In a positive step for the cyber insurance industry, Beazley and Munich Re have raised their maximum cover from $50 million to $100 million, a move that signals growing confidence in a sector still suffering from a dearth of actuarial data. Cyber insurance has become an increasingly important consideration for companies of late, and the clearest sign of this is the number of policies sold. Marsh, for example, reports that sales to US clients have grown by more than 20% year on year since 2012, with the manufacturing sector registering the largest number of new purchases last year.

Some of the highest profile losses on record have been data-breach related, and there is little doubt that this type of cyber insurance is a growing area of interest. By now it is clear that the Walmart, Home Depot and Trump Hotel breaches were not flukes, so a policy costing a million could save hundreds of millions in the long term. The argument that such losses are negligible to companies the size of Target may be technically correct, but that does not make the savings unimportant: indirect effects such as lost customer goodwill, costs to third parties and reputational damage are always difficult to measure. On the other hand, statements such as “it’s a valid business decision to accept the risk [of a breach]”, while true, tend to be quoted ad nauseam if such an event actually takes place (with apologies to Jason Spaltro, Sony VP for information security).

Silobreaker Time Series showing when news of the Target breach broke in December 2013.

While insurance can work wonders to reduce the impact of a breach or compromise, there are caveats. Holding a policy does not always mean that one is protected, and it is sometimes ambiguous whether a given loss is covered at all, not least in the ever-evolving realm of information security. Just ask bitcoin processor BitPay, whose CEO was tricked into sending nearly $2 million worth of bitcoins to a scammer impersonating the company’s CFO by email. Commonly known as business email compromise (BEC) or “CEO fraud”, this scam has taken millions from businesses including Mattel and KPMG. In BitPay’s case the Massachusetts Bay Insurance Company refused to pay out on the grounds that the policy’s ‘computer fraud’ cover did not extend to the scam: the insurer argued that no computer fraud had taken place because the perpetrator never accessed BitPay’s systems to take the funds; an authorised employee transferred them. The Houston-based Ameriforge group encountered an identical issue after its director of accounting fell victim to a BEC scam. Both businesses are suing their insurance providers.

Silobreaker Time Series charting reports on data breaches and BEC scams since Feb 23rd.

What is worse than having insurance and being unable to use it? Believing that insurance cover mitigates the risk of a compromise rather than merely its financial outcome. Companies applying this logic judge the likelihood of an attack to be low, and conclude that money can be saved by neglecting real defences in favour of a monetary safety net. There is evidence of this dangerous mindset taking hold: a 2015 Websense report on the finance sector found that cyber insurance may be giving businesses a false sense of security. It is important to remember that insurance cover is limited in both scope and scale, attracts higher premiums as breaches grow more frequent, and will never be a viable answer to a long-term security problem. Relying on this kind of ‘defence’ ignores the lasting value and scalability of threat intelligence, incident detection and response, and prevention; these are strategic mechanisms that only become more important as threats continue to multiply.

Rising cyber insurance sales and cover levels indicate that more companies are starting to take their cyber security seriously, but many hurdles remain. Data is lacking, policies are still evolving, premiums remain costly for vulnerable industries, and pay-outs are capped. Investing in threat intelligence, incident detection and response therefore remains the best way of keeping data safe and never having to make a claim in the first place.