by Bharat Mistry
Cyber security insurance has been offered in some form or another for years. But with Lloyd’s of London recently claiming a 50% increase in demand, UK firms finally seem to be waking up to the benefits. On paper, it can provide much needed financial security in the event of a major data breach, DDoS attack or other cyber incident. But in the fast-moving world of online threats, corporate insurance policies can only go so far.
IT leaders must come to view cyber insurance as complementary to, rather than a replacement for, a comprehensive information security programme.
After a year of high profile data breaches and cyber incidents, it’s not surprising take up is quickening. Some 81% of large organisations suffered a data breach last year, with the average cost of each almost doubling from up to £850,000 to up to £1.15 million, according to the 2014 Information Security Breaches Survey. Attacks are getting more sophisticated and targeted, exploiting security gaps and underinvestment in cloud, mobile and advanced threat protection.
So the chances of being hit by an attack are greater than ever. And so are the risks emanating from data loss or damage to systems. Fines for regulatory non-compliance, damage to reputation and brand, and loss of shareholder and customer confidence are all a real and present danger.
Cyber insurance can help organisations two-fold. On the one hand it works to “cover their backs”, offering financial security in the event of a successful cyber attack. And on the other, it forces firms to improve their information security in the process, in order to qualify for specific policies and reduce premiums.
The challenge with insurance
But it’s not all plain sailing. A study of its members by global not-for-profit security group the Corporate Executive Programme (CEP) in January found that the fast-moving nature of technology raises several problems:
“There is a real challenge involved in objectively identifying companies’ needs in relation to insurance and what constitutes an effective dedicated cyber insurance product in specific circumstances. How much cover is needed, what areas of activity and risk do and should qualify for insurance, who should determine purchase and what does the ideal product look like? These are all questions that need to be answered.”
The head of Lloyd’s largest insurer, Catlin Group, even said recently that cyber security represents such a massive, systemic risk that losses are too big for the industry to cover and national governments need to step in.
Another issue raised by the CEP report is why none of the organisations surveyed involved their CISOs in cyber insurance purchasing decisions. CISOs would be best equipped to ensure that if a policy covers certain aspects of risk, then they spend any extra security budget to make up shortfalls elsewhere rather than overspend on the same risk area.
A checklist for CISOs
With the coming EU Network and Information Security (NIS) Directive and the European General Data Protection Regulation, there’ll be no place to hide for organisations with poor cyber security strategies. This is likely to spur an even greater upsurge in demand for cyber insurance.
But if you want to do it right, consider the following:
- Ensure you have systems in place to evaluate risk effectively, and feed this into the decision on which policy to choose
- Read up around cyber insurance and try to force the business to include you in the purchasing decision as a trusted advisor
- Don’t approach insurance with a tick box mentality. It’ll only work as part of a comprehensive, multi-layered information security programme
- Investigate which security technologies, such as advanced targeted attack protection, could lower the cost of premiums
- Think clearly what you need insurance for- categories of risk include for example reputation, loss of PII, cyber crime, physical damage and IP breaches
- Share threat information with insurers. It’s the only way the industry will eventually gain a better understanding of risk versus cost
- If you’re an SME, get certified with the Cyber Essentials scheme. The government recently recommended insurers use it as part of their risk assessments