In the first of a four-part series on cyber security we take a deep dive into the world of cybersecurity insurance, or the lack thereof. Be sure to follow our ‘Cyber Serious’ series over the next few weeks.
Needing insurance, much like cybersecurity services, is like needing a parachute; if it isn’t there the first time you won’t need it again.
It’s every business leader’s worst nightmare. You’re commuting to work all happy and jolly having dropped the kids off at school for another day. An email comes over your phone titled ‘urgent’. There has been a malware attack with a significant amount of data hacked from your company and there is nothing you can do about it. The data is now in the hands of criminals.
What do you do?
Without taking a step back and understanding why breaches happen, and what organisations must do to prevent them (we’ll cover that later), what would you do if this had happened to you? Most business leaders would first turn to their solid and reliable insurance policy and access funds to address the business crisis. Most, however, will be shocked to discover that their insurance does not cover a cyberattack.
Until very recently, policies bought from certain insurers may not have covered you at all unless you held a specific cybercrime insurance policy. The most damaging incident that can happen to most large organisations in 2019 is the one they are not insured against.
Even though the probability of a cyberattack is higher than, say, an office-based workplace accident, the level of cover most CEOs put against the organisation’s reputation, customer trust, customer data and information, and the organisation’s own data and information, is tiny.
And it’s not just the CEO’s fault. Those who do want to buy cybercrime insurance require a level of coverage that many individual insurers are unwilling to take on, as insurers just can’t assess the risk.
Many insurers refer to hazards they cannot assess the risk of, because they are so uncertain and infrequent, as ‘acts of God’. With cybercrime it’s the opposite: attacks are common, but the seriousness of the damage they will do is unknown.
Global insurance organisation Munich Re estimates that the cybercrime insurance market will double by next year, driven by the increasing number of connected devices and the subsequent surge of complex risks associated with such systems.
Munich Re board member, Torsten Jeworrek, commented recently in a statement that Munich Re believes: “The economic cost of large-scale cyberattacks already exceeds the losses caused by natural disasters. When small and medium-sized enterprises are affected, such attacks can soon threaten their very existence.”
So what can you do to keep the wolves from the door?
Of course, prevention is your best insurance policy, and having a strong cybersecurity prevention program is the most important step. This entails constantly monitoring your protection, looking for weaknesses before criminals do, and ensuring they are not exploited. Employ someone whose sole goal is to protect your organisation, or enlist expert assistance – and recognise the importance of unknown vulnerabilities.
Cybersecurity is a proactive and continuous process, and if a company finds itself on the wrong side of this, in a reactive, damage-minimisation process, then it’s not good.
But no matter how good you think your process is, insurance is a necessary backstop, so what must you consider?
- Have you assessed your risk? Do you know that the policy will cover you for the risk you have? Don’t leave it to the insurance company to assess your risk for you.
- Are you meeting the required governing standards for your industry? If you’re not up to a specific standard this, at best, could void any claim you make, and at worst will leave you wide open for attack.
- Do your research into which policy is right for you. How transparent is it and does the level of cover meet the cybercrime protection that your organisation has?
- Learn to navigate today’s cyber insurance market. It’s complex and security leaders who learn the nuances will be in a better position to choose the correct policy. It’s a maze of interworking providers and partners. Brokers, consultancies, underwriters, cyber risk scoring providers, incident response teams, carrier panels, post breach services, reinsurers, legal services, the list goes on.
- Check the details of the policy, double check them, then check them again! Even a slight change in policy definition between, say, computer fraud and cyber fraud could limit your cover and mean millions of dollars of liability.
Let’s also mention the existing flaws in the cybersecurity insurance industry. Most policies limit cover to attacks and unauthorised activity, and do not include coverage for accidental errors and omissions. So, when an insurance company is deciding whether or not to pay out a claim, it may point to a factor such as human error and refuse to pay out the claim for a hacked computer system.
Another major shortcoming is that most policies only pay out losses incurred during the network interruption itself, and not for the entire period that the business has been affected. So, if a cyberattack happens on a weekend, but the business is incapacitated for a week afterwards, the claim would only cover the weekend of the attack, and not any business interruption later, of which there is probably plenty.
Now take a deep breath, talk to the right people and always get expert advice when deciding on an insurance policy and remember, prevention is always better than insurance.
Interested in knowing more? Next up in our ‘Cyber Serious’ series we ask: what are the economic impacts on business from cybercrime incidents? Follow KJR on LinkedIn to see it first.
KJR offers comprehensive cybersecurity services; learn more here.