Garry Sidaway, SVP Security Strategy & Alliances at NTT Security
The number of insurers now offering cyber security insurance policies via Lloyds of London has grown to around 70 today. But insurers often struggle to accurately underwrite and evaluate the financial impact of cyber incidents, while organisations may find their attempts to recoup losses undone by small print stipulations in complex policies.
For business it’s vital to take a proactive, risk-based approach to security, which incorporates rather than relies on cyber insurance.
While organisations come to rely increasingly on cloud, mobile, IoT and other technologies to drive growth, they’re also expanding the corporate attack surface several times over. The result is financial and reputational damage on a growing scale, driven in part by major new regulatory compliance requirements like the GDPR and NIS Directive.
Lloyds of London estimated that a major attack on one of the top three cloud service providers could lead to outages costing US firms alone $19bn, while another industry report predicted that a global ransomware attack could lead to losses of nearly $200bn.
It is no surprise that cyber insurance is increasingly popular. But it seems that many organisations are confused about what they are (and are not) covered for. Our own 2018 Risk:Value report revealed that just 38% of global firms have a dedicated cyber insurance policy, while nearly half (45%) in the UK admitted they didn’t even know if their corporate insurance policy covers security breaches or data loss.
This kind of confusion is increasingly coming back to bite firms as they find policies not paying out after a major incident. For example, Mondelez is locked in a legal tussle with its provider Zurich over a pay-out related to 2017’s NotPetya ransomware worm.
These disputes are a reflection of problems on both sides. Insurance providers see a potentially huge market in cybersecurity. Yet in many ways it’s out of their traditional comfort zone, which is underwriting physical things that get lost, damaged or ill. While they’re able to put together policies quite easily for these, using actuarial data and extensive knowledge of relevant risks, it’s harder for them to define and understand cyber-related risk. Even more difficult to evaluate in financial terms is the impact of damage to reputation and customer loyalty.
Questions to ask
The resulting ambiguity and complexity can lead to the kind of claimant-insurer disputes we’re seeing on an increasingly frequent basis. But part of the problem lies with the policyholders themselves. As an organisation you must provide as much information as possible up front on your risk profile, current IT security strategy, processes and controls. It might be, for example, that a particular policy will only pay out if the organisation has best practice controls, or an incident response plan, in place.
There are plenty of questions you need to ask of your provider. Does the policy cover data held by third-party providers? Will it pay out even if you haven’t patched all of your systems? How about if the organisation suffers a breach caused by a security issue which predates the start of the policy, but was undetected?
It usually follows that the more comprehensive your security strategy and processes, the lower the premiums and the better the coverage. This requires organisations to be proactive. Start with an annual risk assessment to understand your exposure and follow an internationally recognised risk management standard.
Focus on fixing all known vulnerabilities in line with your risk appetite, training employees regularly in security awareness, and putting in place continuous system monitoring, network security and malware protection. Tight access controls and home/remote working policies and regularly tested incident response plans will also help, as will routine assessments of third-party risk.
It is important to remember that cyber insurance is not a “get out of jail free” card which absolves you from investing in cybersecurity. For a policy to be effective if the worst happens, you’ll need to have had in place well documented, best practice security processes and controls. No insurance covers you if you don’t take adequate steps to protect yourself.
According to Hiscox, just 11% of global organisations were certified as “experts” in terms of their cyber readiness. This needs to change, and it will as organisations’ approaches mature. But the industry as a whole also needs to get better at standardising language for policies, and methodologies for quantifying risk and calculating pay-outs.
The focus should be on maximising visibility into your own security processes, and using insurance as a spur to drive up security standards inside the organisation, rather than treating it as a substitute for making improvements.