This post was inspired by a Twitter discussion with Rob Lewis (@Infosec_Tourist).
I recently saw an IT services contract that had a stipulation requiring the service provider to carry a multi-million dollar cyber insurance policy. I think that’s pretty smart. More broadly, I see that cyber insurance has the potential to be a maturing and transformational force for information security. Here’s why…
At its core, information security, for most firms, is a lot like insurance: a necessary expense to address a set of risks. We read story after story about boards of directors, CEOs and other executives not understanding or not taking information security threats seriously. There are likely many reasons for this, some of which are no doubt due to the non-deterministic nature of information security: it’s hard to tell when you’ve done enough, and there is always something new to buy or someone new to hire.
Security is generally not a competitive differentiator for most firms, and therefore management naturally wants to minimize those costs in order to spend money on more profitable areas of the business. Insurance policies are not competitive differentiators either, and few companies like to buy more coverage than necessary.
Insurance companies are in business to make money. Companies wanting cyber insurance coverage will need to meet certain requirements set by insurers, and different levels of maturity and control will likely command different premiums.
In addition to the obvious benefit of having coverage should something bad happen, with cyber insurance companies now have a direct, tangible financial link between the maturity of their security program and both their eligibility for coverage and the rates they will pay for it. Additionally, CFOs and other executives responsible for obtaining insurance coverage will receive advice and counsel on the organization’s information security posture from a “trusted” partner, rather than only from their internal security staff or auditors.
The coverage itself is also important for many firms. As an example, most companies purchase insurance that covers loss due to fire. A firm’s building may have a fire sprinkler system, but there is still some remaining risk of loss due to a fire and so it is most economical to cover that risk with insurance, rather than hiring teams of firefighters to patrol the halls full time. The same is going to be true in the cyber world. Sensible controls should be in place, but we have to be cognizant that it’s not economical, indeed maybe not even possible, to eliminate the risk of loss due to electronic attacks, and so cyber insurance coverage seems like a sensible thing.
Organizations certainly should not see cyber insurance as the “easy button”, allowing them to pass all or almost all of the risk on to insurers and the costs of the coverage on to customers. I would assume that the insurers will take reasonable steps to ensure that they are not facilitating bad behavior, since that would impact their own business.
Back to the contractual requirement for a cyber insurance policy. I think it is pretty smart to include such a requirement, since it not only ensures that you, the customer, have some deep pockets to collect from if things go south, but also that the insurance company is essentially going to be working for you to ensure your vendor is acting responsibly with respect to information security.