Online security insurance has become more popular with enterprises, but does it have a place in a business security program? The manager of BusinessInsuranceQuotes, Frank Kasimov, explores a growing market.

To make it simple, every online security program comprises two sides: protection and response. For an online security policy to be successful, it needs to have both. However, enterprises need to understand that there are five conditions on both sides that they need to deal with:

  1. There are things they have completely operationalized and under control.
  2. There are things that are manageable, but it stresses their resources to do so.
  3. There are things that require hard work to manage even barely.
  4. There are things they have absolute no knowledge how to manage; by investing in technology, processes or staff will not make a substantial difference.
  5. Humans are behind the design and management of their programming, and humans tend to err.

So the real question is, how can businesses manage these unavoidable conditions, particularly acknowledging that not all attacks can be detected in time, and not every incident can be successfully diminished without suffering some adverse effect?

For some companies, an online insurance policy may offer the answer to these questions.

Cyber risk practice leader for Lockton Companies, Ben Beeson, set the stage by saying that CISOs benefit from their online security programs and especially the insurance part, which is a form of cover for them.

But, is online security insurance necessary for every business, or only a select view can see it as a feasible option? Το answer this we should look at how online security insurance integrates with a company security program –but only after having explained the basics of online security. Online security insurance was the main focus of several discussions and presentations at the 2016 RSA Conference in San Francisco. In the first part of this series, a team of technology and financial experts discuss the topic and the ways it can be integrated into a modern business security program.

The online security insurance market

Almost 100 insurance companies offer online security insurance in one way or another while 80 to 90 percent of the total market turnover is concentrated in ten companies.

Opinions vary among experts, but the notion of online security insurance, or online insurance, as some of them postulate, has been with us for the past 12 to 16 years. As Blake Huebner, security training VP at Optiv Security said that “cyber insurance has been around since the nineties,” during a panel discussion at the RSA Conference.

Regardless of when the concept was introduced, its adoption by the online insurance market, in line with the adoption of the assorted technology, was led by regulations around data and privacy breaches, and, ultimately, by actual security breaches that had to be dealt with.

“The recent breaches at Home Depot and Target, have put this market into the spotlight,” Huebner said. “The highest adoption rates are observed in the healthcare sector, with education, utilities, gaming, retail and financial services following.  It’s not exactly Gold Rush, but the market is maturing rapidly”.

After its initial enthusiastic launch in the past years, the online insurance niche has now several brokers and providers offering their services, generating substantial revenues. Having taken off like a rocket ship in the last several years, there are now many providers and brokers operating in the cyber insurance space — and the market is making some serious cash. As Jacob Ingerslev, head of technology E&O for Cyber & Media Liability at CNA Insurance , a financial services firm, said during an RSA Conference presentation, close to 100 insurance companies currently offer online security insurance in one way or another, while 80 to 90 percent of the total market turnover is concentrated to ten of them.

Beeson said that last year, the online insurance market produced between $2.5 billion and $3 billion in profits, during a panel discussion at the 2016 Advisen Cyber Risk Insights Conference in San Francisco. “PricewaterhouseCoopers already categorize it as a profitable market, and it is expected to grow nearly four times in the following four years — with estimated revenues between $7 billion and $8 billion by 2020. Insurers remain profitable even when they issue $100-million policies.”

Although the insurance industry is apparently generating profits, these are coming from a limited number of corporations. “Only 2% of companies in the country have online insurance,” stated Julian Waits, president & CEO at PivotPoint Risk Analytics. “The most challenging step is to quantify the risk– it’s not straightforward and there is immature actuarial information, therefore, insurance companies are struggling with ‘how do we evaluate this risk’ and … how much or what they need to get, and what they’re getting in return in the end.”

Although online security insurance cannot replace industry best practices in security, experts believe that it is an essential component that functions in complement to a tight, well-planned security program. “Any professional in security knows that 100% protection against attacks is impossible,” said  Nathan Oulman, lead architect for Hostmonster reviewing site Dailyhosting.net. “If such a thing could happen, then you could achieve 95% protection with best practices and due diligence, leaving the remaining 5% to online insurance. Although many believe that insurance coverage justifies less strict security measures, this is simply not true.”

As this challenge gets dealt with, more policies for more organizations should start appearing on the market, filling the online security protection gap.

How can online insurance integrate with a business security program?

Generally speaking, according to experts, online insurance is a rational choice. Although it can be expensive, some organizations believe that the inclusion of online insurance in their online security package is worth the extra cost.

Nevertheless, it takes more than just calling the insurer and ordering a policy. The decision-making process involves extensive analysis. To make things more complex, companies have started looking at online and risk insurance from a different perspective. “There is a world before the breach at Target, and the world after it,” Beeson stressed.

In the pre-Target breach era, online insurance programs were created following a static approach towards risk evaluation. Companies would complete an assessment and then present it to -and sometimes discuss it with- the underwriters. “After finishing the assessment and writing the policy, the insurers would typically leave and pray for the following 12 months,” said Beeson.

Following the Target breach, however, frequently occurring breaches are a normal thing, which means that the model of ‘waiting-with-fingers-crossed’ isn’t efficient for insurers anymore. According to William Dixon, VP at Stroz Friedberg, an online security, and risk management firm, although online insurance is considered a somewhat new instrument, for the most part of the past seven years, it was viewed as a reconsideration, attached to the side of a company’s online security policy.

“Companies have begun to understand that it is impossible to completely cover their risks with only people, technology, and process,” said Dixon. “As a result, many customers are including online insurance with their online security programs, not simply as an addition, to further improve the security of their processes and technology, but also as an instrument of managing the recovery, should a breach happen, in the form of breach notifications, remediation, credit monitoring and additional support from external counsel.”

Ken Allan, Ernst & Young’s global information security leader, explained that, oftentimes, some companies have to deal with unsurpassable obstacles when they try to obtain a robust online security insurance program. “A large banking client of ours carried out an analysis to discover their options with their online security investment – investigating if it would be feasible or not to increase their investment towards protecting more critical assets,” Allan said. “In certain occasions, the technology was extremely complicated, and the acquisition and management costs outweighed the potential benefits. The bank opted for online insurance coverage instead.”