This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, and In-House Counsel.
In an environment of moving targets, it seems unimaginable that insurance against cybersecurity attacks can be robust enough to provide real protection. There are many types of risks involved, and some include physical damage to property.
In 2014, the Department of Homeland Security addressed the topic of cybersecurity insurance and suggested that a robust cybersecurity insurance market could mitigate risks and even reduce the number of successful cyber-attacks by: 1) promoting the adoption of preventative measures in return for more coverage (monitoring and securing); and 2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.
In the space devoted to the topic, they also admit companies may forego insurance because of the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyber attack. But as a business owner myself, I am painfully aware that the possibility of suffering an attack is well accepted, and policies must be carefully read and updated as risks increase and change over time. In fact, we might expect to see cyber terrorism covered in addition to cybersecurity, suggesting that the political source of an attack may come to be treated as a distinguishing factor.
Risk Management Approach
By the end of 2014, the review of insurance coverage to indemnify losses from digital crime had seriously gotten underway. The National Association of Insurance Commissioners (NAIC) was already actively involved in commissions and groups, fashioning model laws, and sending notices to consumers on risk management.
In October of 2017, the NAIC adopted an Insurance Data Security Model Law, after the New York Department of Financial Services issued cybersecurity rules applicable to banks, insurance companies, and other financial institutions. As other states follow, firms face not only the changing nature of attacks, but also the different demands each state puts on the business owner to manage risk and make decisions about insurance.
By 2019, South Carolina had adopted the NAIC model data security law almost verbatim as the South Carolina Insurance Data Security Act. And as Christopher Brubaker reported in Cybersecurity Law & Strategy’s ALM sibling, The Legal Intelligencer, last October, both the New York cyber rules (New York Department of Financial Services Cybersecurity Rules and Regulations (NYCRR 500)) and the South Carolina act are based on a risk management approach to cybersecurity, pointing to owner responsibility. This approach, he said, which is also the basis for the NIST cybersecurity framework, is widely regarded as a best practice approach. What he adds, however, is that the question remains whether regulations of this type will improve cybersecurity. California has also entered the field with massive new requirements for privacy and security involving California residents and, like the EU’s General Data Protection Regulation (GDPR), for a more far-reaching audience as well. See the California Consumer Privacy Act (CCPA).
No doubt many best practices recommended by various government agencies and through the commercial resources for cybersecurity protection will be worth mastering. But can best practices, which are time-bound, save a company from losses in the future if the nature of the loss is unpredictable? As Brubaker recognized, it is generally accepted now that everyone is vulnerable, and vulnerability and penetration testing need to become routine. This is what he means by a risk management approach. When purchasing insurance, a firm must pay careful attention to risk management demands as well as exclusions.
The EU’s GDPR dramatically shifted the demand for corporate responsibility when it went into effect in May of 2018. It was still vague in the precise steps to be taken, but its effect in encouraging help from third party software manufacturers began to grow. Companies worldwide followed with techniques that became contagious, even without knowing how effective they were.
Through the private sector, the IT industry has launched a wide range of products to help organizations achieve whatever is defined as risk management, whether temporary or not. Anti-virus software, invented some time ago to address the problem of viruses, seems to be effective in both reducing those attacks and staying on top of them. Certainly, this is a generally accepted first rung of the risk management ladder.
The Cyber Insurance Market
Introducing risk management is an attempt to define responsibility for monitoring and mitigating the risks of a cyber attack. Short of addressing classes of risk by names, modes and methods alike, cybersecurity does not appear to lend itself well to being insurable. It is a moving target, and neither best practices nor risk management may ever catch up. That’s why a software solution is attractive. Otherwise, naming each type of threat and consequence leaves room for insurance companies to deny coverage if an attack or its effect is not included fully or specifically in a policy or if coverage can otherwise be argued away.
Evgeny Lebanidze of Cigital (Security Team Lead at Cigital at the time) co-authored a Guide for Developing a Cyber Security and Risk Mitigation Plan for the National Rural Electric Cooperative Association. He stated perhaps the best of best practice objectives succinctly: “This guide helps cooperatives think about security in a systematic way, consistent with the current Federal thinking. The basic concept is not ‘do this and you are secure’ but a commitment to a process of continuous improvement.”
