Why Cyber Insurance Cannot Replace a Mature Security Posture
by Nat, on 11/04/2019 4:30:00 PM
Although cybersecurity insurance can appear attractive, it is important that businesses understand it cannot feasibly serve as a replacement for threat mitigation. The majority of cyber threats are avoided by reaching a baseline standard of security maturity. The investment required to achieve this baseline is generally less than a few years of premiums and the deductible for just one incident.
Risk of cyber-attack is notoriously difficult to estimate. With insurance companies designed to profit, this uncertainty is transferred to customers in the form of increased costs. There are several aspects to cyber threats that make them inherently more challenging to predict when compared to more established insurance products. Unlike car insurance, where accidents occur sporadically to individuals and at a predictable rate, cyber incidents can have widespread impact (e.g. WannaCry). Unlike earthquake or flood insurance, where insurers can diversify simply by selling to multiple geographic regions, the impacts of a widespread cyber-attack are not predictably contained. Additionally, natural disasters occur at a steady rate that can be accurately estimated using historical data. The little data available to cyberinsurance is flawed and incomplete; breaches are often unreported and new attack vectors are introduced, unrelated to previous breach data.
A major predictor of cyber-attack risk is an organisation's security maturity. Measuring this effectively would require the insurance industry to perform costly audits and/or enforce common guidelines for a standard of security maturity. As the cybersecurity insurance industry is still quite immature, these mechanisms have yet to evolve. This means a resilient organisation could be provided a similar policy to a vulnerable one, with much higher premiums than should be necessary. Without a minimum baseline, each organisation is effectively sharing risk with highly vulnerable entities.
When considering cyber insurance, it is important that organisations be aware of potential secondary costs. Claim payments are not always certain. Policies will contain liability exclusions and other scope limitations that can invalidate claims or require contesting in court. A notable example is Mondelez' current case against Zurich, its insurer, who refused to pay the $100 million claim for damages caused by NotPetya malware. Zurich is arguing that the liability exclusion for "a hostile or warlike action" (by a sovereign power) applies. Organisations should note additional costs after a successful claim, associated with remediation and hardening. As most policies contain a "pre-existing condition" clause, coverage will not apply to claims caused by vulnerabilities identified in a previous claim. Similarly, a successful cyber-attack is correlated with increased risk subsequent attacks, so organisations can expect premiums to rise following a successful claim.
The Equivalent of Speeding or Drink Driving
A common argument for cyber insurance is that it is similar to car insurance: "You cannot protect against someone else deciding to drive into you and, similarly, you cannot know when a sophisticated hacker decides to strike." However, the vast majority of breaches are the result of a poor security practices. This is the equivalent to an unsafe car, speeding or driving under the influence - insurers are unlikely to cover damages. Most current breaches can be protected against by a sufficient security baseline. WannaCry and NotPetya used known exploits for which security fixes had already been released. They only had such widespread impact due to poor patching practices. Cyber insurance is more appropriate for catastrophic impacts caused by a sophisticated, targeted attack. As it is highly unlikely that most businesses would be targeted by an Advanced Persistent Threat (APT), premiums for a mature organisation should be appropriately low.