Jake Kouns has been trying for years to get Black Hat organizers to pay attention to cyber insurance. As the CISO for Risk Based Security, he has proposed talks on the subject multiple times, only to be rejected. This year, the organizers had a change of heart. Not only was his talk accepted, but the topic of cyber insurance is the focus of a micro session (multiple talks) at the annual event, held this year on August 7th and 8th in Las Vegas.
“The uptick on policies continues, and people are finally more open to having this conversation,” said Kouns. “Now people are asking questions and wanting to know more about what is going on with cyber insurance.”
Cyber insurance, also known as cyber risk insurance, is still a small market. PwC estimates only about 30 percent of companies have cyber risk insurance or cyber liability insurance coverage. But the market appears poised for growth. In 2017, 170 U.S. insurers reported writing cyber insurance, up from 140 in 2016 and 119 in 2015, according to the U.S. Cyber Market Update report from Aon. And in a recent report, PwC noted cyber insurance has huge potential. The firm estimates that annual gross written premiums are set to grow from around $2.5 billion today to $7.5 billion by the end of the decade.
Before growth can really take off, Kouns believes it will be critical to clear up a vast amount of misunderstanding and misconception about the product among security professionals.
“That’s still the biggest issue with cyber insurance: confusion,” said Kouns. “You can talk to someone about insurance and they lens in on the policies they know. But with so many different carriers, it’s not even like comparing apples and oranges. It’s like apples, oranges and kiwis. Policies are all so different. If anyone tries to broad-brush about cyber insurance, they aren’t being honest.”
That confusion has also left a bad taste in the mouths of many CISOs and other security managers, according to Jeffrey Smith, Managing Partner with Cyber Risk Underwriters, who will also speak on the topic at Black Hat.
“The understanding is still dim,” said Smith. “And I sense some frustration and pushback from those who don’t view the product as a legitimate offering. There have been a handful of unsuccessful claims that get press. The coverage is a black eye on the market and it’s frustrating. Some claims have been denied, but people don’t hear the full story. They don’t hear about the successful claims.”
One such case Smith referred to is the 2016 case involving P.F. Chang’s and Federal Insurance Company. In a decision from the US District Court for the District of Arizona, the court held that the insurance policy between P.F. Chang’s and Federal Insurance Company did not cover fees and assessments that P.F. Chang’s had contractually agreed to reimburse to its debit/credit card processor resulting from a data breach. The court found that certain exclusions in the insurance policy barred coverage for MasterCard’s fees and assessments. Smith said the ruling is an outdated example of what cyber insurance covers and that the product has evolved considerably in recent years to address these kinds of gaps.
Smith said anecdotally he estimates that about 60 percent of small-to-medium-sized businesses currently lack cyber risk insurance coverage, and about 50 percent of enterprise-sized businesses have none. But he also anticipates an upswing in policy purchases due to what he has observed from customers in the healthcare and finance sectors, who are increasingly asked by clients to purchase insurance for compliance purposes.
While finance managers, not CISOs, are typically leading the conversation about insurance purchases within their organization, his hope is to educate security professionals at the session who want information on how insurance could impact their responsibilities.
“In the event the company does purchase cyber insurance, there is some role the CISO will need to play to maximize policy,” said Smith. “My objective is to educate and improve outcomes for them.”
Kouns said the focus of his talk will be to offer tips and best practices for incorporating cyber insurance into a risk management strategy. Admittedly, he noted it is a topic that is unconventional for a technically focused event like Black Hat.
“It does feel in some way out of place at Black Hat, but I think it’s a sign of the importance of cyber insurance to the industry today,” said Kouns.