Insuring Against the Cyber Risk Effectively

By Tony Russell, IT Consultant, Northdoor

Cyber security threats are increasing as quickly as businesses can implement measures against them with virtually every industry suffering a breach or targeted attack of some kind last year. There is now an overwhelming sense of not if, but when an organisation will be attacked.  This has created a boom in the cyber security market matched only by the intense efforts of cyber criminals to exploit the customer data and intellectual property that now resides on an organisation’s network.

INSURING AGAINST THE CYBER RISK EFFECTIVELY

Increasingly organisations are turning to cyber security insurance to help mitigate the risk of loss of data and brand.  The term cyber security insurance is a catch-all term for policies that cover hacked computers, virus attacks, denial-of-service attacks, copyright infringement, web content liability and other technology related areas.

Businesses are beginning to rank cyber-security risks as greater than natural disasters and other major business risks, and while only 31 percent of companies are insured against data breaches, a growing number of companies are exploring policies, according to the findings of a survey by Experian Data Breach Resolution and the Ponemon Institute.  Security exploits are greater than or equal to a natural disaster, business interruption, fire or other disaster, as stated by 76 per cent of respondents. However, on average, respondents say there is a nine per cent likelihood that their organisation will experience the predicted maximum financial impact during a data breach.

In the US, where companies are obliged to inform authorities of online attacks, the cyber insurance market is already highly developed and is valued at €960 million per year*.  Europe is still a long way off that but as the vulnerability window continues to increase, we will see companies here begin to play catch-up with the US.

At the moment, cyber liability insurance cover can include;

• Data breach/privacy crisis management cover. For example, expenses related to the management of an incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance and regulatory fines.
• Multimedia/Media liability cover. Third-party damages covered can include specific defacement of website and intellectual property rights infringement.
• Extortion liability cover. Typically, losses due to a threat of extortion, professional fees related to dealing with the extortion.
• Network security liability. Third-party damages as a result of denial of access, costs related to data on third-party suppliers and costs related to the theft of data on third-party systems.

2014 is going to be a pivotal year for the cyber insurance market in the UK.  Whilst this is positive because organisations are beginning to face up to the need to mitigate losses from cyber security incidents, it will create an enormous challenge for insurers who will find it very hard to accurately predict the probable maximum loss.

Even though cyber liability insurance has been around for 10 years or so, many insurers who have offered this have not sold a single policy, and in many cases may not have understood the risk that they were actually underwriting.   A key reason for this is the lack of available data for underwriting purposes.  In fact, many insurers fear a so-called “cyber hurricane” will overwhelm them before they build up sufficient reserves to cover possible future large losses.

At the end of the day the risks associated with cyber insurance are not that well understood. There is not a lot of historical information that insurance companies can call on to quantify their risk.   They are effectively underwriting the cyber risk blindfolded.

What’s needed is a process whereby insurers – and their customers – can sensibly understand and assess the risk.   Ideally this would include the creation of best practices and a clearer understanding of the kinds and amounts of loss that cyber incidents can cause.

 One obvious way to do this is for insurers to insist their customers undertake continuous assessments, audits and post-breach protection.  This will ensure they understand current trends in security threats but also identify vulnerabilities within their existing infrastructure.  With this knowledge in hand, insurers can more accurately identify the risk.   To serve this growing need, Northdoor recently acquired 24-Lockdown, a security and consultancy service specialising in the cyber risk arena.  This combination of Northdoor’s 25 years serving the London insurance market and 24-Lockdown’s experience in cyber risk means that insurers can access a unique insight into understanding, and tackling, this increasingly complex space.

When it comes to cyber security insurers have an ever-growing adversary on the other side – and this makes it hard for them to predict what they might be liable for.  Regular testing of cybersecurity defences is critical to ensure an organisation’s defences are as robust as they can possibly be.  And for insurers, understanding the nature of their client’s risk – and the robustness of their defences – is the only way they can be sure that they are accurately assessing the risk.

