Garry Sidaway, SVP Security Strategy & Alliances at NTT Security
Cybersecurity insurance has risen in just a few years from something of a fringe industry to one set to be worth $14 billion globally by 2022. The number of new insurers offering cyber policies via Lloyd's of London has grown to around 70 today. Yet in many ways the sector is still in its infancy. Insurers often struggle to accurately underwrite and evaluate the financial impact of cyber incidents, while organisations may find their attempts to recoup losses undone by small-print stipulations in complex policies.
To ensure your business doesn’t suffer the double blow of a major incident which turns out not to be covered, it’s vital to take a proactive, risk-based approach to security which incorporates rather than relies on cyber insurance.
Risk is everywhere
Digital transformation is helping organisations around the world become more efficient and get closer to their customers with agility and innovation. Yet as they come to rely increasingly on cloud, mobile, IoT and other technologies to drive growth, they're simultaneously expanding the corporate attack surface many times over. The result is financial and reputational damage on a growing scale, driven in part by major new regulatory compliance requirements like GDPR and the NIS Directive.
Lloyd's of London claimed in 2017 that a major global cyber-attack could lead to losses of as much as $121bn, double that of Superstorm Sandy. A year later it estimated that a major attack on one of the top three cloud service providers could lead to outages costing US firms alone $19bn. Then earlier this year, another industry report predicted some fearsome figures: this time estimating that a global ransomware attack could lead to losses of nearly $200bn.
Against this backdrop it’s no surprise that cyber insurance is becoming more popular. One 2018 report claimed that 90% of UK firms have some form of insurance in place to cover cyber losses. Yet take-up is patchy across the globe and many organisations are confused about what they are covered for. NTT Security’s 2018 Risk:Value report revealed that just 38% of global firms have a dedicated cyber insurance policy. What’s more, nearly half (45%) of UK respondents admitted they didn’t even know if their corporate insurance policy covers security breaches or data loss.
This kind of confusion is increasingly coming back to bite firms as they find policies not paying out after a major incident. Virginia-based First National Bank of Blacksburg sued its insurer last year for just this reason, while Cadbury's owner Mondelez is locked in a legal tussle with its provider Zurich over a pay-out related to 2017's NotPetya ransomware worm.
An industry matures
These disputes are a reflection of problems on both sides. Insurance providers see a potentially huge market in cybersecurity. Yet in many ways it’s out of their traditional comfort zone, which is underwriting physical things that get lost, damaged or ill — like cars, houses and pets. While they’re able to put together policies quite easily for these, using actuarial data and extensive knowledge of relevant risks, it’s harder for them to define and understand cyber-related risk. Even more difficult to evaluate in financial terms is the impact of damage to reputation and customer loyalty.
The resulting ambiguity and complexity can lead to the kind of claimant-insurer disputes we're seeing on an increasingly frequent basis. But part of the problem lies with the policyholders themselves. As an organisation you must provide as much information as possible up front on your risk profile, current IT security strategy, processes and controls. It might be, for example, that a particular policy will only pay out if the organisation has a best-practice, certified incident response plan in place.
Time to get proactive
There are plenty of other questions you need to ask of your provider. Does the policy cover data held by third-party providers? Will it pay out even if you haven’t patched all of your systems? How about if the organisation suffers a breach caused by a security issue which predates the start of the policy, but was undetected?
It usually follows that the more comprehensive your security strategy and processes, the lower the premiums and the better the coverage. This requires organisations to be proactive. Start with an annual risk assessment to understand your exposure and follow an internationally recognised risk management standard. Focus on fixing all known vulnerabilities in line with your risk appetite, training employees regularly in security awareness, and putting in place continuous system monitoring, network security and malware protection. Tight access controls and home/remote working policies and regularly tested incident response plans will also help, as will routine assessments of third-party risk.
Most importantly, it's crucial to remember that cyber insurance is not a "get out of jail free" card which absolves you from investing in cybersecurity. Quite the opposite: for a policy to be effective if the worst happens, you'll need to have had in place well-documented, best-practice security processes and controls. No insurance covers you if you don't take adequate steps to protect yourself.
It's still early days, for both sides. According to Hiscox, just 11% of global organisations were certified as "experts" in terms of their cyber readiness. This needs to change, and it will as organisations' approaches mature. But the industry as a whole also needs to get better at standardising language for policies, and methodologies for quantifying risk and calculating pay-outs.
But for now, the focus should be on maximising visibility into your own security processes, and using insurance as a spur to drive up security standards inside the organisation, rather than treating it as a substitute for making improvements.