With cyber risks on every boardroom agenda, the moment has come for the cyber insurance sector to respond
Cyber security used to be something only IT professionals worried about. But as the world becomes ever more interconnected and the reliance of businesses on technology increases, the issue of cyber security is fast finding its way into the world’s boardrooms and senior managements’ offices. Why? The statistical evidence is clear – businesses all over the world are under attack.
There is also a misconception that cyber criminals only target large government entities and major corporations. It is not surprising that this is the belief, as it is only the high profile incidents that are brought to the public’s attention. Incidents such as the Stuxnet malware attack on Iran’s nuclear programme, the loss of passwords at LinkedIn, the data breach at Sony or the take-down of Boeing’s website all reinforce this misconception. However, an internet security report recently issued by Symantec Corporation stated that 50 percent of all the targeted attacks were on small to medium-sized businesses. Not a fact you would readily envisage.
Smaller entities are no doubt reluctant to share this type of information. Malware, spam, scammers, hackers, bots, phishing and viruses – all phrases that are finding their way into everyday language – are increasingly becoming a thorn in the side of businesses of every size worldwide. The ability for a digital risk incident to affect reputation, brand and a company’s fundamental ability to generate revenue should not be underestimated. But unfortunately, it often is.
Another misconception that needs to be addressed concerns the causes of data breaches. A large proportion of incidents are indeed caused by hacking or malware. This generally involves a third party gaining illegal electronic access to a company’s network. However, what many businesses fail to recognise is the exposure that they face as a result of employee negligence, human error and the increasing reliance on portable devices.
If you are reading this on your laptop, smartphone or tablet perhaps you might start to appreciate the potential problem. The percentage of incidents that are a direct result of people losing their portable devices is staggering. One report I saw recently attributed more than 30 percent of all digital breaches to lost, stolen or discarded portable devices.
It is indeed amazing how few companies insist that their employees’ portable devices are password protected, or how few actually encrypt their data. With the Christmas ‘silly season’ upon us, hold tight to your portables!
From as early as the beginning of the new millennium, the insurance industry started to recognise the potential risks that moving to a digital world would involve. Many seasoned insurance professionals led the charge, writing new wordings and exploring how to protect an ever growing number of new risk areas – indeed, our company was born at this time.
In an industry as old as ours, any new potential risk class is bound to attract a great deal of interest. Many of the practitioners in our market believed then, and still do now, that cyber will have a life cycle similar to that of directors’ and officers’ liability insurance – a class that was talked about for years, but rarely purchased. Now it is a staple diet of most risk transfer programmes.
Many potential buyers of cyber insurance in the early days wrongly believed, and many still do today, that traditional insurance coverages would pick up the principal risks associated with digital trading, including loss of data, reputational risk, hardware costs and third party liabilities. If this were indeed the case, then there would not be the large number of specialist cyber underwriting teams that are emerging in the market, nor the growth of specific policy wordings that are being released onto “an uninterested” world. I say uninterested, simply to highlight an interesting anomaly. The topic of cyber risk is very high profile in our sector at the moment. Every conference one attends and every journal one reads will have a plethora of sessions and articles dedicated to the topic.
The most recent 2013 Lloyd’s Risk Index even placed cyber at number three in the world’s top risk ranking table according to CEOs and their peers. But here is the anomaly – everyone is talking about the risk, but who is actually buying the insurance? Many of the corporates I interact with state that they are aware of the potential risk, but then openly admit that they are not really fully prepared in case of an incident, and that they do not currently purchase the insurance.
The main issue that needs to be addressed is the question of education. There is a need to assist the buying community in terms of understanding the potential risk areas, as the majority of board members do not fully understand their company’s digital risks and feel that other risks warrant more attention. There is also a lack of awareness of the policy coverage available in the market.
Most buyers are not aware of the first party coverage that is afforded by the specialist cyber policies. The ability of a policyholder to utilise his insurance to cover, for example, breach notification costs, credit monitoring and forensic costs, is a powerful incentive to purchase this protection.
Cyber extortion protection and business interruption costs also add weight to the argument, as does the protection available for regulatory violations, defence costs and fines. The greatest argument of all is the cost. Compared to the potential cost of being the victim of a cyber loss, insurance premiums are relatively inexpensive. I have seen $1m limits regularly being provided by insurers for premiums of less than $1000.
There is also a gap in knowledge amongst potential buyers regarding the experienced team of specialists that will mobilise on their behalf in the event of an incident. Successful incident response, from a team of experienced practitioners, can help to manage and mitigate the post loss crisis.
Safeonline has partnered with IDT911 to provide these services, but there are a number of other providers available. Insurers are comfortable in including the fees associated with these services within their policies, which they see as a way of mitigating their loss. Providers such as IDT911 also provide daily news alerts, preventive tips, best practice guides and original research papers, thus aiding the education process.
Insurers are also willing to encourage effective cyber risk control strategies by offering premium reductions or actually paying for the provision of preventive risk tools that help to improve company security. Organisations such as RiskAnalytics, which provide software and hardware security risk management solutions that can instantly detect and stop communication between the corporate network and criminal controlled sites, are utilised by a number of major insurers and by Safeonline.
The improvement in education and understanding of digital risk within the corporate community, coupled with the fact that comprehensive cost effective insurance solutions are already readily available, means there is no reason why any organisation should be unprepared for digital risk.
Add to the mix the changing legislative landscape, which is having an ever-increasing influence on security governance, and it is clear that companies must act now. Today is the day when cyber insurance comes of age.
(This article appeared in Insider Quarterly, part of Insurance Insider)