Should you have cyber insurance? That’s not a frivolous question any longer. The risks of ransomware, CEO fraud, data breaches or denial of service attacks are ongoing. We have the Central Bank of Ireland warning firms to assume they will be targeted.
How badly would your business be affected by an incident like those described above? The cost of responding to a serious incident could put a significant dent into any company’s cash reserves.
Firstly, there are the direct costs of being scammed, or of paying the ransom to make attackers stop (if you choose to do so), or the lost business as a result of system disruption. Secondly, there are the indirect costs: these include notifying staff or customers that you’ve suffered a breach, as well as the expense of engaging with external legal or technical experts to help with the investigation and clean-up.
There’s no shortage of surveys that try to put a monetary amount on the cost of a data breach. My suspicion is that it only takes a couple of very large outliers in the sample set to cause the opposite effect: the headline costs are so eye-wateringly high that business owners dismiss them and assume they couldn’t possibly apply to their own business.
A more useful guideline comes from the Federal Trade Commission in the US, which recently published a breakdown of the services that a company will need to pay for in the aftermath of a data breach. This leaves it open to companies to apply specific costs to their own situations.
One increasingly popular option for offsetting breach-related costs is to take out cyber insurance protection. As boards of directors become more aware of the extent of risk their organisations face, they’re opting to move that risk away from their balance sheet. As a quick online search will prove, there’s a growing number of general and specialist insurers that are now able to meet this need.
The consensus among many legal and risk experts I’ve spoken to is that it’s a buyer’s market right now. As more and more general and specialist insurers launch products, businesses can pick from a choice of providers.
As if to prove how this is becoming a mainstream business issue, Newstalk, an Irish radio station, carried an item on cyber insurance last month. It claimed that a typical small to medium enterprise with revenues of less than €10 million can expect to pay around €1,000 per year for limited indemnity of €500,000.
Insurance makes sense for smaller companies that don’t have the time or resources to devote to information security. It’s also starting to become a requirement for securing contracts with large organisations. In some cases, project tenders specifically tell prospective bidders that they need to have cyber insurance.
Those are two good reasons to consider taking out a policy. In practice, though, anyone shopping around will need to watch out for obvious ‘gotchas’. Earlier this year, Brian Honan had this to say about a cyber insurance policy he had just reviewed for a client: “Two exclusions in it for extortion & insider threat. So excludes most common threats”.
In a recent FICO and Ovum survey, just 31 per cent of businesses thought their premiums accurately reflected their risk. Almost as many (29 per cent) didn’t believe the assessment was an accurate reflection of their risk. The security industry is full of stories about companies buying tech that bears no relation to the actual threats they face. It appears cyber insurance also has some maturing to do.
In the FICO/Ovum survey, almost two-thirds of UK companies said they have cyber risk insurance. By extension, this means that one in three don’t. In the same survey, half of US firms said they don’t have cyber insurance, even though most expect the volume of cyber breaches to increase in the coming year.
Most experts agree that cyber insurance is one part of a broad security strategy, rather than a replacement for all of the other sensible things that companies ought to be doing anyway. In the car insurance market, we’re starting to see providers reward safe drivers with lower premiums. In the future, could we see organisations with good security policies and procedures benefiting from lower cyber insurance costs?