Why cyber insurance policies are so 'ridiculously cheap'
The cyber insurance market is growing rapidly and policies are incredibly inexpensive -- but experts at Black Hat 2019 had concerns about those low prices.
The cyber insurance market is booming, and enterprises can get incredibly cheap policies to help offset financial damage from cyberattacks and data breaches.
That's the good news, according to a series of experts who spoke at Black Hat 2019. The bad news, however, is the burgeoning cyber insurance market is so new that many insurance carriers don't yet have a firm grasp on what cyber risk entails, and many enterprises aren't clear on what a policy actually covers.
A Black Hat Micro Summit attempted to clear up some of the confusion around cyber insurance and discuss some of the challenges facing the rapidly growing market. Jeremiah Grossman, founder of WhiteHat Security and organizer of the cyber insurance micro summit, said he believes cyber insurance will have "a profound impact on every single one of us, in every single thing that we do in this industry."
Cybersecurity expert Jake Kouns, who spoke at one of the three micro summit sessions, agreed. Kouns is the CISO at Risk Based Security, which specializes in vulnerability intelligence and risk ratings, and he previously worked at insurance carrier Markel as director of cybersecurity and technology risks underwriting.
"I believe firmly that if your organization doesn't already have [cyber] insurance, it's going to -- whether you like it or not," he told the audience.
Jake Kouns of Risk Based Security highlighted several 'scary' limitations for cyber insurance during his session at Black Hat 2019
Cyber insurance market growth
"It's a land grab," said Jeffrey Smith. "Everybody feels like they need to be in this space."
Smith, an insurance broker and managing partner at Cyber Risk Underwriters, spoke during one of the Black Hat sessions about how the cyber insurance market has experienced a boom in recent years. He said that while there are hundreds of companies that offer some type of cyber insurance, only around 20 actually understand and can assess cyber risk.
Matt Prevost, senior vice president and cyber product manager at insurance carrier Chubb, also spoke during one of the sessions, explaining that cyber insurance is a $4.5 billion market growing at approximately 25% annually. Prevost said Chubb pays out more than 90% of claims it receives, and the claims tend to be maxed out, which suggests most policy holders are underinsured.
When you can get $1 million in cyber insurance coverage for under $1,000, it's eye-opening.
Jack KounsCISO, Risk Based Security
The vast number of players and available policies has created lower prices for cyber insurance, Kouns said. "It's ridiculously cheap," he said. "There are so many carriers trying to get into this space that prices continue to be pushed down, from what I see."
In addition, the speakers said many cyber insurance policies will cover specific threats or issues, from ransomware attacks to data breaches that expose the personally identifiable information of customers or users.
Kouns said certain types of policies could reach a tipping point soon, but for now prices are still "way too cheap" for the kind of coverage provided. "When you can get $1 million in cyber insurance coverage for under $1,000, it's eye-opening," he said.
Cyber insurance market challenges
While cyber insurance policies are cheap, experts said there are concerns behind those low prices.
Smith said the cyber insurance market is still in its infancy, and as a result there isn't a lot of actuarial data for policy underwriters. He explained that with most types of insurance, he can determine a lot about a company's risk and projected insurance rate based on its size and vertical industry because of the amount of actuarial data available.
"That's not the case with cyber insurance because it's a new and evolving product," Smith said. "We don't have credible actuarial data."
But that hasn't stopped the growing number of carriers entering the industry from offering inexpensive cyber insurance policies to enterprises. And according to Kouns, some carriers aren't even looking at enterprises' risk profiles or security controls.
"In fact, there are a lot of carriers out there that do no underwriting," Kouns said. "They will hate me to say this, but they'll look your revenue and your industry and say 'Here you go!' and that's about it."
Kouns said a lot of the smaller companies in the cyber insurance market "don't understand security." Smith agreed, and said even as actuarial data becomes more prevalent, insurance carriers will still be challenged because cyber threats -- and the damage they can cause -- are so volatile.
"The problem is, unlike static risk like fire or workers slipping and falling, this risk evolves," Smith said.
Cyber insurance limitations
The experts at the cyber insurance micro summit generally agreed that fears of insurance companies not paying out cyber claims are largely overblown. During his session, Prevost compared the belief that cyber insurers don't pay claims enterprises to the inaccurate belief that because one cybersecurity product didn't work effectively, then all cybersecurity products are ineffective.
Still, the speakers said enterprises need to be aware of the limitations and exclusions in their cyber insurance policies. Kouns showed a slide with common and sometimes "scary" exclusions, including failure to encrypt data on mobile devices and failure to comply with PCI DSS standards. He highlighted one vague exclusion that rejects coverage for "failure to maintain or take reasonable steps to maintain security."
"That's horrible," Kouns said, "and you should run [if you see it]."
In addition to standard exclusions, Smith advised the audience to take a close look at policy definitions and conditions, which can "hide" coverage limitations. For example, he said, acts of cyberwar or cyberterrorism may be excluded by some carriers.
Those exclusions present a major obstacle for enterprises, according to Sergio Caltagirone, vice president of threat intelligence at Dragos Inc. Dragos, which specializes in industrial control systems security, works with many energy and utility companies that have experienced nation-state cyberattacks. "If insurance companies are going to exclude acts of war, then that's a problem because then we're talking about possibly excluding nation-state threats," said Caltagirone, who added that the international community hasn't yet settled on what kind of attack would cross a threshold into an act of war.
Definitions, exclusions, conditions and prices will vary greatly from carrier to carrier, Kouns said, so organizations need to shop around and pay close attention. "What concerns me is that there are so many of them out there and they are so different that there's very little commonality," he said. "It's very, very hard to compare these things and to make sure we understand what's going on."
Kouns implored cybersecurity professionals to assist their organizations by reviewing cyber insurance policies and even assisting with filling out applications for coverage. Smith agreed, saying that cybcersecurity vendors can fill in the insurance industry's data gap and provide valuable information and tools for risk assessments.
"The lesson I've learned is the more we take your stuff and combine it with our stuff, the better the outcomes are that are going to be enjoyed by our customers," Smith said told the audience.
