Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

INSURING AGAINST THE CYBER RISK EFFECTIVELY

By Tony Russell, IT Consultant, Northdoor

Cyber security threats are increasing as quickly as businesses can implement measures against them with virtually every industry suffering a breach or targeted attack of some kind last year. There is now an overwhelming sense of not if, but when an organisation will be attacked.  This has created a boom in the cyber security market matched only by the intense efforts of cyber criminals to exploit the customer data and intellectual property that now resides on an organisation’s network.

INSURING AGAINST THE CYBER RISK EFFECTIVELY
INSURING AGAINST THE CYBER RISK EFFECTIVELY

Increasingly organisations are turning to cyber security insurance to help mitigate the risk of loss of data and brand.  The term cyber security insurance is a catch-all term for policies that cover hacked computers, virus attacks, denial-of-service attacks, copyright infringement, web content liability and other technology related areas.

Businesses are beginning to rank cyber-security risks as greater than natural disasters and other major business risks, and while only 31 percent of companies are insured against data breaches, a growing number of companies are exploring policies, according to the findings of a survey by Experian Data Breach Resolution and the Ponemon Institute.  Security exploits are greater than or equal to a natural disaster, business interruption, fire or other disaster, as stated by 76 per cent of respondents. However, on average, respondents say there is a nine per cent likelihood that their organisation will experience the predicted maximum financial impact during a data breach.

In the US, where companies are obliged to inform authorities of online attacks, the cyber insurance market is already highly developed and is valued at €960 million per year*.  Europe is still a long way off that but as the vulnerability window continues to increase, we will see companies here begin to play catch-up with the US.

At the moment, cyber liability insurance cover can include;

  • Data breach/privacy crisis management cover. For example, expenses related to the management of an incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance and regulatory fines.
  • Multimedia/Media liability cover. Third-party damages covered can include specific defacement of website and intellectual property rights infringement.
  • Extortion liability cover. Typically, losses due to a threat of extortion, professional fees related to dealing with the extortion.
  • Network security liability. Third-party damages as a result of denial of access, costs related to data on third-party suppliers and costs related to the theft of data on third-party systems.

2014 is going to be a pivotal year for the cyber insurance market in the UK.  Whilst this is positive because organisations are beginning to face up to the need to mitigate losses from cyber security incidents, it will create an enormous challenge for insurers who will find it very hard to accurately predict the probable maximum loss.

Even though cyber liability insurance has been around for 10 years or so, many insurers who have offered this have not sold a single policy, and in many cases may not have understood the risk that they were actually underwriting.   A key reason for this is the lack of available data for underwriting purposes.  In fact, many insurers fear a so-called “cyber hurricane” will overwhelm them before they build up sufficient reserves to cover possible future large losses.

At the end of the day the risks associated with cyber insurance are not that well understood. There is not a lot of historical information that insurance companies can call on to quantify their risk.   They are effectively underwriting the cyber risk blindfolded.

What’s needed is a process whereby insurers – and their customers – can sensibly understand and assess the risk.   Ideally this would include the creation of best practices and a clearer understanding of the kinds and amounts of loss that cyber incidents can cause.

 One obvious way to do this is for insurers to insist their customers undertake continuous assessments, audits and post-breach protection.  This will ensure they understand current trends in security threats but also identify vulnerabilities within their existing infrastructure.  With this knowledge in hand, insurers can more accurately identify the risk.   To serve this growing need, Northdoor recently acquired 24-Lockdown, a security and consultancy service specialising in the cyber risk arena.  This combination of Northdoor’s 25 years serving the London insurance market and 24-Lockdown’s experience in cyber risk means that insurers can access a unique insight into understanding, and tackling, this increasingly complex space.

When it comes to cyber security insurers have an ever-growing adversary on the other side – and this makes it hard for them to predict what they might be liable for.  Regular testing of cybersecurity defences is critical to ensure an organisation’s defences are as robust as they can possibly be.  And for insurers, understanding the nature of their client’s risk – and the robustness of their defences – is the only way they can be sure that they are accurately assessing the risk.