Beyond a few regulated industries such as health care, most companies get relatively little official guidance on security, and ideas about best practices tend to be fragmented. Government and industry groups provide some help, but most companies are more or less free to chart their own course through the hazards of the digital era. While that can have advantages, fostering flexibility and innovation, some companies would like clearer standards. That might help strengthen defenses, improve risk management, and make it easier to defend against accusations of negligence in the event of a major breach.
“There’s a lot of room there for the insurance companies to make a better assessment of the risk of issuing cyber insurance policies,” said Dave Frymier, chief information security officer at Unisys Corp. “That would go a long way toward drawing a proper line in the sand about what’s negligent and what isn’t.”
Insurance companies are amassing expertise in the area of cybersecurity. Multiline property and casualty insurer Ace Group, part of Ace Ltd., for example, has hired lawyers who constantly look at the regulatory environment, statutes and case law as well as actuaries to monitor and handle risk. American International Group Inc., Ace and others have partnered with security firms that offer technology and services to prevent or recover from attacks.
“Through the way we price insurance, we nudge people to alter the way in which they manage their risks. We reward mature infrastructure, we reward mature governance with lower rates and larger coverage,” said Peter D. Hancock, President and CEO of AIG, speaking April 2 at a cyber insurance event at New York University.
Insurance companies have learned how to measure risk when issuing life insurance policies and they’re adept at looking at a person’s driving record, age, demographics and where he or she lives before issuing a car insurance policy. “The equivalent of all that has yet to be done for cyber insurance,” said Mr. Frymier.
Some industries such as health care and financial services already have regulations about how data should be handled, but there isn’t much guidance out there for companies not in regulated industries. There’s potential for insurance companies to use something like the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, released in February 2014, to evaluate risk in corporate cyber insurance policies. The NIST framework is a set of industry standards and best practices to help organizations manage cybersecurity risks.
Mr. Frymier suggests that insurance companies could score companies based on the dozens of safeguards or countermeasures known as control objectives outlined in that framework. Based upon a company’s score, the insurer would set a premium and would determine how high the deductible would be and how much coverage a company would receive.
As the insurance industry becomes better at measuring risk over time, it will be able to broaden coverage and increase capacity, which is something companies say they need. Historically the risks that have been covered in a typical cyber policy have been narrow and the amount of capacity that’s available for any one company is still very small, Mr. Hancock said.
“The largest coverage I’m aware of is for a bank that has about $400 million in coverage which is very small when you think about it,” he said.
Other insurance experts say it’s much more common for large companies to have coverage in the $100 million to $200 million range. In a filing last month, Target Corp. noted that its 2013 data breach will cost an estimated $252 million in expenses. After its expected $90 million insurance compensation, that still leaves $162 million in expenses that are not covered.
“The amount of insurance we’ve been able to buy is far less than we would like,” said Mr. Frymier, of Unisys. “The deductibles are much higher than it seems that they ought to be and it costs more than we think it should.”
Not all companies are looking for more insurance involvement in their cybersecurity practices. One CIO of a Fortune 100 financial services firm said his company is inundated with standards for cybersecurity and already works closely with insurers.
Still, insurers see the value in standards that could be used across a wide variety of industries. Mr. Hancock said that AIG supported the design of the NIST framework. “We think it’s a terrific start,” he said. “There’s a tremendous dynamism in the way insurance can respond to risk that complements government regulation which is inherently a little slow to adapt.”
Companies can get discounts for demonstrating they have internal training policies such as teaching employees how to recognize phishing scams, said Ken Piddington, CIO of MRE Consulting Ltd., which provides managed IT services. If a company rigorously documents those efforts, insurance companies will discount policies further, said Mr. Piddington. Services from companies such as FireEye Inc. may make companies eligible for additional discounts. “Insurance companies love monitoring,” he said.
In fact, insurance providers are increasingly partnering with cybersecurity firms so they can recommend services to clients. Ace Group has partnered with a number of companies including FireEye for education, BitSight Technologies for monitoring, and Wombat Security Technologies for security awareness.
Ace Group began writing policies to cover cybersecurity in 2003. Since then, the company has handled more than 1,000 incidents. “We’ve noticed patterns of trends that would better suit our clients if we were transparent and if we showed them where incidents went awry,” said Michael Tanenbaum, senior vice president of Ace USA Professional Risk, part of Ace Group. For example, between 2007 and 2011, data breaches were largely the result of lost and stolen laptops, he said. “We’ve educated clients and they’ve adopted encryption,” he said.