If your business works with an Insurance Broker, then chances are you’ve had a discussion about “Cyber Insurance”.
What is Cyber Insurance?
The past 10 years have seen massive changes in the way that companies communicate and do business. Many businesses have undergone some form of digital transformation which (should have) created improvements to their innovation, convenience and efficiency.
However, major incidents (such as the 2017 Ransomware attacks) have highlighted the digital security and privacy protection risks that come with such an increase in reliance on these new digital technologies.
While not a substitute for investing in cyber security and risk management, insurance coverage for cyber risk can make a significant contribution to the management of cyber risk by promoting awareness about exposure to cyber losses, sharing expertise on risk management, encouraging investment in risk reduction and facilitating the response to cyber incidents.
– OECD, Enhancing the Role of Insurance
The goal of cyber insurance is to transfer some of the risk of a security breach to insurance. The trouble with damage from cyber attacks is that the damage is often intangible (i.e. data vs. physical damage).
It’s important to make a distinction between what is preventable and what is beyond the control of the business.
Does Cyber Insurance simply encourage attacks?
Using Ransomware as an example of a cyber attack, victims can either pay the attacker a ransom or restore files from backup. With advice from law enforcement occasionally becoming a little confusing, insurance suddenly pops up and makes the whole process a little more official.
When covered by an insurance policy, the victim doesn’t seem to really care if they pay the ransom, as the money is simply reclaimed from the insurer. The recovery and cleanup costs might also be covered by the insurers, so aside from some business interruption, you’re fine!
But it’s hard to argue that this doesn’t encourage attacks to keep coming. $500 last time? With insurance policies advertising much bigger payouts, why not just up the ransom accordingly? What does the attacker have to lose?
But none of this is the insurers’ fault.
Cyber crime exists because it works
For as long as there are multiple gaps in an organisation’s security, cyber criminals will exist to try and exploit them. Right now the state of play is simple: there are so many gaping holes in so many businesses that it’s almost too easy.
These gaps include:
- Lack of training
- Lean IT & security staff
- Lack of Incident Response Plans
- Inadequate Layered Security
- Ineffective backup systems
and the list goes on. While individuals and organisations will naturally differ on some of the finer points, the overall picture ends up looking pretty much the same across the board.
“The majority of breaches worldwide occur at companies with 1,000 employees or less because they’re low-hanging fruit for hackers,” explained Ed McGuire, director of specialty insurance at FBinsure. “These companies have minimal IT staff and moderate budgets.”
When you assess these points as a whole, however, it’s hard not to think that Cyber Insurance is merely a natural response to filling gaps that should be filled with people, process and/or technology (otherwise known as a Cyber Resilience Policy).
Addressing the vulnerabilities
It’s true – the vast majority of all data breaches today are the result of human error. Let’s face it: not all employees are that great with computers. They might be able to use a computer to perform the specific tasks required for their job, but most are not trained well enough to be able to identify phishing emails.
So your first step should be to start training your staff in security practices. We’re all really good at safety training for physical harm – why not so for digital?
(Ping me if you want some uber-cool drink coasters for your staff)
Larger organisations might be able to afford the luxury of specialised and dedicated cyber security trainers, but can smaller businesses? There are some IT providers out there that have security baked into their IT packages, and there’s a bit to consider.
Training doesn’t solve everything – it’s all part of your layered defense strategy. There will always be clever and sophisticated attacks that get through your technological and human defense mechanisms. Your goal should be to make sure the obvious and plentiful threats are not getting through.
Layered Security Strategy
If you want to communicate with the world, you’re going to need to have some open channels. Given that – there’s no such thing as being 100% secure. It simply can’t exist as of right now.
But there are effective security strategies out there for organisations. They don’t have to break the budget (you could even DIY cyber security if you wanted to), they don’t have to be overly complex – you just have to realise that there are options out there in the first place!
Have you ever been so confused in a buying process that you ended up buying nothing at all? It’s pretty common with cyber security offerings.
Is prevention cheaper than insurance?
Some insurance policies might insist that you have certain technologies in place in order for a claim to be processed. It’s then arguable that perhaps you should save money on the insurance premium and focus your efforts on reducing your overall risk.
If the insurer doesn’t require a minimum level of cyber resilience in place, you’ve got to ask how seriously they are taking the threat. Are they unaware of the risks, or are they jamming their policy so full of exclusions that they know they’ll rarely have to pay out?
Are you insuring against the right threats?
Given all of this, you can understand why cyber insurance is a rapidly growing market. There certainly appears to be a market for cyber insurance if the scenarios are “just right”, meaning there’s a careful balance between having the right level of investment in your own internal security measures and insurance coverage for business interruption.
IT departments and outsourced IT security providers can’t protect you from all cyber attacks. Nothing can if you want to still communicate with the outside world.
An important distinction
Just because you have an IT department or outsourced IT provider doesn’t mean you’re safe. You can’t simply assume that they are doing everything possible. Is it their fault that they’re not recommending improvements when you haven’t created the right culture for that?
So much depends on the skills of your management team to understand that Cyber Risk is not an IT issue, it’s a business issue. So said PwC in 2015, but was anyone listening?
Will insurers actually pay out on a claim?
When do you think an insurer will check and test that you have adequate controls in place? That’s right: when a claim is made, not before offering insurance.
Cyber insurance is not General Insurance
It’s common for businesses to believe that they have coverage for cyber attacks under their general insurance policy.
Property, casualty and professional indemnity policies are carefully worded (check for policy updates if you’ve had the same coverage for a long time) to explicitly exclude data security breaches and other cyber attacks.
General liability policies will generally state that only injury/damage to “tangible” property is covered. It’s easier to put a price on a glass window than it is on a database that has grown from 1,000 to 1 million customer records in a year.
Where Cyber Insurance may have a place
The clean-up. And that clean-up process is made a great deal easier if you have an Incident Response Plan in place.
The following are some costs that may be associated with dealing with a cyber attack:
- Notifications: In Australia, if you experience a notifiable data breach you must report it to the OAIC
- Business interruption: if your business stops as a result of an attack then you’ll stop earning revenue but your operating costs are likely to continue
- Investigations: if it’s not immediately clear how the attack affects your business, or if it’s actually stopped, you may need to pay specialists to investigate
- Crisis management: your reputation will take a hit if you lose customer data or fail to deliver for clients due to an attack. You may have PR costs to consider
Conclusion: holding a cyber insurance policy
While having cyber insurance can be a great idea, it’s also important to adequately address the risk by implementing proper training, testing, and education. This should include a cyber risk strategy that reviews the value of the data, type of data, and exposure to the data.
Do you need cyber insurance? In time, yes, but your highest priority must be to ensure you have enough proactive and reactive measures in place to help minimize your risk exposure.
In the event that a cyber attack occurs and you need to make a claim, you will need to prove that you and your business did everything possible to prevent the attack in the first place.
Are you comfortable that you can prove that?