The release of the NetDiligence® 2015 Cyber Claims Study, the only one of its kind, reveals the most current data on cyber security events and their true costs. NetDiligence President Mark Greisiger shares the latest findings, including the top areas of concern for both insurers and the C-Suite.
A Q&A with Nick Beecroft of Lloyd’s of London
New regulation and awareness around growing threats such as operational attacks is changing the face of the European insurance market. I talked to Nick Beecroft, emerging risks and research manager at Lloyd’s of London, about his work assessing cyber vulnerabilities and helping develop products to address them.
A Q&A with Gregory Rosenberg of Trustwave
Payment Card Industry Data Security Standards are now in their third version. I talked to Gregory Rosenberg, Sales Engineer at Trustwave, about what organizations need to know about the most recent changes to the standards, particularly as they relate to third party service providers.
A Q&A with Patrick Florer of Risk Centric Security
While it’s easy to get caught up in the splashiest current news story about a particular breach, analyzing a broader swath of cyber security data can give us a more vivid and sometimes more precise picture of the real risks facing organizations today. I spoke with Patrick Florer of Risk Centric Security about what precisely constitutes a data breach and what the statistics show us.
A Q&A with Ozzie Fonseca of Experian® Data Breach Resolution
Organizations are increasingly addressing cyber risk, and Ponemon Institute’s new study titled “Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age” explores the current attitudes business leaders have toward managing security threats and the steps they are taking to minimize them. I spoke with Ozzie Fonseca, senior director, Experian Data Breach Resolution, about what the survey uncovered.
What were some of the most surprising findings of the Ponemon survey?
To me, the most surprising finding was the fact that most companies are now viewing cyber risk as an equal or greater threat than natural disasters, business interruption and fires. For the longest time, cyber insurance was around but it was not accepted as a need. Recently, over the last couple of years, that has really changed. While the study itself doesn’t go into the reasons why, I think we can assume this is happening because companies are:
- Witnessing the very pervasive nature of data breaches—they are happening all of the time.
- Realizing the significant financial burden that these incidents pose on an organization.
- Understanding that they have to be ready and arm themselves with all of the tools out there and cyber insurance policies are an important tool.
What do companies most need to know about cyber risk insurance policies? What is the current perception out there?
I think it’s important for an organization to make sure that they thoroughly read and understand what’s covered and what’s not and how their policy works. In our study we found that 70 percent of companies that have been affected by data breaches are now looking to get a policy. For these organizations, the costs are no longer hypotheticals—there are real numbers at play. And 62 percent of companies we spoke to feel that cyber insurance premiums are quite reasonable. A few are still skeptical as to whether these policies are useful or not but of the people surveyed 70 percent either have or are actively looking for insurance while only 30 percent have no interest in purchasing a policy at this time. Several years ago it was the other way around, so that’s a big difference.
The study shows that 62 percent of companies felt their security “posture” improved when they purchased insurance. What are the reasons for this?
In a nutshell, insured companies are more confident and prepared to deal with the threat of cyber breaches. When you have a policy the insurer will ask you tough questions you’ve never asked yourself and in answering them you will learn much more about the risks out there and how to mitigate them. Moreover, often the insurer will ask the client to undergo a NetDiligence® cyber risk assessment to reaffirm reasonable safeguard practices and suggest improvements for any weak spots. You will also grasp the policies and services that need to be in place, such as notification support and credit monitoring.
What are the ramifications of this study, for companies and for insurers?
For everyone, the main takeaway is that having a policy will better prepare you to deal with a data breach. At the same time, cyber risk insurance is getting to the point of mass adoption so insurers can spend less time educating the market about cyber insurance—they can concentrate on fielding requests because they will continue to see growth in this area in the future.
This research reinforces a positive trend, that risk managers are becoming more knowledgeable about their cyber risk (including their significant legal liabilities should they suffer a breach caused by anemic security practices), and the many cyber liability insurance solutions available to help them cede this risk exposure. Our own NetDiligence 2013 Cyber Liability & Data Breach Insurance Claims study (click here to download or see the eRisk Hub) shows that even a modest data breach in a small organization can still result in sizeable dollar amounts being paid out to remediate and respond to the event. As such, cyber breach insurance coverage is no longer a luxury.
A Q&A with Rick Betterley of Betterley Risk Consultants, Inc.
Like any segment of the insurance industry, cyber risk management services evolve over time. To get a handle on some of the latest trends, I spoke with Rick Betterley, President of Betterley Risk Consultants (an independent risk management consulting firm), and publisher of The Betterley Report at www.betterley.com. Rick can be reached at email@example.com or 978.422.3366.
What do you see as the major trends in cyber risk management services?
We’re seeing a sharpening of industry focus from the service companies and insurance companies, as well as a more focused range of products for specific industries. The advanced vendors are realizing that one service doesn’t fit all and they have to adapt to particular needs, which is a sure sign of a maturing marketplace. Healthcare is a good example. We see more risk management services that cater to HIPAA, including compliance e-tools.
Another trend is more restriction in regard to vendors. Insurance companies are less willing to allow the insured party to use the vendor of their choice, and that’s a double-edged sword: Controlling the list of approved vendors helps the insurance company better manage their vendors and perhaps pass along better prices to customers but the risk is that the insured will be less satisfied with their policy, as they might not realize they’re restricted in their choice until it’s too late.
The final trend we see is more internal management of vendors by insurers. Insurance companies have an interest in these services as it’s a big part of a claims expense, so they are are investing more time and personnel into looking into them and making sure they’re cost effective, especially for individual claims.
What are the top five reasons middle-market organizations don’t buy cyber insurance?
- Brokers generally aren’t good at communicating the value between different insurance policies and the forms are hard to compare so it leaves the insured less confident to buy the product.
- In many cases, the insured believes cyber insurance is already part of their policy, when in fact it’s not.
- The organization is still resistant to the cost involved and believes it’s too expensive. They might read the headlines about data breaches but still have an “it won’t happen to us” denial.
- The organization might be resistant to the idea of notification costs as a sublimited coverage. They might find it off-putting that they are told that they have to get a higher amount of liability coverage to obtain the breach notice limits that are really driving the purchase.
- This one is hardly a blinding flash of insight, but the company just might not be paying attention. They might be short-staffed or they think it’s taken care of or they put off buying insurance until next year.
How are cyber insurers responding to fierce competition in the marketplace?
There are close to 30 carriers on the market now. One of the competitive responses we’re seeing is removing sub-limits that otherwise existed on breach notification, so if you’re buying a $10 million liability policy the insurer might let you have it with the full limit for breach notification avis viagra france. This practice was unheard of until last year. We’re also seeing lower deductibles. I already mentioned the limits on vendors, which help the insurance companies keep down costs. Finally, I would say we are seeing a tremendous investment in marketing to help brokers better communicate the value of their product.
NetDiligence can agree with many of the observations that Mr. Betterley is seeing in the trenches. We are also seeing some leading brokers and insurers that specialize in cyber liability coverage making a push to educate clients with traditional lines of insurance about the many nuances of cyber coverage and the must-have supporting services. This is done through weekly webinars and conferences. Even with all that, I am amazed while speaking at various conferences at how many small and medium-sized companies are just beginning to realize they have a cyber/privacy exposure, and want to learn the very basics. For this reason we are seeing more markets leverage our eRisk Hub® portal to help them get the message out about the liability exposures, coverage for same, and general ‘state of cyber liability union.’