With the recent spate of cyber attacks, taking out insurance seems like a great idea. There has been a jump in the number of insurance companies offering cyber insurance that is designed to protect organisations from the aftermath of a breach.
But, what exactly is the purpose behind taking out cyber insurance?
According to Adrian Davis, MD EMEA, ISC2, "The basic purpose of cyber insurance is, or should be, to support the insured organisation to return to the state before the breach. It will include direct costs such as the cost of informing consumers if their data has been stolen. It will also include things such as money to buy in expert help such as for cyber forensics. In addition insurance will often help an organisation manage or reduce risk through training and advice."
To help businesses recuperate after a bruising security breach, insurance companies like Hiscox are also throwing in PR help together with their cyber package, to help heal brand reputation. But what exactly are the key points you need to bear in mind before you shop around?
Well, to start off with, according to statistics, many companies do not find out that they have been breached for a long time. The average time lapse between being breached and realising it is 256 days, to be precise. So, when buying cover, it is prudent to ask for retroactive cover too.
In the NHS employee breach in Wales, it was the third-party supplier (who maintained data on the geigermeters worn by staff who worked with radiation machines) that got breached, so make sure that your cyber cover also includes vendors and third-party suppliers who might have access to data.
The merit of getting an 'advanced penetration test' done before putting your money down for cover cannot be rated highly enough. Not only will it help you understand if there are malicious actors lurking on your systems, but it will also help the insurance company grade and price the product properly.
And, as with any insurance product, make sure you understand the language and terminology around it well enough to win an argument in case the need arises later on. Irrespective of whether it was an insider job, accidental or malicious, make sure to ask to be reimbursed for your data.
And while we have discussed things for businesses to keep in mind, it goes without saying that insurers face difficulties too... Typical pain points would include:
- An escalating growth in demand, but a lack of relevant information, and therefore accuracy, in pricing the risk
- An awareness that earlier market higher-risk products can carry high margins, but that may be an inadequate reward for mitigation and settlements that can scale to eye-watering levels quickly
- Services that anticipate the need for a more proactive stance – protecting, managing and insuring against cyber extortion for example
- Acknowledgement that cyber-attacks are not only about IT crime anymore, but business interruption and business information risk overall
- Putting value on the very intangible but incredibly valuable concept of digital assets.
At Cyber Symposium, Inga Beale, CEO of Lloyd’s, said: “It’s [cyber breaches] one of the most high-profile risks businesses are facing at the moment and yet CEOs seem to be in denial about its impacts and their ability to deal with it. Businesses are either not looking for solutions, or if they are, they don’t know where to find them or understand the value of them. Insurers need to explain the benefits cyber insurance can bring.”
In a recently released set of survey results that compiled responses from 250 regional, national and global broking firms based in the UK, the take-away points make for interesting reading. Elliot Lane, Joint Managing Director, FWD (survey conductors) said: “Since WannaCry, there have been further cyberattacks, on Whitehall and the more virulent Petya ransomware attack. The question is what incident will be the catalyst to kick-start the market? Firms might be holding back on cyber insurance if they do not think that the right type of products are available, however if businesses are not prepared, then they could be facing significant losses. At this stage however, it appears that this is a risk many businesses are willing to take.”
In fact, Apple and Cisco recently announced that they were partnering to help businesses that use devices and services from both companies get discounts on cyber-security insurance premiums.
At the launch, Tim Cook, CEO, Apple said: "The thinking we share here is that if your enterprise or company is using Cisco and Apple, the combination of these should make that (cyber-security) insurance cost significantly less. This is something we're going to spend some energy on. You should reap that benefit."
A Cisco company blog post said that there was to be 'collaboration with insurance industry heavyweights ... to offer more robust policies to our customers.' According to Cisco, this move will help create methods for continuous security monitoring, which will come in handy for insurers to make sure the systems are set up and working as intended.
Research conducted by YouGov on behalf of insurance company Zurich has shown today that SMEs in London are worst affected by cyber breaches and almost 875,000 SMEs across the UK have been affected by a cyber-attack over the last twelve months. It also showed that of the companies that had suffered breaches, just over a fifth reported that it cost them over £10,000 and one in ten said that it had cost them more than £50,000.
In such a risk-laden climate, the case for taking out cyber insurance could not be more obvious.