GENEVA -- Is it worthwhile for treasurers to purchase a cyber insurance policy for their organization? Yes—but probably not for the reasons you think, noted one expert during a panel session Monday at Sibos 2016.
Stephen Scharf, managing director and chief security officer of the Depository Trust & Clearing Corporation (DTCC), noted that businesses tend to look at cyber insurance as a good way to recoup losses. That’s the wrong mindset, he said. “At that point, it’s really more of an accounting exercise than it is something that you’re doing to ensure you have strength and stability within your firm,” he said.
Perhaps this is why a substantial number of Sibos attendees feel cyber insurance is not worth the investment. Moderator Richard Dzina, executive vice president of the Federal Reserve Bank of New York, asked the crowd whether all firms should purchase a dedicated cyber insurance policy as part of a broader risk management program, and 54 percent said no.
Nevertheless, there are benefits to cyber insurance that most people aren’t thinking about, Scharf emphasized. First, cyber insurance can help companies quantify their risk exposure. “Insurance has been doing that for hundreds of years and they’re really good at it,” he said.
Additionally, insurance can help smaller organizations that can’t afford to hire security firms to identify vulnerabilities. “The insurance carriers can come in, and they’re very passionate about finding what problems you might have because it impacts what your premiums will be,” Scharf said. “They’ll do a free set of security audits on you that will identify where there are concerns.”
Of course, there are threats cyber insurance won’t protect your business from, such as reputational risk. If your company gets hacked and it impacts your customers, cyber insurance isn’t going to help with that. “So in this day of interconnectedness and interdependencies that we have with each other, it’s not necessarily a good thing that’s going to help all of your clients,” Scharf said.
Perhaps the biggest concern about cyber insurance is that there simply isn’t enough case law yet to determine how necessary or effective cyber insurance can be. As with any insurance policy, there are multiple carve-outs that could keep cyber insurance from paying out. “They talk about having acceptable programs in place, and there’s an interesting debate as to what’s an appropriate program and what’s not—what’s considered negligence and what’s not,” Scharf said. “So if you do have a breach, the insurance companies could come in with a fine-toothed comb and say, ‘You should have patched that system, you should have changed that password, etc. Therefore, we’re not going to pay out on the claim because you should have done a better job.’ There aren’t enough lawsuits in place to really define how that will play out long-term.”