Cyber insurance may be ‘vital’ but not a replacement for robust security
Garry Sidaway, SVP Security Strategy and Alliances, NTT Security
Cyber attacks are becoming increasingly significant as companies expand into new markets and territories, representing $294bn Total GDP@Risk, according to the Lloyd’s City Risk Index 2015-2025 (which highlights the economic exposure of 301 leading cities across the world to 18 threats). As a result, businesses are increasingly evaluating the relevance and importance of taking out cybersecurity insurance.
Unfortunately, it’s a fact today that the majority of organisations globally expect to suffer a cybersecurity attack at some stage. This is according to the latest figures from the NTT Security 2016 Risk:Value report. Businesses are not only at risk from a data breach; they also estimate that a breach would cost them upwards of £1.2 million on average to recover from.
As more organisations wake up to the fact that data breaches are increasingly likely in today’s climate, it seems that the importance of insuring against attacks is also starting to move up the corporate agenda.
According to the Risk:Value report, the majority of global organisations say it is ‘vital’ that they are insured against a possible security breach. However, fewer than half are fully covered for both data breaches and data loss, and only a third currently see the need to take out cyber insurance.
Cyber liability insurance is a relatively new form of commercial risk, so it’s understandable why many organisations have not yet looked at it. However, it is also a minefield of ambiguity. Insurance policies can be ambiguous and complex anyway, but add in the nuances of cybersecurity, and it’s an opportunity for misinformation and misunderstanding.
There are already examples of insurers failing to pay out due to details in the small print and unclear policy interpretation. To insure a company against security breaches leaves a lot open to interpretation and insurers are not yet fully qualified to ask the right questions about often quite complex or technical issues before underwriting a policy.
More worryingly, organisations that do take out insurance often do not know enough about their own security to accurately answer questions from the insurer. Inaccurate information can void a policy and this is where we begin to see claims denied because the information supplied has proven to be inaccurate.
In addition, businesses are not really sure what it should cover and what it shouldn’t. From our report it’s clear that there’s a lot of uncertainty. Fewer than half of those respondents whose organisations have company insurance that covers a security data loss or a breach expect it to cover legal costs, for example, something you might expect to be essential given the severity of losing potentially confidential customer information.
Even fewer expect it to cover things like regulatory fines, something that’s becoming increasingly important with new industry compliance and regulation coming into force, and remediation fines. Cover for loss of business and loss of intellectual property is even less expected, cited by just 25% of respondents.
What’s more worrying is that when it comes to insurance validity, half of the people in the report cite lack of compliance with necessary security criteria as potentially invalidating their insurance. Just under half cite non-compliance with business policies and lack of an incident response plan as problems.
While many organisations see these as concerns in terms of invalidating insurance policies, it points to a much wider problem.
It is all too easy to look for quick fix solutions rather than focus on creating an environment built on the core principles of prevention rather than cure and building a solid information security and risk management strategy.
Having insurance to cover for security breaches and data losses is certainly an area that organisations should be addressing; however, it is not an excuse to ignore basic security measures. Purchase insurance, but as a business you have to be able to demonstrate that you have put the right security controls and processes in place.
For many businesses this means putting the basics in place. An organisation serious about insuring its vital assets must implement relevant protection measures that can be demonstrated to an insurer. This means not only assessing and reducing the risks and taking measurable steps to monitor these risks, but also being able to respond to breaches should they occur.
The first step for any organisation looking to insure against potential threats is to fully understand its risk exposure across all areas of the business, ensuring industry best practice is considered. If skills are not available in-house, take expert advice and consider a comprehensive evaluation of the business, which will highlight areas of risk, make recommendations, prioritise actions and build a strategic roadmap for continuous risk management.
Next is incident response planning, a basic security measure still being ignored by many businesses. The Risk:Value report showed that only 52% admit to having a full information security policy, while less than half have a recovery plan. Build a structured response plan that clearly articulates the approach, benefits and measures for risk reduction. Part of the plan should include the use of a specialist incident response team. Remember to regularly test the plan and improve it to reduce the risk of future incidents, as well as the business impact/cost.
Part of this relies on organisations raising awareness through education and training among employees. As one of the greatest risks within any organisation, staff must be made aware of appropriate and relevant security processes and procedures, and of their role in safeguarding the business. This clearly demonstrates to an insurance broker that the organisation has taken its security seriously and has put in place many of the key basic measures.
The frequency and speed of cyber attacks are growing. General liability insurance has been proven to be insufficient to cover them, yet the impact on an organisation can be huge. This is a risk a business cannot ignore. Organisations must do everything possible to understand their risks and take appropriate steps to mitigate them, demonstrating to insurers that security and risk management are top of the agenda. In turn, the insurer can better understand an organisation’s risk exposure and create a policy tailored to that particular business.