When deciding whether to invest in cyber insurance, one of the most important first steps that any organization should take is to look inward, drawing upon (or developing if it does not already exist) a foundational understanding of the organization itself – its goals, its challenges, its assets and its risk appetite. Only after doing this groundwork, and building upon it to establish an effective cybersecurity governance program, can an organization approach the question of cyber insurance armed with the information it needs to make responsible and effective choices. These were some of the guiding principles and observations highlighted at a recent event co-hosted by the Kogod Cybersecurity Governance Center (KCGC), AIG and Axio. (Note: AIG is a KCGC Advisory Committee member and sponsor). This installment of KCGC | In Practice reviews some of the key insights drawn from these discussions about how to best leverage the interrelated benefits of cybersecurity governance and insurance.
PLEASE INSERT BLACK LINE HERE, AS SHOWN IN OTHER, PUBLISHED IN PRACTICE ARTICLEDiscussions about cybersecurity include a lot of buzz these days regarding insurance and its potential to help individual organizations, and even more broadly to influence the market, in managing cybersecurity risk. But many organizations are still grappling with fundamental questions about cyber insurance: How do we determine whether we need it? Who should be responsible for the decision to purchase coverage? How much and what kind of insurance do we need? This installment of KCGC | In Practice highlights recommendations for addressing these questions, building on discussions at the recent “Solving Cyber Risk” workshop co-hosted by the Kogod Cybersecurity Governance Center (KCGC), AIG and Axio. Read on to learn more.
Cybersecurity Risk – Should We Care?
To determine whether an organization needs cyber insurance, it must first address the basic question of whether cybersecurity is a relevant risk in the first place. Participants at the recent “Solving Cyber Risk” workshop reported that many companies (still) do not believe cyber incidents can impact their bottom line. If this were true, it could be a valid reason to dismiss the need for cyber insurance fairly quickly. But, this belief is often grounded in a mistaken impression that cyber incidents are primarily related to the theft or misuse of sensitive data such as credit card data or other personal information, including personal health information.
Getting Beyond Data...
PLEASE MAKE THIS SECTION, AND THE OTHERS SHOWN AS BULLETED LISTS BELOW, INDENTED (BUT NO BULLETS), AS SHOWN IN OTHER, PUBLISHED IN PRACTICE ARTICLEToday’s threat landscape is much broader than threats related to personal information, bringing with it the specter of partial or complete business interruption, bodily injury, extortion and impersonation – none of which require the victim to store or process significant amounts of personal data as part of its core business activities. Given the diverse range of vulnerabilities and threats, stemming from both insider and external activities of malicious or benign origin, that could lead to a cyber incident, it is highly unlikely that any organization meaningfully engaged in today’s economy is immune to or exempt from cyber incidents. And while the biggest breaches may make the headlines, smaller, less sensational incidents can still have a significant impact. For one, even relatively small incidents require a timely, accurate and rigorous response that many organizations are not internally-resourced to provide.
In addition to risks from threat actors, regulation is another important consideration. Even in light of the new administration in Washington, regulators like the Securities and Exchange Commission (SEC) are likely to continue their enforcement activities when it comes to cybersecurity. Recent actions by the SEC, the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) indicate that regulators’ focus is not limited to companies that have had a high-profile breach – companies that fail to promptly disclose significant cybersecurity incidents or simply do not properly protect their data or assets may face investigation and enforcement.
Even entities that are not themselves directly subject to regulation may receive funding from regulated portfolio and other investment companies, or may be subject to requirements through their third-party contracts. In short, not only are the exposures and threats changing constantly, but the grounds for enforcement actions are also likely to evolve and expand. All of these trends will continue to make it more and more difficult to rule out the risk of regulatory fines or other costs and requirements, including the sheer reputational damage associated with regulatory investigations, enforcement actions and fines.
...And Getting the Right Input
For organizations that believe cybersecurity risk may not apply to them – either at all or in a materially significant way – conference participants recommended engaging the entity’s Risk Council, or a similar body within the organization, that has enterprise-wide representation. Cybersecurity is an enterprise-wide concern, even if the enterprise does not yet fully realize this fact. Engaging a broad range of departments within the organization in the conversation about cybersecurity risk will ensure that the full scope of potential risks are properly considered by those who are in the best position to understand whether they actually apply. This process will provide the organization with an accurate picture of its cybersecurity risk exposure.
For example, although the organization’s core operations may not involve sensitive personal data, the human resources department may not be sufficiently aware of the cybersecurity risks and requirements that apply to their processing of employee data. A responsible governance program will involve policies, processes and organizational bodies that ensure cybersecurity is not isolated in the information technology department (who may be reticent to concede that insurance is warranted).
To Insure or Not to Insure?
