Groundbreaking Survey Shows What’s Broken That’s Affecting Cyber Insurance

SANS and Advisen join forces and bring together InfoSec and insurance worlds for the first time to shed light on gaps in the growing cyber insurance market, sponsored by PivotPoint Risk Analytics

Baltimore, MD, Bethesda, MD and NYC — June 21, 2016 — PivotPoint Risk Analytics, SANS and Advisen announced today the results of an industy-first joint survey that shows while cyber insurance is a young and rapidly evolving product — which can leave organizations with an uncertain sense of protection — there is a set of gaps that can be bridged to help cyber insurance mature faster and be seen as a more effective risk transfer vehicle. The unique data delivered in this survey represents the first time the respected information security research and insurance data and analytics firms have joined forces to bring the InfoSec and insurance worlds together to shed light on the gaps in this critical yet confusing market, currently projected to double in premiums by 2020.

Organizations of all sizes are rushing to adopt cyber insurance, a trend accelerated by SEC guidance to executive management and boards of directors of public companies. Yet in one of the key findings of the survey, only 48% of the CISOs and other information security (InfoSec) professionals surveyed find cyber insurance at least “adequate” when addressing the consequence of a data breach. InfoSec is often insuring the wrong things and uncertain as to what is and is not covered by their policies; insurers are uncertain of the risk they are accepting when writing a policy. The reason for this disconnect? Only 30% of underwriters and 38% of InfoSec respondents believe they even speak the same language.

“Senior executives are now insisting on cyber insurance protection. As a result many CISOs and other InfoSec professionals are interacting with underwriters for the first time. CISOs, and even the risk managers charged with buying insurance, often do not fully understand what is covered by their cyber insurance policies,” said David K. Bradford, co-founder and chief strategy officer, Advisen Ltd.

In one example, P.F. Chang’s recovered $1.7 million from its insurer for post-breach expenses and defense of a class action suit following a 2014 breach. But what the company did not recover, and what was the source of a lawsuit against its insurer, was its reimbursement to its credit card processor for a $1.9 million PCI DSS assessment. “Situations like this might be avoided by better communication and coordination between InfoSec professionals and underwriters before a policy is bound,” added Bradford.

Titled “Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey” and representing 203 InfoSec respondents and 195 insurer and broker respondents, the research specifically uncovered the potential sources of friction and gaps between the InfoSec and insurance communities:

  • The Terminology Gap.” InfoSec and insurance professionals acknowledge they do not share a common definition of the fundamental concept of “risk.” InfoSec personnel think in terms of threats and vulnerabilities — and eliminating these by creating defenses, policies and programs. Insurance providers think in terms of reducing an organization’s risk of financial loss from a cyber incident.
  • “The Assessment Gap.” Assessment frameworks establish standard actions, practices, plans, metrics and, ultimately, costs for minimal acceptable levels of cyber hygiene and are used to measure and benchmark defenses against other organizations and regulations. But InfoSec and insurance favor different frameworks and models. Insurance favors quantitative over qualitative models, with only 25% of InfoSec respondents employing a detailed quantitative model.
  • “The Communication Gap.” These above gaps have fostered a communication divide not only between InfoSec and insurance, but also within organizations between the InfoSec professional and the Risk Manager and within the insurance community between the underwriters and brokers. All stakeholders need to work together to develop a common language. In particular, CISOs should be more involved in the procurement process because they understand the exposures. That means, however, that they need to understand the coverages better and have a common language with brokers and underwriters.
  • “The Investment Gap.” A lack of transparency in underwriting criteria has resulted in misaligned investments by buyers seeking cyber insurance. InfoSec personnel may invest in the wrong things, thinking it will make them insurable; or the insurance they purchase is not aligned with their realized losses and claims are denied. To further complicate matters, there may be policy provisions and exclusions that require experienced legal counsel to interpret. InfoSec professionals also may not anticipate the need for hard-to-find insurance for certain exposures (e.g. an email spoofing attack that causes an unauthorized funds transfer).

