Faced with the risk of cyberattacks, the prospect of losing data and the potential for large fines, the private sector has turned to the insurance industry to protect against losses arising from all manner of information security incidents. Research from CFC Underwriting shows a 50% growth in demand for cyberinsurance last year and the firm expects continued high demand for cyber insurance products in 2017.
The cyberinsurance industry is growing quickly as a result. Allianz estimates the total written premium for cyber insurance is currently $2.5 billion, but forecasts this could reach $20 billion by 2025. U.S. data breach regulations have fueled demand and the European Union General Data Protection Regulations are likely to further boost growth.
Cyberinsurance often provides victims of attacks with more than just payouts though. In many cases, cyber insurance companies will arrange for incident response firms to clean up after an intrusion. This is largely a positive thing for both parties: it can reduce pressure on the company to find and engage a competent provider at a time of crisis and gives the insurer some control over the cost of a cleanup, which can be significant. However, the tie-up between incident response firms and insurance companies may not be wholly positive.
Insurance companies will be keen to ensure they partner only with those companies that have capacity to respond to multiple incidents simultaneously, potentially across multiple geographies, and have the skillsets required to deal with the range of potential incidents. This of course favors the larger response providers who already have a considerable advantage over smaller firms and will make it harder still for smaller providers to compete. Particularly outside the U.S. and U.K., incident response consultancy usually comes from independent firms that offer incident response expertise alongside other cybersecurity services.
But the influence of the insurance industry doesn’t end there. Insurance companies will not only dictate which providers are used, but also how the incidents are handled. Generally, insurers want incidents to be resolved as quickly as possible to limit costs. For simple incidents, such as ransomware attacks, immediate remediation is fine, but for complex intrusions the best strategy is often to monitor the attack and tailor the response accordingly.
As I recall from my time leading incident response consultancy engagements, gathering information about the attackers, their tools and techniques, and understanding the type of information being targeted can help inform the best way to ensure the attackers are completely removed from the network. This is especially important when dealing with sophisticated cybercriminals or persistent nation state hackers who may have installed hidden backdoors or will immediately attempt to regain access to the network.
The expense associated with investigating, rather than simply responding to an incident, can be significant, but the option should be open to security decision-makers, rather than be imposed by a company seeking to limit the cost of a claim. An incorrect response could cause longer-term damage and disruption.
Organizations should know that insurers are not always obliged to pay for a response to an attack. One area that security executives must be aware of is the retroactive date of a policy. It is commonplace to detect intrusions months, and in some cases years, after the initial compromise took place, falling outside the period covered by a policy.
Cyberinsurance is still reasonably immature, but has the potential to make a positive impact on cybersecurity. The current situation of high premiums and relatively low coverage ceilings will change as more data are gathered about the scale of the problem and the threat actors involved. Over time, insurance companies will fine-tune the most effective ways to reduce cyberrisk and organizations must be incentivized through premium reductions to listen and take action.
Post Author : Rob Sloan, Cybersecurity research director, Dow Jones
This post was initially posted here & has been reproduced with permission.