
teissTalk: Transferring risk – what should your cyber insurance cover?

On 20 January, teissTalk host Geoff White was joined by James Tuplin, Head of Cyber of Mosaic Insurance, as lead guest; Joe Hancock, Partner (non-lawyer) and Head of MDR Cyber, Mishcon de Reya; and Sebastian Avarvarei, Information Security Manager, Canon.

 

Views on news

With insurers’ loss ratio rising over 72%, the current cyberinsurance model is becoming increasingly unsustainable. Insurers therefore tend to tighten the underwriting process by increasing premiums, shrinking coverage or adding more exclusions to redress the balance. They are also more vigilant about the security controls that their clients need to have in place (e.g., EDR and patching schedules), and they are ready to walk away if their requirements remain unmet. As a result, security and insurance are expected to cease to be an either-or proposition rather soon. The scope of liability for businesses is growing too, with businesses also held responsible for third-party data leaks and breaches.

Meanwhile, the fact that insurers are starting to ask more accurate questions about security controls may help CISOs get their point across to the board, finance auditors or contracting partners. Alternatively, with proper controls in place and confidence in their cyberdefences, businesses can cost out the amount they pay for insurance. However, the article argues for a joint controls-as-well-as-insurance strategy.

Striking the right balance between transferring and preventing cyberrisk

There is a long-standing arms race between hackers and infosecurity experts. It started with credit card data theft, which GDPR addressed; then came ransomware, which was somewhat set back by the accelerating move to the cloud, where data is more difficult to encrypt. As a result, there is now some shift back to data theft, but this time it’s mission-critical corporate data rather than cards.

There is a novel legal approach to dealing with ransomware, too. In the old days, arbitration seemed pointless against criminals without a good amount of forensic evidence. Today, proving that the money these criminal entities hold is dirty, and that the way they’ve grabbed information qualifies as a breach of confidence, can empower a legal team to obtain injunctive court orders that prevent financial institutions from moving funds and oblige third parties to provide information. Once they become common, these developments can make criminals jittery about cashing out their crypto assets.

As a general trend, we’ll definitely see businesses becoming more aware of what data they and their suppliers and third parties have and where this data sits, as well as an overall shift from protecting networks and assets to a focus on data.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543