Whether it be from hackers, careless employees, malicious insiders or ransomware (pick your own threat list) – organisations are under increasing risk of cyber attack. And, wherever there is a risk – there’s the option of insurance.
Cyber insurance, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), has been around for over a decade. Now, as cyber threats grow, cyber insurance looks set to join other business insurance policies in the risk management toolkit. But, can it really adequately compensate against the consequences of an attack?
Why have it?
Cyber insurance is designed to support and financially protect an organisation if it experiences a data breach or is the subject of an attack by a malicious hacker. The business case is compelling – no matter how good you think your cyber defences are, an attack (with a hefty price tag) could happen to you.
A UK Government survey estimated that in 2014 81% of large corporations and 60% of small businesses suffered a cyber breach. The average cost of a breach was £65K – £115K for SMEs and £600K – £1.15M for large businesses. In 2015 the Ponemon Institute estimated the average UK cost had risen to £4.1M. And then there are the high profile attacks – such as TalkTalk last year, estimated to have cost the company around £60M.
Cyber criminals are interested in any organisation that stores and maintains customer or personal information, collects online payments or simply has a website. That’s virtually every business – big and small. When you factor in the multitude of devices that now connect to business networks – the risks are very real. Consider the consequences – business interruption, income loss and particularly reputational damage – plus any legal or regulatory costs.
What does it cover?
There are a number of cyber insurance providers and, as with all business insurance, cover will vary. Cyber insurance risks fall into two categories – first party and third party risks. Products exist to cover either or both of these types of risk.
First-party insurance covers an organisation’s assets and may include:
- Damage to (or loss of) digital assets such as software or data.
- Business interruption caused by network downtime.
- Cyber extortion – for example, a third-party threat to damage or release data unless money is paid. Ransomware is the most common form of this and it is growing at an alarming rate. See Ascentor’s article on protecting against ransomware for SMEs.
- Customer notification expenses – there may be a legal or regulatory requirement to notify them of a security or privacy breach.
- Reputational damage from a data breach that results in loss of intellectual property or customers (but, as we discuss below – can this ever be measured?)
- Theft of money or digital assets – whether through theft of equipment or electronic theft.
Third-party insurance covers the assets of others, typically the customers of a business and may include:
- Security and privacy breaches. For example, expenses related to the management of an incident and its investigation and remediation.
- Multimedia/Media liability cover. Third-party damages covered can include specific defacement of a website and intellectual property rights infringement.
- Loss of third party data. For example, payment of compensation to customers for denial of access, and failure of software or systems.
What doesn’t it cover?
While cyber insurance will indemnify the organisation against many of the above and make the recovery process easier, the real and long-term cost of reputational damage is almost impossible to value. The fact that some policies include support for crisis containment and public relations shows what an Achilles heel reputational damage can be.
Once a cyber attack has happened, and perhaps especially in a case where existing measures were seen to be poor, how long will it take for customer confidence and trust to be repaired? How do you value a lost customer over time and indeed put a price on the customers you might have had – or the contracts you might have won?
It is also difficult to put an accurate value on the damage to future revenue from intellectual property loss. And what if your cyber attack is found to have come from a nation state? The insurance industry is debating whether state-sponsored cyber attacks, where they can be identified as such, are covered by cyber security insurance policies.
Finally, always check the policy exclusions, terms and definitions. All policies have these and you should be aware of the ‘small print’ to avoid the risk of discovering you don’t have the cover you thought you had. For example, is there a limit on the amount of time it takes to be aware of and report the attack – some malware can be present months or even years before it’s discovered.
Buying cyber insurance
Just as you have an idea of the assets you’d want covered in other forms of insurance – the same applies with cyber insurance. So, before you buy, a good first step is to create a cyber risk profile for your organisation and a list of expenses you want to have covered in the event of an incident.
Selecting the right cyber insurance policy for your organisation is a very complex exercise, which is why a specialist broker may be helpful, as they are likely to know the products that suit your needs. You can find brokers specialising in cyber insurance through the British Insurance Brokers’ Association (BIBA).
But isn’t prevention better than a cure?
Cyber security insurance is a part of the risk management toolkit but, just as you’d have home insurance in place – you’d still not want an incident. The same applies to your cyber resilience. Buy the insurance if you consider it a prudent investment – but don’t forget to keep the front door locked.
So, as well as putting adequate insurance in place, it is important to manage your own cyber risks. Fortunately, basic measures can defeat the majority of basic attacks and there are a number of ways that you can achieve better cyber resilience.
Get Cyber Essentials – a basic cyber security hygiene standard to help organisations protect themselves against common cyber attacks. Cyber Essentials certification is a good first step in becoming cyber resilient. Ascentor’s guide to Cyber Essentials will show you the steps to certification.
Adhere to GCHQ’s 10 Steps to Cyber Security – originally published in 2012 and now used by around two thirds of the FTSE 350.
Spring clean your cyber security – this article from Ascentor contains 5 basic security measures that can help prevent most basic cyber attacks.
IA Inside – a process from Ascentor to help buyers and suppliers make cyber security holistic, integrated and effective throughout the project lifecycle.
Cyber insurance is a valuable part of your risk management strategy, particularly in relation to the financial costs of any cyber attack and its immediate aftermath. But, it’s a complex area and you need to be clear on what you want cover for – and also make sure you scrutinise the exceptions so that you don’t get a nasty surprise in the event of any claim.
As risk management and cyber security specialists, we believe that much can be done to put your cyber security house in order so that you stand a better chance of not having to claim. With the long term impact of reputation damage impossible to measure, isn’t it better to be cyber resilient than picking up the pieces, even if you are insured?
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter.
If you’d like to discuss how our consultants could advise on any aspect of IA and cyber security, please contact Dave James at Ascentor.
Email: [email protected]
Office: 01452 881712