Cyber insurance underwriters will favor – and may offer premium reductions – for third party data management providers and their clients if they have undergone formal data security compliance reviews by certified outside examiners, research by 360 Advanced, Inc. shows.
A poll of leading insurance executives by 360 Advanced concludes that while underwriters believe penetration by professional hackers is almost inevitable, underwriters will favor doing business with firms whose top management has invested time, staff and money in developing information security defenses.
The executives stopped short of saying not having completed an outside information security compliance examination would be a barrier to coverage, but agreed underwriters would look more favorably on firms with such attestations or assessments.
“Having completed a third-party compliance examination is one indicator of senior management’s interest and commitment to security and prevention,” said Brian D. Brown, CEO of CyberSpecialist Consulting Group in Atlanta, a pioneer and recognized expert in cyber security risk management. “It shows information security is a core value, and that gives some comfort to the underwriting industry.”
Insurance industry pressure is mounting for both data management vendors and their clients to take steps to better protect data or face significant coverage restrictions, all agreed.
“That’s a yes,” declared Lou Mitchell, Chief Operating Officer at Orlando-based Sihle Insurance Group, when asked if third-party compliance attestations can earn premium reductions. “They will get a premium discount.”
The interviews showed that while the potential premium discount will not offset the fees required to achieve various levels of information security, such as SOC 1 and 2, HIPAA, PCI and others, passing an outside information security examination is a net positive in the policy writing process.
“Having an assessment will get credit, conservatively about 10 percent, but it should be a lot more,” said Brown. “If you can release an executive summary to the insurance companies, then it becomes a pretty powerful pricing tool for the insurance underwriter to justify the credit in their rating.”
It is doubtful that underwriters would require data surety attestation as condition of insurability, but the prospect seeking cyber coverage could benefit by being seen as a “highly protected risk program,” commented Ken Sihle, President of Sihle Insurance Group.
Mike Ammiano, Senior Vice President at Harden in Jacksonville, explained that the network security compliance and privacy liability insurance market is expanding rapidly, and today, there is an “ample market that has actually gotten quite competitive.
“The more enlightened clients and insurers are requiring that vendors carry this coverage,” said Ammiano. “We get pushback when we require that coverage, but that is changing.”
A significant concern in the industry is the near inevitability of a criminal breach no matter the safeguards. However, firms with data surety attestations or assessments may face less risk because they may not be seen by cyber criminals as easy marks – the low hanging fruit preferred by hackers who always seek the path of least resistance.
Underwriters are getting more selective, those interviewed agreed, and data surety attestations are becoming a consideration. “An incrementally small increase in security has an inordinate impact on whether you get hacked,” Brown said.
“Without formal risk management procedures in place, you put yourself at greater risk of having a loss, and once you have a loss, your premiums can skyrocket,” said James R. Clark, Vice President at Harden in Tampa.
One of the challenges today is there is no actuarial data for cyber breaches, so ratings are more subjective than objective – but that is changing, the experts agreed. “I don’t think the market yet realizes what the true exposures are, and as of now, there is nothing that is the equivalent of an earthquake,” said Clark. “But if that happens, that’s where underwriters will get more stringent and require tighter controls.