CBROnline’s April Slattery on some of the key reasons cyber insurance is worth a closer look, as cyber risk grows.
The average hack cost businesses £857,000 in 2017, according to PwC’s Global State of Information Security Survey 2018.
It is clear that the problem of cyber security is not going away.
And with our recent report showing the extent of sensitive personal and commercial data leaking online, preparation is vital.
Cyber insurance may seem to some like shutting the stable door after the horse has bolted, but here are five good reasons it is crucial.
1 – It Can Cover Financial Losses
“A good cyber insurance policy should address business losses from the many impacts of a cyber breach, including data loss, business interruption and reputational damage,” Luke Brown, VP EMEA at WinMagic, told Computer Business Review. He added: “[However] organisations should be working to minimise both the chances of a breach and the impact should a breach occur.”
It’s a point echoed by Andrew Lloyd, President at Corero Network Security, who told Computer Business Review: “Just like buying fire insurance is not an alternative to investing in smoke alarms or fire extinguishers, cyber insurance should not be an alternative to having adequate, proactive cyber defences. From our perspective, cyber insurance is very much a complementary, secondary investment if all else fails.”
2 – It Can Support Cyber Risk Awareness
With a significant number of businesses lacking cyber security awareness, cyber insurance is a perfect foundation for building up these missing skills – not least if companies know that poor practice will invalidate their insurance.
“[Cyber] insurance will push organisations to have baseline security controls in place,” Javvad Malik, security advocate at AlienVault, told Computer Business Review.
He added: “This would include fundamental security practices such as understanding what critical assets are, enforcing strong passwords, two-factor authentication, encryption, as well as having threat detection and response controls in place. What is needed is an end-to-end data protection platform that works across all infrastructures. More importantly it must also encrypt the data, and ensure it stays encrypted until it’s needed. If a cyber-criminal does manage to get encrypted data but not the key used to encrypt it, the data is useless.”
3 – It’s Not Just for the Blue Chips
Cyber insurance is seen by some as a luxury for major players. Yet almost half (48 percent) of SMEs were hit by cyberattacks last year.
“In addition to adequate protection, cyber insurance has become a compelling solution that can allow small businesses to help defend against these threats. Organisations could be eligible for the reimbursement of costs related to a data breach, loss of income due to a targeted hacking attack, damage repair to systems, or ransom requests,” Nick Shaw, EMEA VP and GM at Norton, Symantec, told Computer Business Review.
4 – Did Someone Say GDPR?
As GDPR fast approaches, organisations must be much more vigilant around data protection as the financial implications could prove hefty.
“There is a clear and greatly accelerated increase in requirements around data governance – the upcoming GDPR is a prime example. Companies must deploy strong protection and detection capabilities and be able to prove they did what they could to protect themselves and their systems and their customers’/employees’/patients’ data,” Luke Brown, VP EMEA at WinMagic, told Computer Business Review.
“The impact of a cyber-attack to an organisation’s brand, reputation, and business operations can be irreparable. It’s therefore important to plan ahead and have a plan should the worst arrive. Proactive protection steps are key for SMEs who can be considered softer or easier targets of cyber attackers,” Shaw added.
5 – Yes, There Are Still Problems…
Looking ahead, Adrian Moir, Senior Consultant, Product Management at Quest noted that there remain challenges for the industry.
“The industry chatter on the need for cyber insurance is taking off, and in six months’ time, I believe we’ll either see cyber insurance take off like wildfire or completely fall flat given the difficulty in quantifying a breach’s impact. Companies will have to employ tried and true breach mitigation strategies like monitoring entire cyber environments and patching security flaws in addition to educating users,” he emphasised.
It is an outlook that is increasingly seeing insurance and cyber security companies work closely together, however.
January’s agreement between Apple, Cisco, Aon and Allianz was a case in point. This comprised a new cyber risk management solution that spanned cyber resilience evaluation services from Aon, secure technology from Cisco and Apple, and options for enhanced cyber insurance coverage from Allianz. Those signing up potentially qualify for lower, or even no, deductibles in certain cases.
Computer Business Review expects to see many more such agreements.
Just make sure to read the small print.