Many organizations who recognize the relevance and significance of cybersecurity risk still struggle with the fundamental question of whether purchasing cyber insurance is a prudent risk management choice for them. While external factors like trending cyber threats and attacks, benchmarking or even the price of insurance policies and packages are relevant, workshop participants did not recommend starting with an outside-in approach. Instead, organizations should focus first on understanding their own capabilities, needs and goals.
Residual Risk is the Question
Many organizations, including large companies with seemingly solid risk management programs, rely almost entirely on peer benchmarking to decide whether to buy cyber insurance and, if so, how much or what kind of coverage to buy. Many even look to their peers to determine when to scale back coverage. In contrast, workshop participants agreed that this approach is not an effective and accurate gauge for the company’s own residual risk, which should be the driving factor in assessing the need for cyber insurance.
Cyber insurance, like other forms of insurance, is a method of risk transfer. For insurance to be a cost-effective investment, in most cases a policyholder will want to limit the amount of risk that it transfers to the insurer to the residual risk that remains after the company has effectively leveraged other measures to reduce its overall risk. In fact, in today’s market, companies that have not sufficiently reduced their residual risk by investing in risk reduction measures, including technological solutions and responsible governance, are not likely even to qualify for insurance coverage. Accordingly, understanding and minimizing residual risk should be a key consideration for purchasing and properly customizing insurance coverage.
The Role of Governance
To both understand and minimize residual risk, an organization must evaluate its overall risk exposure and the effectiveness of its risk mitigation efforts to reduce that overall risk. Cybersecurity governance is essential to this process.
Responsible cybersecurity governance includes the adoption of a well-defined cybersecurity risk management strategy, such as the Cybersecurity Framework (CSF) developed by the National Institute of Standards and Technology (NIST). Such a strategy will enable (and require) the organization to identify and understand its own unique operations, assets and goals and assess how well it can detect, protect against, respond to and recover from incidents. These are critical components of establishing overall risk and determining residual risk.
Good governance also requires the clear identification of roles and responsibilities with respect to execution of a cybersecurity risk management strategy, as well as the development (and enforcement) of sound policies and processes to implement the strategy.
Investing in these foundational governance measures can have two powerful effects related to residual risk. First, by significantly improving execution of the organization’s cybersecurity risk management strategy, effective governance can actually lower residual risk. Second, by providing clear processes, roles and responsibilities, governance can improve senior leaders’ ability to effectively and easily access the information it needs to assess residual risk. Both of these benefits will help an organization to make a much more expedient and informed decision about whether to shop for cyber insurance, and a cost-effective decision when it actually comes time to buy.
After evaluating the organization’s residual risk, a company should also consider how much of that risk it has already transferred via existing insurance policies. Workshop participants noted that companies often hope to rely on ambiguities in insurance policies that do not directly address cyber risk exposure. Relying on these ambiguities is a somewhat risky choice because there is no guarantee of coverage. Of course, the level of risk involved in that choice is largely determined by the level of residual risk the organization is seeking to transfer.
Only after going through the process of identifying the loss scenarios and risks that apply to the organization itself (and not its peers) and then assessing whether the organization has the financial resources to continue operating in the event of such losses will an organization have enough information to determine its need for cyber insurance.
In addition to the fundamental issue of whether insurance is an appropriate and cost-effective investment, organizations also struggle with the critical question of who should be responsible for making the decision about cyber insurance. On this issue, panelists and other participants agreed that many organizations might need to reevaluate their existing approach if they want to make the wisest choices.
In current practice, an organization’s size and maturity can play a big role in determining who makes the decision about cyber insurance.
Conference participants noted that smaller, leanly-staffed companies might not have full-time legal, insurance or risk management personnel, relying instead on a Chief Executive Officer (CEO), Chief Financial Officer (CFO) and a core operational team. For these kinds of organizations – and private equity portfolio companies in particular – the decision regarding insurance often falls to the CFO as part of her purse string-responsibilities.
Larger entities will typically have a risk manager or an actual insurance officer who may be responsible for either making the decision themselves, or for reporting up to the CFO or General Counsel, who then decides. Some organizations may delegate this responsibility directly to their information security team or the legal office.
A limited number of organizations have a dedicated Risk Management Council, or similarly named entity, who may raise the issue of insurance and recommend that the organization purchase it. On one hand, ensuring that an entity with broad visibility be responsible for this issue is ideal, as (again) cybersecurity is truly an enterprise-wide concern. On the other hand, before applying for insurance, a Risk Council should be sure to engage with the information technology (IT) team – including the Chief Information Officer (CIO), Chief Information Security Officer (CISO) or similar position – to find out if the company can even qualify for insurance based on its existing practices. Though it may not be necessary, a third-party assessment can also help to validate internal evaluations of the company’s insurability.