This was an impressive observation in 2011, but this was an organization responsible for oversight and security of critical infrastructure. Private organizations might want to look at this guide. Here is the update.
In conventional coverage, risk mitigation and insurance are seen differently. Risk mitigation in automobile or home insurance, for example, is submitted to actuarial analysis from data accumulated over long periods. Risk mitigation devices are available, such as seatbelts and rear-view screens, or home security systems, with benefits established if these are used.
But in cybersecurity, the history is a series of individual events with similar, or even the same, consequences. Knowing the consequences often incites fear, however, and deliberate and well-paced steps that lead to protection are not easily built from fear, even if fear might sell insurance policies.
In early 2015, Thomas W. Brown, an attorney with Portland’s Cosgrave Vergeer Kester LLP, wrote a report on the state of the art of insurance options, Cybercrime: Insurance Coverage Issues and Options. For the moment in which it was written, it carefully summarized the landscape of what constituted variants of cyber crime and what types of coverage were available in each class. It tacitly cautions that both cyber crime and insurance coverage will change over time, and both need vigilant review of the details where the devil resides.
By 2015, policies were already being offered that were designed to cover against losses in this area. They covered the usual data and network interruption and theft or loss of data, but also programs and proprietary information. Some included mailing, phone bank and credit-monitoring costs. We’ve seen some of this additional coverage come up in the many breaches that have occurred in large public companies that affect thousands of people. Brown also mentions hybrid policies that blend coverage from different policy types.
Insurance coverage for cybersecurity attacks continues to incubate, but also hibernate to some degree on certain themes. It remains clear that every policy and every term of every policy needs to be read in the context of the potential variations of the threats or attacks themselves. At this date, recommendations for defensive postures in cybersecurity are increasingly around steadfast monitoring and then mitigating the risks, even if insurance is purchased to cover themes and classes of cyber attacks.
On March 7th this year, Alastair Paterson recommended Four Steps to Begin Better Managing Your Digital Risk in SecurityWeek. These include identifying key assets, including Code and Patent Rights, not always mentioned with respect to insurability. As CEO and Co-Founder of Digital Shadows, Paterson has the experience and expertise to inform his recommendations, notably (3) Monitoring for Exposure and (4) Mitigation Strategies. It is worth following Alastair’s techniques for monitoring and mitigating risks. The specific direction is particularly appreciated, as the mere instruction to Be Vigilant does not always lead to action and results. One problem for many organizations is that both Monitoring and Mitigation are full-time jobs; they add to the cost of operations. With or without insurance, they probably require more talent and instruction than is usual for some companies to retain in house, so many are actively in learning mode.
Raising additional questions about the maturity of the cyber insurance market in the Lawfare Blog dated March 8th of this year, Brian Corcoran provides a salient discussion of an insurance dispute between the manufacturer Mondelez and Zurich Insurance Company, as to whether the Mondelez policy from Zurich covered the company’s losses from the 2017 NotPetya ransomware attack.
The insurance company denied coverage for all the consequences of a cyber attack by arguing it was warfare attributed to Russia, as Russia was universally acknowledged as the source. Warfare, of course, was not covered. Admittedly the stakes are very high, but they are high for all large enterprises. This is a particularly interesting case because it reveals the inadequacy of insurance policies that can never be so specific as to include every current and prospective attack. Most of all, it makes these policies undependable, short of their limiting the ceiling of their coverage in exchange for greater scope.
In addition to the cost of the insurance, companies potentially must endure the high costs of litigation, not merely with their stakeholders, but with the insurance companies from whom they sought protection. This does not encourage organizations to seek salvation there. It just leaves the wisdom of buying insurance still in question.
Nina Cunningham, Ph.D., is an affiliate of Altman Weil, Inc., and president and CEO of Quidlibet Research Inc., a global strategic planning and cost management firm founded in 1983.