With annual losses from cyber crime estimated to be topping $400bn (£291bn), you would think organisations are flocking to insurers. However, NTT Security found that only one-third of senior executives in the UK admit their companies are insured against information security breaches and data loss.
This is despite the fact that 81% agree that it is ‘vital’ their organisation is insured against information security breaches.
>See also: Cyber-insurance can reshape the way organisations do security for …
According to the latest Risk:Value report from NTT Security, the security company, which looks at the attitudes of 1,800 global senior decision makers from non-IT functions to risks to the business and the value of information security, reveals that UK businesses would have to spend on average £1 million to recover from a breach.
The insurance sector is seeing growth. The number of insurers now offering cyber insurance via Lloyd’s of London has leapt to more than 70 – nearly double the number a few years ago. While insurance giant Allianz predicts that global cyber insurance premiums will grow to $20bn by 2025, up from around $3-4bn currently.
>See also: What sectors are investing the most and least in cyber security?
Kai Grunwitz, Senior VP EMEA, NTT Security, said: “While cyber risk insurance should be put in place to help mitigate the potential fallout of a data security breach, a policy must not be seen as a ‘get out of jail free’ card. Cyber insurance must be complementary to an effective risk-based information security strategy, not a replacement for it. You wouldn’t expect your house insurance provider to pay out if you were burgled when the doors and windows are left unlocked. So don’t expect a payout – or indeed an insurance policy – if you haven’t put in place the right processes and policies.”
Unclear policies
Matthew McKenna, VP EMEA at SecurityScorecard, believes many companies are lagging behind because cyber insurance policies are unclear.
He said: “When it comes to cyber insurance, the policies being provided are usually quite descriptive as to what they do and do not cover. The challenge may come however in the SMB segment where organisations don’t necessarily have dedicated cyber security professionals. Here is where making security understandable for those who are seeking cyber insurance is important.”
>See also: Enterprise-wide changes coming to address cyber risk
“Third party risk is an interesting topic for cyber insurance underwriting that will certainly evolve as this space matures. Currently cyber insurance underwriting is more focused on the entities themselves being insured, however underwriting takes numerous variables into consideration, and the third-party risk will certainly be a factor for the underwriting process, in particular for larger enterprises.”
“Security ratings is one of many variables utilised in the underwriting process. Things such as the company itself, the overall industry risk, responses from questionnaires issued, etc. are all factored in, in addition to security ratings. Each area is weighted accordingly to the overall risk being assessed. As the security ratings industry matures, more weight will certainly be lent to the information security ratings provides. When it comes to SMBs, insurers are less focused on assessing the individual risk of each individual company and more on managing the overall risk of the portfolio. Therefore, security ratings is one of many factors the underwriters look at to set the correct cyber insurance premiums.”
>See also: The era of cyber attacks: AI’s role in cyber insurance
