With litigation on the rise, the range of coverage options for cyber insurance has expanded. Yet experts believe a gap remains for covering intellectual property (IP) loss or theft.
“If you lose some of that IP, it could have massive ramifications. Right now we’re not at the point of being able to get that type of coverage,” Terry Rice, Merck & Co.’s [MRK] chief information officer, said at a Wednesday Security Innovation Network panel held at the National Press Club.
Only 40 percent of mid-to-large companies in the United States purchase cyber insurance. Merck is among the minority, but Rice said the expansion of the firm’s business into emerging markets where IP laws are scarce has placed extra pressure on safeguarding its pharmaceutical research.
A company can acquire insurance for loss of a third party’s IP, but there are very few providers who will insure the company against the loss of its own IP. If a company were the steward of another company’s ideas as part of a supply chain or outsourcing, it could purchase insurance to protect itself against a lawsuit from the original firm should there be a breach.
However, insurers are wary of providing first-party insurance for IP because that requires assigning a monetary value to designs and products. Insurance companies find it difficult to assess the value of these assets without seeming arbitrary.
Companies are also typically unwilling to share their trade secrets with insurance firms. This further reduces the possibility of assigning a fair value.
“No one knows a product better than the company and their lawyers,” said Peter Foster, a senior vice president at insurance brokerage firm Willis North America.
While intellectual property remains a sticky issue, cyber insurance against other potential breaches has evolved rapidly over the past several years. Cyber insurance now extends to full network insurance, including items such as transactions between a point-of-sale terminal and an acquiring bank. Protections against privacy liability for health or personally identifiable information loss, cyber extortion and network inaccessibility due to attack can all be acquired, Foster said.
“More and more we’re seeing that wall being broken down between tangible risk and the intangible risk that it is cyber,” Foster said.
Rice said Merck has taken cyber insurance a step further by integrating it as part of an enterprise risk management (ERM) strategy.
“I don’t think it’s the panacea for all things cyber…but it is a very beneficial tool,” he said.
Merck created a collective team to look at network risk across all facets of its business, especially as the firm grew into new markets. Rice emphasized finding the correct broker who understands the intersection between IT and privacy challenges.
Despite this progress, factoring cybersecurity technology into insurance remains fuzzy. Firms may use firewalls and mitigation software, but insurance companies do not prescribe what protections a firm should take.
“They are not in a position to say here’s the new technology that you need to learn,” said Charles Kallenbach, chief legal officer for Heartland Payment Systems, Inc.
Kallenbach, whose firm suffered a major breach in 2008, said insurance companies will do a review and compare it to industry standards for cyber technology. However, this process is fungible.
Rice said he hopes the Cybersecurity Framework from the National Institute of Standards and Technology (NIST) will encourage more concrete industry standards. The voluntary Framework, whose final version will be released in February, outlines cyber best practices for critical infrastructure. Liability protections and cyber insurance have been proposed as potential incentives for private firms to comply with the Framework.