An organization collecting and maintaining data valuable to threat actors owes it to the owners of said data to protect itself against breaches. That same organization owes it to itself to carry appropriate cyber insurance. In addition, management needs to thoroughly understand cyber insurance underwriting. Ignoring it is not an option.
Cyber insurance underwriting is the process of creating and implementing insurance policies to cover cybersecurity risks. It is an emerging industry that learns as it goes.
As cybersecurity threats evolve, so do the insurance policies carriers offer. Their policies are invaluable to small and mid-size businesses, large enterprises, corporations, and nonprofits.
No Organization Is Immune

The need for cyber insurance is rooted in the reality that no organization is immune from cyber-attacks.
We expect the biggest names in healthcare to be targeted simply because they possess so much information.
We expect government entities to be targets as well. But what about more obscure targets? What about insurance companies?
Last fall, an insurance company known as Globe Life filed a Form 8-K with the Securities and Exchange Commission (SEC) reporting a data breach impacting a minimum of 5,000 customers.
The number is likely to be much larger once the final analysis is complete.
This is an insurance company, mind you. Given the potential losses associated with cyberattacks, one would expect an insurance company to do better.
Nonetheless, one of Globe Life’s subsidiaries was attacked by threat actors who managed to gain access to:
- Customer names and addresses
- Email addresses
- Phone numbers
- Social Security numbers
- Health-related information
- Policy information
Those responsible for the attack offered the company a proposition: they would not use the compromised data for gain in exchange for a monetary payment. Despite the perpetrators' claims that they had access to even more information they did not disclose, Globe Life said that credit card and banking information were never at risk.
Carriers Try to Avoid This Stuff
It is not clear if Globe Life's subsidiary carried cyber insurance. Regardless, this is the very stuff cyber insurance carriers want to avoid. Like any other form of insurance, cyber insurance fails if carrier losses mount. So carriers expect policyholders to take every reasonable step to prevent data breaches.
One such step more carriers are demanding these days is third-party risk management. According to darknet intelligence provider DarkOwl, organizations like Globe Life are only as secure as their third-party vendors and partners down the supply chain.
Stop and think about the implications of that. A threat actor who breached a Globe Life subsidiary has access to data on some 5,000 customers.
Could that threat actor take advantage of his access to move up the supply chain, all the way to Globe Life itself? It's a possibility that has to be accounted for.
As such, cyber insurance carriers expect policyholders to practice third-party risk management.
The Future of Cyber Insurance Underwriting

As cyber-attacks become more sophisticated and potential losses mount, the demand for cyber insurance underwriting should become more pronounced.
Meanwhile, insurance carriers will have no choice but to continually evaluate their underwriting practices. They need to protect themselves against losses or the whole thing collapses.
From the policyholder’s standpoint, cyber insurance underwriting is another tool for mitigating losses. It’s imperative that an organization’s decision makers understand underwriting and, more generally, cyber insurance.
Cyber insurance is a tool for recovering financial losses in the wake of a successful cyber-attack. But it is only sustainable if carrier losses are minimized. Expect cyber insurance underwriting to mature over the next few years, specifically to that end.