall into two categories.
First party insurance protects the insured party against attacks, breaches and other activities that result in damage to the insured party itself. In contrast, third party cover protects the insured from liabilities that stem from damage to other parties. The issues that could lead to a claim go beyond data breaches and the loss of PII. Insurance can also cover other incidents that lead to a loss, such as a system outage or some other technology failure.
One of the things often missed in the insurance discussion is the role of insurers after an incident. Many insurers have access to a large catalog of partners that can assist an insured party with recovery from an incident. That's of benefit to both the insurer and the insured: a faster recovery that limits the consequences of an incident results in benefits for both parties.
For service providers, it's important that the precise language in policies is understood. Not every policy provides coverage for "failure to supply". For example, if you were a cloud provider offering services to customers and your systems were compromised by a network failure, then you might not be covered for the consequences of failing to supply your customers. Furthermore, policies don't always cover personal injury as the result of a technology failure.
The panel noted that it might be possible to negotiate such items into a policy.
Similarly, if an insured party suffered an outage as the result of a utility failure, such as an energy or telecommunications supplier going down, then that may also not be covered. Such incidents are often called "systemic failures" in policies.
When it comes to fraud and financial crime, it's important to understand that even if the crime is carried out by electronic means, cyber insurance policies are unlikely to protect you. So, if a person with financial delegation is duped into sending funds to an unauthorised third party through business email compromise or some other exploit, cyber insurance is unlikely to be the best vehicle for recovering the lost funds. However, it's possible the business could be covered under a specific crime policy or some other means.
Insurance isn't often seen as an innovative industry, but the fast-moving nature of the cyber-insurance sector is resulting in some new types of cover. For example, insurers are looking at reputation cover by assessing the effect of an incident on revenues. That can be challenging, as the effect of reputational damage may not be seen for some time. For example, a company may lose a major client, as the result of an incident, many months after the actual incident.
Failure to supply and crime-related losses are also starting to find their way into policies. These aren't yet standard in policies, but the high-tech nature of these crimes is seeing those types of incidents included in policies.
The insurance industry is not without challenges. There's still a lack of information about the types of data people are seeking to protect, its value, the controls that are in place, and evidence that insured parties are taking a risk-based approach to their cyber resilience.
There's also no standardisation across the industry, which makes it challenging to buy policies. For example, there's no standard language around the NDB or around standards such as ISO 27001, PCI DSS or NIST.