Getting the most out of cyber risk insurance

Garry Sidaway, SVP Security Strategy & Alliances at NTT Security

The number of insurers offering cyber security insurance policies via Lloyd’s of London has grown to around 70 today. But insurers often struggle to underwrite accurately and to evaluate the financial impact of cyber incidents, while organisations may find their attempts to recoup losses undone by small-print stipulations in complex policies.

For businesses, it’s vital to take a proactive, risk-based approach to security, one which incorporates cyber insurance rather than relying on it.

Changes

As organisations come to rely increasingly on cloud, mobile, IoT and other technologies to drive growth, they’re also expanding the corporate attack surface several times over. The result is financial and reputational damage on a growing scale, amplified by major new regulatory compliance requirements such as the GDPR and the NIS Directive.

Lloyd’s of London estimated that a major attack on one of the top three cloud service providers could lead to outages costing US firms alone $19bn, while another industry report predicted that a global ransomware attack could lead to losses of nearly $200bn.

It is no surprise that cyber insurance is increasingly popular. But it seems that many organisations are confused about what they are (and are not) covered for. Our own 2018 Risk:Value report revealed that just 38% of global firms have a dedicated cyber insurance policy, while nearly half (45%) in the UK admitted they didn’t even know whether their corporate insurance policy covers security breaches or data loss.

This kind of confusion is increasingly coming back to bite firms as they find policies not paying out after a major incident. For example, Mondelez is locked in a legal tussle with its provider Zurich over a pay-out related to 2017’s NotPetya ransomware worm, with the insurer relying on the policy’s exclusion for hostile or warlike action.

These disputes reflect problems on both sides. Insurance providers see a potentially huge market in cyber security. Yet in many ways it’s outside their traditional comfort zone, which is underwriting physical assets that get lost or damaged and people who fall ill. For those, actuarial data and extensive knowledge of the relevant risks make policies relatively easy to put together; cyber-related risk is far harder to define and understand. Harder still to evaluate in financial terms is the impact of damage to reputation and customer loyalty.

Questions to ask

The resulting ambiguity and complexity can lead to the kind of claimant-insurer disputes we’re seeing on an increasingly frequent basis. But part of the problem lies with the policyholders themselves. As an organisation you must provide as much information as possible up front on your risk profile, current IT security strategy, processes and controls. It might be, for example, that a particular policy will only pay out if the organisation has best-practice controls, or a tested incident response plan, in place.

There are plenty of questions you need to ask of your provider. Does the policy cover data held by third-party providers? Will it pay out if you haven’t patched all of your systems? What if the organisation suffers a breach caused by a security issue which predates the start of the policy but went undetected until after it began?

It usually follows that the more comprehensive your security strategy and processes, the lower the premiums and the better the coverage. This requires organisations to be proactive. Start with an annual risk assessment to understand your exposure and follow an internationally recognised risk management standard.

Focus on fixing all known vulnerabilities in line with your risk appetite, training employees regularly in security awareness, and putting in place continuous system monitoring, network security and malware protection. Tight access controls, home and remote working policies, and regularly tested incident response plans will also help, as will routine assessments of third-party risk.

It is important to remember that cyber insurance is not a “get out of jail free” card which absolves you from investing in cyber security. For a policy to be effective if the worst happens, you’ll need to have had well-documented, best-practice security processes and controls in place beforehand. No insurance covers you if you don’t take adequate steps to protect yourself.

According to Hiscox, just 11% of global organisations were rated as “experts” in terms of their cyber readiness. This needs to change, and it will as organisations’ approaches mature. But the industry as a whole also needs to get better at standardising the language of policies, and the methodologies for quantifying risk and calculating pay-outs.

The focus should be on maximising visibility into your own security processes, and on using insurance as a spur to drive up security standards inside the organisation, rather than treating it as a substitute for making improvements.
