Northdoor’s Tony Russell on the opportunities and challenges for insurers

Cyber

IT security breaches will continue to rise this year, and organisations will consistently face growing numbers of sophisticated, persistent threats to their corporate data, writes Northdoor IT consultant Tony Russell.

Data is becoming more and more crucial to organisations, and threats to that data must not be taken lightly.

Increasingly, organisations are turning to cyber security insurance to help mitigate the risk of loss of data and brand. The term ‘cyber security insurance’ is a catch-all term for policies that cover hacked computers, virus attacks, denial-of-service attacks, copyright infringement, web content liability and other technology-related areas. 

Businesses are beginning to rank cyber-security risks as greater than natural disasters and other major business risks, and while only 31% of companies are insured against data breaches, a growing number of companies are exploring insurance against this, according to the findings of a survey by Experian Data Breach Resolution and the Ponemon Institute. 

The consequences of security breaches are greater than or equal to a natural disaster, business interruption, fire or other disaster, as stated by 76% of respondents. However, on average, respondents say there is a nine per cent likelihood that their organisation will experience the predicted maximum financial impact during a data breach.

In the US, where companies are obliged to inform authorities of online attacks, the cyber insurance market is already highly developed and is valued at €960 million per year. Europe is still a long way off that, but as the vulnerability window continues to increase, we will see companies here begin to play catch-up with the US.  

At the moment, cyber liability insurance cover can include:

  • Data breach/privacy crisis management cover. For example, expenses related to the management of an incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance and regulatory fines.
  • Multimedia/media liability cover. Third-party damages covered can include specific defacement of website and intellectual property rights infringement.
  • Extortion liability cover. Typically, losses due to a threat of extortion, professional fees related to dealing with the extortion.
  • Network security liability. Third-party damages as a result of denial of access, costs related to data on third-party suppliers and costs related to the theft of data on third-party systems.

2014 is going to be a pivotal year for the cyber insurance market in the UK.  Whilst this is positive because organisations are beginning to face up to the need to mitigate losses from cyber security incidents, it will create an enormous challenge for insurers who will find it very hard to accurately predict the probable maximum loss.  

Even though cyber liability insurance has been around for 10 years or so, many insurers who have offered this have not sold a single policy, and, in many cases, may not have understood the risk that they were actually underwriting.  A key reason for this is the lack of available data for underwriting purposes. In fact, many insurers fear a so-called ‘cyber hurricane’ will overwhelm them before they build up sufficient reserves to cover possible future large losses. 

At the end of the day, the risks associated with cyber insurance are not that well understood. There is not a lot of historical information that insurance companies can call on to quantify their risk.   They are effectively underwriting cyber risks blindfolded.

What is needed is a process whereby insurers – and their customers - can sensibly understand and assess the risk.  Ideally this would include the creation of best practices and a clearer understanding of the kinds and amounts of loss that cyber incidents can cause.  

One obvious way to do this is for insurers to insist their customers undertake continuous assessments, audits and post-breach protection.  This will ensure they understand current trends in security threats, but also identify vulnerabilities within their existing infrastructure.  With this knowledge in hand, insurers can more accurately identify the risk.  

When it comes to cyber security, insurers have an ever-growing adversary on the other side – and this makes it hard for them to predict what they might be liable for. Regular testing of cybersecurity defences is critical to ensure an organisation’s defences are as robust as they can possibly be. And for insurers, understanding the nature of their client’s risk – and the robustness of their defences – is the only way they can be sure that they are accurately assessing the risk.