Earlier this year Lloyd’s of London reported a remarkable figure that the cyber insurance market grew by 50% in Q1. Despite this growth, the Corporate Executive Programme (CEP), found that 40% of major US companies have cyber insurance cover compared to 13% of UK businesses.
While this is encouraging, it begs the question: are companies starting to look for an easy way out of transferring their cyber risks or are they savvy enough to take early advantage of potentially loose underwriting policies that may exist in a relatively immature market that is growing rapidly. Either way, the opportunity window is closing rapidly and companies need to act fast.
Cyber insurance is more of an art than a science. The industry still needs to build the loss history databases that are needed to evaluate cyber risk effectively. Unlike life expectancy tables that have been around for over a century, cyber risk data, used by underwriters on breach likelihood and correlation with security controls and industry trends, especially in Europe, is simply not yet fully mature.
While cyber insurance is a sensible provision for any business, businesses should tread carefully and avoid viewing it as a primary solution for reducing their risk exposure. Effective systems to manage the risks of cyber threats are still required, as a rite of passage to get the insurance you require and also to protect the business against risks which will be hard to insure, such as a brand’s reputation. Cyber insurance should be part of a broader cyber risk management programme and be thought of as a last resort to cover risks relating to the most critical security incidents / impacts that the business simply cannot mitigate through other means.
Before taking out home insurance, most of us don’t think twice about adding protection measures to our homes to reduce the likelihood of a break-in and to reduce our premiums. For example, putting locks on windows, installing alarms linked to the police and the use of smoke detectors. Moreover, and most importantly, we have a good understanding of the value of the goods we are looking to insure. This is critical to choosing the appropriate insurance to protect our personal “crown jewels”. It enables us to take out focused cover for high value items and gain clarity on items that may require additional protection beyond insurance, such as moving valuables to a safe bank rather than keeping them at home.
Similarly, before applying for Cyber insurance, businesses should take practical measures to manage their own cyber threats more effectively. While cyber security hygiene activities are well documented, they are unfortunately not often effectively executed. This will be critical as a primer before thinking about transferring risks onto a third party as the company will expect some commitment from you to build confidence in insuring your business.
Apart from addressing the “hygiene” factor, many companies have not taken the simple steps we take naturally in our own homes of understanding the key assets they have, where they are stored and their intrinsic value. Moreover, many have not adequately defined their risk appetite and tolerance should they experience a security breach. Having a good understanding of critical assets, their business impact and what are acceptable levels of loss are key to making a sensible decision about what to insure against and why.
Whilst adoption rates are growing but still relatively low in UK and Europe, this may significantly change as regulation continues to reform specifically in the Data Protection and breach notification domains. The barrier to entry for cyber insurance is being raised year on year and whilst initial screening questionnaires 12 months ago were fairly very light on entry-level criteria, these are becoming increasingly more sophisticated as more insurers come on board to offer services to meet growing market demand. Before giving your broker a call, make sure you address the following:
- Think carefully about what it is you want to insure– what is most critical and what are the unmanageable disastrous outcomes / catastrophes that really need to be transferred.
- Consider the type of protection you’re looking for which may include a combination of privacy liability, credit monitoring and identity theft protection costs for customers, cyber extortion, business disruption including revenue loss and additional expenses, information asset protection and recovery, and third party protection. Also clarify if you looking for first party (internal costs to your company) and/or third party (impact on other companies / individuals) insurance.
- Understand potential impacts should a cyber risk event arise and how this may affect your business. This helps to define the type of insurance and magnitude of cover required. The larger the cover requested and higher the breach impact excess accepted, the easier it may be to get the cover required.
- Gain consensus regarding threats you’re trying to insure against and check all are covered by your policy– e.g. external hacking vs a rogue internal employee attack; cover for business partners / contractors; failure of your IT vs a business partner’s.
- Shop around as terms and conditions and entry criteria may vary greatly between insurers.
Ultimately, be honest and willing to demonstrate an appreciation for good cyber hygiene to build confidence in the insurers and underwriters that you are taking cyber security seriously:
- Try not to get breached before applying for cyber insurance – similar to car insurance, you become harder to insure if you have already been exposed to an incident
- Implement and monitor a security policy governed by a risk management framework
- Carry out regular internal/external audits – IT security, resilience, disaster recovery
- Implement regular testing, secure configuration and patch management processes
- Put in place sensible security defences e.g. firewalls, two factor authentication, Anti-Virus / Anti-Malware, web filtering, logging and monitoring, data leakage, secure home / mobile working.
- Establish a security education and awareness programme
- Manage third party risks when sharing data and relying on third party systems
- Implement sensible measures for protecting sensitive data wherever it is stored, such as encrypting customer records stored or transferred on removable media
- Maintain an effective records management programme that stores only the information required for an appropriate period of time and cleanses data regularly
- Maintain asset and data inventories to know where sensitive data exists
- Be prepared to manage security incidents should they arise
- Put in place measures to manage access control for ordinary and privileged users
If you would like some to do some further reading on the Cyber Insurance industry and Security Hygiene, these articles are well worth a read: Visit HERE
www.cyberstreetwise.com/cyberessentials/
[su_box title=”About Ryan Rubin” style=”noise” box_color=”#0e0d0d”]
Ryan Rubin is a Managing Director in protiviti EMEA Security & Privacy IT Technology Consulting practice. Ryan is a member of the global leadership team of our IT Consulting business and leads the global Identity & Access Management service line.Ryan brings more than 17 years of breadth and depth of experience supervising and delivering business focussed risk, security consulting and IT assurance services to corporate clients helping to manage cyber security risk from the boardroom to the network.Prior to joining Protiviti 8 years ago, Ryan worked for a Big 4 consultancy for over 10 years in their security and IT advisory practice. Ryan has worked on both internal and external audit projects for several FTSE 100 and global Fortune 500 clients.Ryan has served clients globally across several industries providing a wide breadth of IT risk and governance related consultancy services : strategy & architecture, identity & access management, penetration testing, application and database security, infrastructure implementation, IT audit and due diligence, forensic investigations, risk management.[/su_box]
