No business wants to be hacked or suffer a breach. Alarming headlines seemingly every week remind businesses of the impact – damaged reputation, data loss, revenue loss and even going out of business. Because of the realities of a breach, many businesses are now protecting themselves by purchasing cyber insurance to cover losses associated with a cyber incident, such as a breach, attack, virus or other cyber security issue. According to the PwC report Insurance 2020 & beyond, annual gross written cyber security premiums are set to increase from around $2.5 billion in 2015 to $7.5 billion by 2020.
While cyber insurance has been offered for years, demand continues to increase due to the publicity from breaches as well as the potential losses. If a criminal locks a software system so a business cannot access its data, then the business is unable to function. This means the business must close and lose revenue until the software is back up and running. Cyber insurance protects the company from all associated costs from the incident, including data loss and revenue. Apple and Cisco business customers can now get cybersecurity insurance at a discount through policies the tech companies negotiated with an insurance carrier.
In addition to consumer-facing businesses, many manufacturing companies are now purchasing cyber security insurance. According to a New York Times article, manufacturers are increasingly vulnerable because factories are now run on computers and digital systems, meaning a breach can halt production.
This opens many opportunities for insurance companies to offer cybersecurity insurance to companies ranging from small businesses to large enterprises. However, the profitability of offering cyber insurance depends on an insurer's ability to accurately underwrite policies. While this is true for all types of insurance policies, correctly underwriting cyber insurance is especially challenging because risk factors are complex and not a lot of data currently exists. Without access to the right information, insurance companies cannot correctly underwrite cybersecurity policies.
When underwriting cybersecurity policies, insurers should consider the following:
- Cyber health of the network and computers – Companies can take steps to make it harder for hackers to attack their network. For example, companies with open ports are more vulnerable because hackers can more easily access the data stored in the cloud. Companies that actively monitor and protect ports that are open for a specific reason can mitigate some risk, but determining the security of a network is complex.
- Employee behavior – It’s been widely reported that human error, such as poor password hygiene and clicking on unsafe links, causes many security vulnerabilities. However, some employees cause breaches by stealing data from companies and selling it on the dark web, which is the area of the Internet known for criminal activity. The dark web is not accessible by a regular browser. Criminals buy and sell all types of information – healthcare records, social security numbers, driver’s licenses, travel loyalty cards – that can often be used to commit other crimes, such as corporate breaches and identity theft.
Evaluating Risk of Employee Behavior
While most insurance companies have network vulnerability monitoring, determining employee behavior as it relates to risk is much more challenging and beyond the capability of most insurers. To accurately understand behavior risk, insurers must consider the following:
- Has an employee’s data recently been breached? Because many people practice poor password hygiene by using the same passwords for multiple accounts, a breach of an employee’s data increases the odds a criminal can use the same passwords to access the company’s data.
- What is the employee’s current financial situation? What is their FICO score? Do they pay their bills on time? Are they in debt? While not everyone in debt will commit criminal activity, being in a poor financial situation increases the risk that a person may engage in criminal activity for money.
- Is the employee active on the dark web? Companies that employ people who are actively engaged in criminal activity are going to have a much higher risk of cyber security issues. Employees whose personal information is available for sale on the dark web also increase a company’s security risk.
Without this level of detail, insurance companies are relying on guesswork. To properly underwrite cyber security insurance, it is essential to have access to employee behavior data. Insurers that are issuing cyber security insurance policies without evaluating these factors are taking an unnecessary risk themselves.