Other key survey findings include:

  • Underwriter Reasons for Rejection: Inadequate cyber security testing procedures and audits ranked highest as the reasons for rejection at 44.4%, followed by inadequate processes to stay current on new releases and patches (40.4%) and inadequate cyber incident response plan (38.3%) and inadequate backup processes and recovery (34.0%). Interestingly, “other” reasons that ranked lowest included the lack of basic controls, such as firewalls, antivirus and intrusion detection; personally identifiable information on portable devices with no encryption; inadequate access controls/monitoring; as well as a general lack of understanding.
  • Who Is Making the Decisions? When seeking to buy cyber insurance, 42% engage the CSO/CISO and internal security team; 8% look to external consultants and security SMEs; and 22% use a combination of internal and external resources. Yet, the decision still rests with the C-suite (50%) and board of directors (25%). In fact, only 5% report that senior security management is involved in making the decisions.
  • What Do Insurers Look For? Most respondents had to adjust their security profile to obtain satisfactory cyber insurance coverage. Only 9% reported having to make no adjustments, while 41% of this set of respondents had to implement or update policies or processes. According to some brokers surveyed, underwriters also often decline to insure a company not because of its specific information security practices, but simply because it is in an industry the underwriter prefers to avoid. On the InfoSec side, organizations struggle to implement and document best practices that should ultimately afford them the best premium.
  • Perception Versus Reality: Respondents said they are most concerned about risks involving the organization’s data and information, followed by the applications and databases that interact with and manage that data and information. Risks related to the workforce, both employees and contractors, ranks third overall among the major categories of concern. However, workforce-related issues are the leading category where risks have been realized and where risk transfer through insurance should be focused.
  • The Haves and Have Nots: Despite the almost daily release of information about new cyber breaches, only 34% of respondents currently have cyber insurance, with another 12% reporting they are self-insured (led by government). Only 64% of respondents that are covered either by third-party coverage or are self-insured know how their organization obtains that coverage. And only 60% of this population indicated that they actually understand the characteristics and limits of their insurance coverage.
  • The Role of Government: Finally, only 29% of respondents felt a market-driven approach was desirable. Instead, respondents asked for regulators to step in to define due diligence and standards as well as to clarify existing regulations, although they were more reticent to have regulators actually require procurement of insurance or provide a common floor (as with National Flood Insurance). Governmental or regulatory policy can set that basic floor with flexible standards, while at the same time not legislating what will quickly be quickly outmoded and allowing the market to evolve.

Barbara Filkins, SANS Analyst and author of the survey says:

By uncovering these gaps, this report identifies the building blocks necessary to work together effectively, making cyber insurance a valuable component of an organization’s information security program and a sustainable industry.

The results of the “Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey” will be presented Tuesday, June 21st, 2016 at 1:00 PM (13:00:00 EDT/US Eastern). To register visit: https://www.sans.org/webcasts/bridging-insurance-infosec-gap-2016-cyber-insurance-survey-101900

To download the full report and for more information on methodology and scope visit: https://www.sans.org/reading-room/whitepapers/analyst/bridging-insurance-infosec-gap-2016-cyber-insurance-survey-37062

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates employee qualifications via 30 hands-on, technical certifications in information security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master’s degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet’s early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (www.SANS.org)

About Advisen

Advisen is leading the way to smarter and more efficient risk and insurance communities. Through its information, analytics, ACORD messaging gateway, news, research, and events, Advisen reaches more than 150,000 commercial insurance and risk professionals at 8,000 organizations worldwide. The company was founded in 2000 and is headquartered in New York City, with offices in the US and the UK. Visit www.advisenltd.com to learn more.

About PivotPoint Risk Analytics

PivotPoint is the leading provider of cyber risk analytics that measure Cyber Value-At-Risk. In a world where conventional wisdom says you will get hacked, you bought one of everything to try to thwart the attack and protect your crown jewels. And as the threat—and business evolves—so does your cyber risk. Our customers, on any given day, can prove they have lowered the company’s cyber risk to secure the value of their business. Visit PivotPoint at www.pivotpointra.com, Twitter or LinkedIn.

###

Media Contacts

PivotPoint Risk Analytics             Advisen                                               SANS

Leslie Kesselring                              Charlene Farside                              Kevin Fogarty

[email protected]                  [email protected]                  [email protected]

503-358-1012                                     302-861-6917                                     978-443-9055