Garry Sidaway, SVP Security Strategy & Alliances, NTT Com Security
In the latest Global Threat Intelligence Report (GTIR), over three-quarters (77%) of global businesses remain unprepared and without a formal plan to respond to cybersecurity incidents. This is something of a shock, since prevention and planning go hand in hand, and we’ve already seen a number of major organisations this year suffer serious data breaches and struggle to manage the impact, both to their reputation and to their business.
While most organisations say it is ‘vital’ that they are insured against a possible security breach, according to our 2016 Risk:Value report, less than half are covered for both data breaches and data loss, and only a third globally (a quarter in the UK) see the need to take out a dedicated cyber insurance policy. Of those that do, many, unfortunately, fail to check the small print. Policies are taken out without sufficient research into what is available on the market and what they cover. The result can be problematic, and often invalidated, insurance.
Cyber insurance is a minefield of ambiguity and complexity. There are examples of insurers not paying out because of clauses in the small print or ambiguous policy interpretation. The problem is that cybercrime is a relatively new form of commercial risk, and insurers need clarity on the questions they should be asking about an insured party’s security before underwriting policies.
Plus, the companies looking to take out insurance often do not know enough about their own information security to answer the insurer’s questions accurately. Inaccurate information can void a policy, and we see claims denied because the information supplied was inaccurate.
While our own research shows that many organisations are aware that not complying with business policies or not having an incident response plan could invalidate their insurance, it’s still too easy for them to look for quick fix solutions rather than focus on building a solid information security and risk management strategy. Just because cyber liability insurance is now available, it is not an excuse to ignore basic security measures and carry on regardless.
Businesses need a different approach. Buy insurance, but ensure that you can demonstrate that you have put the right security controls in place, as well as appropriate internal and external processes and procedures, including a fully tested incident response plan – this way you know what is being insured. Worryingly, our 2016 Risk:Value report showed that only just over half (52%) of businesses say they have a full information security policy, while less than half have a disaster recovery plan.
Any business serious about insuring its vital assets should invest in implementing relevant protection measures that can be demonstrated to an insurer. This means assessing and reducing the risks, and taking appropriate and measurable steps to continuously monitor them. Only then can an insurance broker begin to understand the company’s risk exposure and create a policy tailored to the business.
It is worth remembering that cyber insurance is likely to provide only financial compensation, and even that is probably limited to specific areas, such as legal or remediation costs. It is far more difficult to insure against the intangible consequences, such as future revenue impact or brand equity, as these are much harder for an insurer to quantify.
It is almost impossible to put a price on the loss of customer trust or reputation. There is a strong relationship between security and trust – and it is very hard to put a financial value on that once it has been broken.
The following five steps will help organisations better prepare for taking out cyber insurance:
- Assessing your risk exposure – understand your risk exposure across all areas of the business, ensuring industry best practice is considered.
- Incident response planning – create a structured response plan that clearly articulates the approach, benefits and measures for risk reduction.
- Reducing your risk – if you can see yourself as an attacker sees you, you will be a step closer to protecting information assets, and you can demonstrate to your insurer that you have robust security measures in place.
- Managing your risk – if a company can proactively demonstrate that it is taking the right steps, it sends a clear signal to insurers that IT security is being taken seriously.
- Being proactive – organisations must be proactive in mitigating risk, demonstrating to insurers that information security and risk management are top of the agenda.