Taking this step of involving the IT team or obtaining a third-party assessment is critical to avoiding, or at least mitigating, the risk that the company’s application for insurance might be declined. Especially for publicly held companies, trying and failing to obtain cyber insurance will present additional liabilities beyond the immediate security risks of inadequate cybersecurity practices.
On balance, any of the above options, as well as others, could work in terms of who should own responsibility for cyber insurance decisions. There are few clear right or wrong answers regarding delegation of this responsibility. However, there are some universal guiding principles.
First, whomever makes the decision regarding cyber insurance should receive input from a group of stakeholders representing different functions and interests of the organization. Obtaining diverse perspectives will help in accounting for all relevant facts and risks as well as variations in risk tolerance across the organization. Workshop attendees observed that senior management and members of the Board are rarely all in agreement regarding the level of residual risk that the organization should absorb or transfer via insurance and it is important to consider this range of perspectives.
Second, and as noted above, the organization’s cybersecurity program lead – likely its CISO or equivalent – must weigh in and continue to participate throughout the process of purchasing insurance. Both the initial decision to buy cyber insurance as well as the particular kind of insurance purchased and any modifications to the policy will likely affect (and, in turn, be affected by) how that person directs the organization to respond to cybersecurity incidents when they arise. For example, the manner in which an organization handles particular incidents (e.g., timing, mitigation efforts, which personnel are involved) can affect whether an insurance policy is even triggered in the first place or whether the incident may fall within a specific policy exclusion.
In order to be effective and responsive to the organization’s specific needs, cyber insurance coverage should complement and address the unique characteristics of the company’s cybersecurity program, including how the program mobilizes in response to incidents. To achieve this fit, the cybersecurity program owner must be involved.
In short, much like the overarching issue of cybersecurity itself, decisions about cyber insurance require clearly-defined roles and responsibilities but also sufficiently broad and diverse input to encompass the true breadth of relevant risks.
In the Market
An organization’s decision to invest in cyber insurance ideally should be driven by a full evaluation of whether its risk mitigation practices – including, primarily, responsible governance and appropriate technology – result in a residual risk that exceeds the organization’s risk appetite. If it does, then investing in insurance as a method of transferring and reducing some of that residual risk makes good sense. Once the company has determined that insurance is appropriate and begins evaluating policies, it should keep in mind a number of important considerations.
Understand the Details
Overwhelmingly, speakers, panelists and attendees agreed that understanding the details of the policy and how well it responds to an organization’s specific needs are the most important guidelines to follow when selecting, and then customizing or updating, an insurance policy for cyber risk. The team or individual responsible for purchasing insurance must understand what the policy covers and, perhaps most importantly, what it does not cover.
Coverage limitations may include explicit holdbacks and exclusions, or more subtle thresholds or other triggers that restrict coverage. Even if the policy does not exclude a particular event, it may require that an incident rise to a certain threshold in terms of volume, severity or another metric before the policy will apply. Purchasers should consider these guiding questions: Will the policy cover the particular loss scenarios that are most relevant to our organization? And, in those loss scenarios, exactly what needs to happen (or not happen) in order to trigger coverage?
This need for detailed clarity is particularly relevant to organizations seeking to rely on policies that do not explicitly address cyber exposure. As noted above, organizations hoping to rely on ambiguities in their traditional insurance policies have little guarantee that they will actually receive coverage and should seek well-documented clarity from the insurer before relying on these provisions.
To achieve this clarity, seminar participants urged companies to engage with their broker and the carrier’s team, recommending an actual conversation or even a series of conversations to review, discuss and clarify the entire policy. Not only would these interactions help to clarify the real breadth and limits of coverage, but they are also an opportunity to begin an ongoing partnership with the carrier, which will come in handy during the claims process or periodic review of the policy.
Without a thorough and informed understanding of both the company’s needs and the policy’s coverage, any purchase of insurance will be, at best, overly-broad and not cost-effective and, at worst, potentially devastating in the event a major incident is not covered.
A Note on Price and Benchmarking
Conference participants noted that many companies focus almost exclusively on price and peer benchmarking as the primary decision points for purchasing cyber insurance. While this may seem like an efficient strategy, experts caution that using these largely external data points will likely result in coverage that does not address the organization’s actual risk.
There may be some minimal reputational benefit to the mere fact of having insurance, regardless of how poorly it addresses the organization’s actual risk. But, generally, insurance that does not adequately address actual risks will not be cost-effective – either because the organization is paying for unnecessary coverage or because it is paying a monthly premium (however low) for coverage that it cannot actually use.
Overall, the decision about whether to invest in cyber insurance and, if so, how much and what kind, is primarily organization-specific. And while that means that following the pack is not as viable a shortcut as it may seem, practitioners should take some comfort in the fact that most of the information they need is largely within their domain, and perhaps not nearly as volatile as they may think. In fact, the internal process of assessing residual cybersecurity risk is likely to improve a company’s cybersecurity program.