By Scott Cutler, Director UK&I Sales at Fortinet.
For almost as long as businesses have been subject to risk, some form of insurance has existed to mitigate their exposure. The first recorded commercial insurance policies date back to Babylonian times, and in the thousands of years since, the types of business cover available have multiplied exponentially, driven by the uptake of technology.
It’s now over 20 years since the first cybersecurity policy was written. At the time, this was considered groundbreaking – although by modern standards, its scope was limited. These days, cyber insurance providers cast a far wider net. By 2025, it’s expected the global market size will grow to over $23 billion. Some policies cover the costs arising from first-party data breaches, while others cover liability for damages, providing assurance for companies who collect and store sensitive customer information. Professional Liability, meanwhile, protects businesses that sell technology services against negligence claims.
While the cybersecurity insurance market is getting more complicated by the year, the risk of cyber breaches is still growing. To get a grip on it, some forward-thinking businesses are looking at digital audits to ensure that the insurance they take out will cover what they need it to. Others are working with vendors to get the right overall cybersecurity insurance policy for their business. Either way, the policy itself remains central.
Putting a figure on protection
Cybersecurity policies are unusual in that they are both difficult to price and hard to evaluate: it can be difficult to see exactly what they will provide in the event of a security incident. For one thing, it’s tough to put a figure on this sort of risk, especially since there’s very little actuarial evidence available on which to base policy decisions. Accordingly, there’s no ‘standard’, and businesses may find the quotes they receive off-puttingly high.
Risk is also ever-changing. In an environment where new threats emerge on a daily basis, many businesses struggle to understand exactly what digital protection they need. What worked last year may no longer be relevant, making the potential benefit of cyber insurance unclear. Given how hard it is to establish the right level of cover in the first place, some even wonder if cyber insurance is akin to PPI, which was mis-sold to millions of people during the 1990s and early 2000s to cover mortgages, loans and credit cards.
Businesses are also rightly concerned about reputational risk. While you might be able to attach a numerical value to the income lost during a systems outage, reputational damage can’t be smoothed over with a lump-sum pay-out – especially since it’s impossible to predict exactly how much business you’ll lose as the result of a breach. As a result, some may avoid the hassle and cost of a cybersecurity policy altogether.
The concern is understandable. However, the risk is that businesses may end up with cover that doesn’t fit their requirements, or no cover at all. This is problematic because, despite its complications, cybersecurity insurance is an important and valuable part of an organisation’s cybersecurity readiness, particularly for sectors like financial services, where the data held by businesses is extremely sensitive.
For example, although it can’t rescue a company’s reputation, insurance can at least partially provide the funds to remediate a situation, whether that’s setting up hotlines to help customers, providing financial compensation, or covering a period of business outage.
For larger enterprises, there may be a need to engage legal advisers, communication specialists, and first responders – all of which could be funded by an advanced cyber insurance policy. And – as an unexpected side effect – the process of securing insurance can even help businesses to identify gaps in their current cybersecurity set-up, as well as training gaps in their frontline cybersecurity staff.
Threat analysis: the audit advantage
While the ostensible benefit of insurance is financial cover, the act of arranging it can help businesses to protect themselves more effectively against threats. In order to receive a quote for a cyber insurance premium, businesses must undergo a threat analysis.
This audit can also go some way to preventing issues from arising in the first place, because businesses gain a valuable understanding of the lie of the land within their organisation – including where valuable digital assets sit, and which controls could be implemented in order to secure them. This sort of in-depth analysis puts businesses in a much better position to take proactive decisions around cybersecurity, highlighting any potential gaps and providing the impetus for action, including training.
The right cover for peace of mind
Securing board level approval for taking out a cybersecurity policy isn’t easy, given how confusing this particular cover type can be. Yet despite the difficulty of precisely establishing the value of cover needed, cyber insurance isn’t like PPI. And it certainly isn’t a policy that any digital-facing business should be without.
Businesses must therefore be prepared to invest in the right threat analysis process to ensure they have the correct level of cover in place and adequately trained staff to take responsibility for cybersecurity. Not only will this go some way to providing peace of mind – it might even uncover security risks businesses never knew they were exposed to.