By Tony Russell, IT Consultant, Northdoor

Cyber security threats are increasing as quickly as businesses can implement measures against them with virtually every industry suffering a breach or targeted attack of some kind last year. There is now an overwhelming sense of not if, but when an organisation will be attacked.  This has created a boom in the cyber security market matched only by the intense efforts of cyber criminals to exploit the customer data and intellectual property that now resides on an organisation’s network.

INSURING AGAINST THE CYBER RISK EFFECTIVELY

Increasingly organisations are turning to cyber security insurance to help mitigate the risk of loss of data and brand.  The term cyber security insurance is a catch-all term for policies that cover hacked computers, virus attacks, denial-of-service attacks, copyright infringement, web content liability and other technology related areas.

Businesses are beginning to rank cyber-security risks as greater than natural disasters and other major business risks, and while only 31 percent of companies are insured against data breaches, a growing number of companies are exploring policies, according to the findings of a survey by Experian Data Breach Resolution and the Ponemon Institute.  Security exploits are greater than or equal to a natural disaster, business interruption, fire or other disaster, as stated by 76 per cent of respondents. However, on average, respondents say there is a nine per cent likelihood that their organisation will experience the predicted maximum financial impact during a data breach.

In the US, where companies are obliged to inform authorities of online attacks, the cyber insurance market is already highly developed and is valued at €960 million per year*.  Europe is still a long way off that but as the vulnerability window continues to increase, we will see companies here begin to play catch-up with the US.

At the moment, cyber liability insurance cover can include;

• Data breach/privacy crisis management cover. For example, expenses related to the management of an incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance and regulatory fines.
• Multimedia/Media liability cover. Third-party damages covered can include specific defacement of website and intellectual property rights infringement.
• Extortion liability cover. Typically, losses due to a threat of extortion, professional fees related to dealing with the extortion.
• Network security liability. Third-party damages as a result of denial of access, costs related to data on third-party suppliers and costs related to the theft of data on third-party systems.

2014 is going to be a pivotal year for the cyber insurance market in the UK.  Whilst this is positive because organisations are beginning to face up to the need to mitigate losses from cyber security incidents, it will create an enormous challenge for insurers who will find it very hard to accurately predict the probable maximum loss.

Even though cyber liability insurance has been around for 10 years or so, many insurers who have offered this have not sold a single policy, and in many cases may not have understood the risk that they were actually underwriting.   A key reason for this is the lack of available data for underwriting purposes.  In fact, many insurers fear a so-called “cyber hurricane” will overwhelm them before they build up sufficient reserves to cover possible future large losses.

At the end of the day the risks associated with cyber insurance are not that well understood. There is not a lot of historical information that insurance companies can call on to quantify their risk.   They are effectively underwriting the cyber risk blindfolded.

What’s needed is a process whereby insurers – and their customers – can sensibly understand and assess the risk.   Ideally this would include the creation of best practices and a clearer understanding of the kinds and amounts of loss that cyber incidents can cause.

 One obvious way to do this is for insurers to insist their customers undertake continuous assessments, audits and post-breach protection.  This will ensure they understand current trends in security threats but also identify vulnerabilities within their existing infrastructure.  With this knowledge in hand, insurers can more accurately identify the risk.   To serve this growing need, Northdoor recently acquired 24-Lockdown, a security and consultancy service specialising in the cyber risk arena.  This combination of Northdoor’s 25 years serving the London insurance market and 24-Lockdown’s experience in cyber risk means that insurers can access a unique insight into understanding, and tackling, this increasingly complex space.

When it comes to cyber security insurers have an ever-growing adversary on the other side – and this makes it hard for them to predict what they might be liable for.  Regular testing of cybersecurity defences is critical to ensure an organisation’s defences are as robust as they can possibly be.  And for insurers, understanding the nature of their client’s risk – and the robustness of their defences – is the only way they can be sure that they are accurately assessing the risk.