In October 2015, the Insurance Information Institute (III) released a white paper entitled “Cyber Risk: Threat and Opportunity,” which stated that the number and impact of successful data breaches continue to rise. This is driving increased adoption of cyber insurance in an attempt to reduce risk. $2 billion was spent on cyber insurance in 2014 – a figure expected to triple by 2020. Premiums will also increase due to the emergence of new threats and technology.
While healthcare, finance and manufacturing industries are among the main adopters, other industries are now following suit, driven by the knowledge that company size or industry will not deter hackers.
How can companies protect themselves using cyber insurance policies? How are premiums calculated? How is risk determined?
Insuring property is much easier as tangible, physical assets are involved. This is not the case with cyber insurance, as it encompasses a company’s entire digital and technological footprint, which includes stored data.
Physical assets such as storage devices, hard drives, etc., are involved, but it is the data that has value. Companies rely on data, and cyber insurance attempts to mitigate the potential damages when that data is lost, stolen or destroyed.
As with all insurance policies, premiums are based on the levels of perceived risk. In most cases, risks are easily quantified since they are based on historical statistics, demographics and other criteria familiar to insurance underwriters. These experts analyze all available information and set an insurance premium, payment and limits.
Cyber Security Experts
Underwriting experts have little knowledge of the complexities of IT infrastructures, security standards, and risk potential. Cyber insurance is a relatively new area and, as adoption increases, this creates opportunities in the insurance industry for skilled IT security professionals. These individuals are necessary to assess a company’s security posture based on tangible experience and qualifications and provide a score or rating based on the results.
In the same way that a skilled assessor can determine the cause of an auto accident or fire, the duties of assessors in cyber insurance can include but are not limited to:
- A complete audit of hardware and software to identify any items that require updating.
- Confirmation of compliance with necessary standards. (Financial and healthcare companies have specific standards such as PCI-DSS and HIPAA.)
- Independent testing of security awareness among employees.
- The identification of potential weaknesses in any aspect of security, from external threats to on-premises security systems and document disposal. This is commonly known as penetration testing or ethical hacking.
Since insurance is based on risk, if a company pays little attention to security, insurance companies will either levy high premiums or refuse to offer a cyber insurance option. The latter is more likely as every company must demonstrate an awareness of security issues according to defined recommendations, whether the NIST Security Framework or another. Similarly, companies that have experienced several data breaches or belong to a high-risk industry will command higher insurance premiums.
It is worth noting that cyber insurance is not and will never be a quick fix for a lax attitude to IT security. It is every company’s responsibility to protect its digital assets, and cyber insurance is a worthy investment to protect against a targeted attack, unexpected service interruption, or natural disaster. There is no such thing as 100 percent secure, and cyber insurance is not a replacement for robust backup and disaster recovery plans.
The combination of underwriting and technical knowledge necessary to calculate cyber insurance premiums is a challenge for insurance companies, given the disparity of professions. However, there is no denying that those with relevant IT expertise can find a home in the insurance market, and those with added underwriting knowledge are in an even better position as cyber insurance adoption increases.