The advantages that cyber criminals have over data protection countermeasures have convinced more companies that they need to focus on breach responses rather than just prevention.
Larry Lidz, global chief information security officer for CNA Financial Corp., said when his higher-ups first spoke with him about buying cybersecurity insurance for the company years ago, he balked at the idea. Lidz thought CNA would be better off spending the premium money on information security, he said during a panel discussion at the Advisen Cyber Risk Insights Conference in Chicago.
Lidz now counts himself among security professionals who acknowledge that they "cannot keep the bad guys out." Hackers are very smart and sophisticated, far more numerous than cybersecurity professionals, and connected globally, he said.
Putting companies further at a disadvantage, the pool of cybersecurity professionals companies can hire to prevent and respond to breaches is small, and professionals are hard to keep once they gain work experience, according to Lidz. Rather than assume that their technology has made them impregnable, Lidz said companies should be prepared to respond to hacks. That means investing in detection, response and insurance.
"As soon as you take that principle, that they're going to get in, the choice of buying insurance makes a lot more sense," he said. CNA Financial is one of the top writers of packaged and stand-alone cyber liability insurance.
Joshua Harwood, director of risk management for Telephone and Data Systems Inc., said his company considered cyber insurance for years before eventually purchasing coverage. Five or more years ago, boards and senior management tended to be skeptical about cyber liability policies and to decline them out of confidence in their breach security, according to Harwood. The tables have since turned: companies are now more willing to buy policies and more skeptical about the ability of cybersecurity measures to prevent hacks.
"They've been reading their journals and talking to their peers about all of these scenarios," he said.
Companies considering cybersecurity insurance are still uncertain about what the policies cover and what they would pay for, according to panelists at the conference.
Stephanie Snyder, U.S. cyber liability insurance sales leader for Aon PLC, said she continues to be surprised by the size and profile of companies that have not bought any breach liability insurance.
"It's still, frankly, an evolution," Snyder said of the cyber liability market.
