Cyber insurance is a topic that typically flies under the radar when discussing the economics of cyber attacks. However, with the new year well under way, many believe that 2016 will see it take the spotlight.
With high profile cyber attacks exponentially increasing over the past year, cyber insurance premiums have skyrocketed. Insurers are significantly increasing premiums for certain companies, leaving 'high risk' organisations scrambling for cover.
There are even some cases where insurers are limiting the amount of coverage to $100 million. With the rate at which cyber attacks are growing in both volume and complexity, it would be no surprise if this year sees firms exposed to losses that end up costing more than twice that.
From a technology perspective, it’s been predicted that cyber insurance requirements will be the key driver of cyber security improvements throughout 2016. Evidently, now is the prime time for organisations to ensure that they are well protected without having to dig too deep into their pockets.
Challenges in the digital age
One of the key reasons for the soaring premiums over the past year has been the growing underwriting challenges facing the insurance industry for cyber security.
Today, cyber criminals are an increasingly diverse and sophisticated group, displaying a greater variety of motives and desired destructive outcomes as they go after both traditional (financial services, retail, government) and non-traditional (power plants, consumer sites & applications) victims. Criminals are becoming more sophisticated, employing a wider range of attack methods that are ever-evolving technically.
With the underlying risks changing so rapidly, it is becoming extremely difficult to keep up risk analysis for underwriters and business alike. Even when an organisation is more serious about purchasing cyber insurance, companies themselves have difficulty in presenting a picture of their risk that is relevant to underwriters. There is a fundamental lack of understanding regarding the exposure at all levels, and the uncertainty is pushing premiums to an all time high.
So how can organisation’s reduce the cost of cyber security insurance? Generally, having a robust and well tested security programmes and response plans in place that is superior to competitors tends to result in lower premiums. This would usually be reflected in an organisation’s ability to demonstrate proactive and effective strategies to protect customers from malicious attacks.
While risk analysis is generally proving difficult for underwriters, organisations that are able to show they are taking a proactive stance to address the impact of cyber crime and fraud, for example a company using an email security solution to secure and authenticate its email channels, will benefit from lower cyber insurance premiums.
Clearly, this shows a healthy understanding in the insurance industry that proactive protection means less risk – even if that risk is not fully understood. However, businesses should not think they are protected simply because they have cyber insurance.
The reality is that while insurance will put some money back into the organisation after a breach or attack, it will not restore consumer confidence nor stop the regulators monitoring your organisation.
Ultimately, an organisations’ primary concern should be protecting customers and employees. Insurance policies will cover some financial expenditure related to dealing with a data breach, but it does nothing to protect customers’ data.
Some people think cyber risk is solely a financial issue, these people are completely missing the boat. If they care about the financial issue, they must do a cost-benefit analysis.
No one says they have great health insurance and decides not to care about their health, so it’s important we don’t treat cyber insurance the same way, it is a worthwhile investment to get cyber insurance, but it is not the solution.
You’re not covered (in terms of data protection), you just get some lost money back. The actual impact on the business is far greater than the financial costs – it’s your brand, your reputation, government oversight, and your job if you get breached. There’s no CEO job insurance.
Sourced from John Wilson, CTO, Agari