Insuring against cyber risk

If the worst happens, what options do organisations have to protect themselves against the impact of a cyber attack?

By Tim Ferguson

Tue 19 Dec 2017 @ 10:31

It's becoming an accepted fact that organisations will be compromised by a cyber threat at some point. With threats becoming increasingly sophisticated and able to breach perimeter defences, it’s a question of ‘when’ not ‘if’ corporate networks will be compromised.

While it's becoming harder to prevent threats entering corporate networks, there are plenty of tools to ensure they are dealt with before they become a major issue.

These tools can help prevent threats progressing along the cyber threat lifecycle, or 'kill chain', in which each stage is progressively more damaging to business operations and requires a more complex and time-consuming recovery process.

Unfortunately, these tools aren't foolproof and major cyber attacks can still hit organisations that are seemingly well prepared.

As a consequence, there is a growing demand for cyber risk insurance to complement existing cover, particularly from businesses that hold sensitive customer information, rely heavily on IT systems to conduct their business, or regularly process payment information.

PwC estimates that the market for standalone cyber insurance could reach $7.5bn in annual premiums by 2020, while insurer Allianz puts the figure as high as $20bn by 2025.

What does cyber risk insurance cover?

The Association of British Insurers (ABI) defines cyber insurance as covering "losses relating to damage to, or loss of information from, IT systems and networks". Policies are available directly from insurers or via brokers, providing first and third-party cover. Many insurers also provide technical assistance for managing breaches.

First-party cyber insurance usually covers loss or damage to digital assets such as data or software, business interruption, cyber extortion resulting from ransomware, customer notification expense, and damage to reputation from loss of intellectual property and customer information or theft of money or digital assets.

Third-party cover also covers the assets of customers and can include investigation, defence costs and civil damages resulting from a security or privacy breach, including payment of compensation to customers.

Managing cyber risks

The ABI stresses the importance of organisations managing their own cyber risks as well as having the safety net provided by insurance. Organisations should evaluate first- and third-party risks associated with IT systems and networks, assess the potential events that could cause risks to materialise, and analyse controls currently in place.

It's also worth getting up to speed on developments in network monitoring and forensics, security incident and event management (SIEM) and threat detection (using machine learning and artificial intelligence). By investing in these technologies, organisations will stand a better chance of stopping threats in their tracks.

Governments are also working to protect businesses better from cyber risk. The UK government, for example, launched a cybersecurity hygiene standard called Cyber Essentials in 2014 to help organisations protect themselves against common cyber attacks. The UK also has the Cyber Information Sharing Partnership, which enables government and industry to exchange information on cyber threats.

Having the right tools in place is likely to affect the level of insurance cover provided as well as the premium. If your organisation has the tools to prevent the cyber attacks escalating, insurance companies will be taking a lower risk by providing cover.

Insurers still finding their feet

While cyber insurance is widely available, it is still a fairly new area for insurers, meaning there is plenty of scope for it to improve as insurers get up to speed with the impact of cyber threats.

Cyber risk is currently seen as the number one risk for reinsurers, according to research by PwC. This is partly because underwriters are anxious about the fact that it's a ‘constantly shifting’ risk thanks to the efforts of cyber criminals to develop new ways to wreak havoc. In addition, there is relatively little historical data to go on, meaning protection isn't as comprehensive as it will be in the future.

But while historical data on losses associated with cyber attacks is limited, it is possible to determine risk by analysing incidents that have taken place and evaluating the latest threat intelligence. This will help insurers better assess vulnerabilities and exposure when quoting on cyber risk insurance.

Insurers will soon have a better understanding of the risk posed to businesses by cyber threats. Investment in modelling and analytics will enable them to improve their offerings and provide the level of cover appropriate for the ever-changing cyber threat landscape.

In the meantime, organisations can protect themselves by making sure their internal security capabilities are up to scratch and finding the cyber insurance that best first their needs.