Cyber Security: To Insure or Not to Insure

I moved to Brooklyn from upstate New York a little over a decade ago. At the time, I was driving a Subaru Legacy. I was a sports reporter and my job required me to attend events all over the state, so a car was a requirement. But when I decided to leave the newspaper business and move to Wall Street to write about financial technology-first at American Banker magazine and then at Waters-my car was basically only useful for late-night White Castle runs.

At the same time, I had accrued more than a few speeding tickets and my insurance was getting out of hand. So I made the calculation that having a car was not worth the effort and donated it to Kars4Kids (their jingle must have been stuck in my head) and converted our garage into a pool room. I was tired of handing my paycheck over to the insurance companies.

Insurance is a lot like taxes: No one likes to pay for it, but when it pays off, you begrudgingly acknowledge the need for it. One boom sector to get into right now is that of providing cyber insurance. At Waters' inaugural Cyber Security & Risk Management Briefing, held on September 22 in Midtown Manhattan, the topic of cyber insurance was raised by an audience member.

Jonathan Dambrot, CEO of Prevalent, noted that the sector is rapidly evolving, as we're only now seeing firms getting paid after a hack, which will cause insurance firms to readjust how they create a policy.

"The insurance companies that underwrite these things are really looking at things like threat intelligence and areas to pinpoint the risk of that supply chain, whether you're using a vendor or doing it internally," Dambrot said. "So in the years to come, I think you're going to see a lot more intelligence-driven approaches to cyber insurance. We're just now starting to see people get paid out on these policies, so we'll see if they're valuable or not. Clearly they're valuable, but just how valuable they are will shape out over the next few years."

Insurance is a lot like taxes: No one likes to pay for it, but when it pays off, you begrudgingly acknowledge the need for it.

[For more on the evolution of cyber security, read Anthony's feature on the subject here.]

A Tough Call
Josh Stabiner, chief information security officer at Pine River Capital Management, said his firm decided to forgo insurance, but instead has an aggressive approach toward due diligence of third parties. Pine River also keeps a cyber security firm on retainer in case a data leak occurs.

"When we went through what it covers, it turned out that it didn't cover trading-floor losses during a cyber event. It covers the cost of performing an investigation and remediating the attack. So we said that in that situation, we have a vendor on retainer; we know what the price is going to be per hour-yeah, it might be a large number of hours, but in that event we'll absorb the cost. We took a risk-based approach: What do we think the potential cost of this event will be, what is the likelihood of this occurring, and what is the cost of the insurance? From our perspective, it just didn't work out," he said.

An audience appeared incredulous at Stabiner's comments, asking what investors would say to that response. Stabiner explained that he had been in numerous operational due diligence meetings and had filled out a lot of due diligence questionnaires, and no one had called him out. "That's the answer we provide and no one has challenged us on it," he responded.

Beef Up
Capital markets firms need to take a risk-based assessment of their cyber defenses. If they want lower insurance costs, they must pay to be more sophisticated when defending against cyber attackers.

Pine River has been able to satisfy investor queries because it has a clear cyber framework that it can articulate to clients. Others will prefer the security blanket of paying for insurance.

This is a rapidly evolving space, so no one can say with certainty what the industry's best practices are. But if you aren't having these discussions with IT and at the board level, where everyone is speaking to one another rather than having instructions handed down to them, then your firm may well make the headlines for all the wrong reasons.