Organisations are coming under increasing pressure to take out cybersecurity insurance cover. Also known as cyber risk insurance, it’s now a prerequisite in some public sector tenders. Bidders that don’t have it won’t win the deal. In other cases, private sector contracts require it.
Let’s look at this from two perspectives: the tendering organisation, and the business carrying on its normal operations. From the point of view of a business or public sector organisation that’s preparing tenders, asking for cybersecurity insurance by itself is a strange approach when you think about it. When I see this in a request for proposals, my instinct is to think that this hasn’t been thought through. Surely it’s more important to know that a potential supplier has applied effective security controls to try to prevent a breach, rather than verify that it will receive a payout if it has one.
What tenders need to ask about security
In reality, the tenderer should be asking every bidder questions such as:
- Is it certified to an independent security standard like ISO 27001?
- Does it carry out regular security audits or checks (ideally by a separate third party)?
- Are there policies and procedures in place to ensure good governance of information security?
By contrast, large organisations tend to do this right. It’s common for multinationals to ask potential suppliers to answer questionnaires about security. Often, they also want bidders to produce supporting documents like the executive summary of a penetration test report.
Sometimes, contracts or proposals ask suppliers for both cybersecurity insurance and documented security controls. That is a more sensible approach, provided procurement teams give greater weighting to the latter. Effective security management is better than any insurance policy. Tenderers should check the controls an organisation has in place to protect sensitive company and personal data, and the systems which process that data.
Why cybersecurity insurance is not the same as security
Now for business: apart from cases where cybersecurity insurance is obligatory, is it worth investing in on its own merits? There is a place for good cybersecurity insurance in the mix of insurance cover a business may require. Like all insurance, though, there is good and bad.
You could argue cybersecurity insurance is useful because it makes people think of business risk, not just IT problems. Ultimate responsibility for data breaches rests with the board and the CEO. Insurers know this and will say it’s a significant business risk not to have cover if a breach happens.
That may be true, but the danger is, some companies could think a cyber risk policy by itself is enough. However, this approach treats security as a tick-the-box exercise. Insurance cover should never be a substitute for making an investment in the appropriate security controls for your business, based around technology, people and processes.
What to do before choosing an insurer
Before deciding which insurance provider to work with, a useful first step is to carry out an internal risk assessment. Depending on the level of security and risk management expertise in the business, this exercise might involve an external provider to carry out the assessment.
At the end of this process, the business will have playbooks outlining how different types of security incidents could affect its operations. Depending on the severity, a serious breach could lead to a few weeks’ downtime. In that case, then a cybersecurity insurance policy might help to cover the loss of revenue as well as the cost to put the business continuity plan into action such as spinning up new servers to replace the ones affected by the breach.
Of course there’s small print
Just be sure to read the small print. Some policies exclude claims for extortion and fraud, which rules out payouts for ransomware attacks and invoice re-direct scams. Yet these are two of the most common forms of security breach.
In 2019, the US food company Mondelez sued its insurance provider Allianz for refusing to pay a $100 million claim for ransomware damages. Mondelez had 1,700 unusable servers and 24,000 laptops that were permanently broken after NotPetya struck. Zurich claimed the ransomware was “a hostile or warlike action” by a government or foreign power, and therefore not covered.
What’s more, cybersecurity insurance may not necessarily cover all breach-related costs. Norsk Hydro suffered one of the world’s biggest ransomware infections in 2019. Months later, it estimated the financial impact of the cyberattack in the range of NOK550-650 million (€54-64 million) in the first half year. Yet its initial insurance compensation was a fraction of that amount: NOK33 million (€3.2 million). Although the company said further compensation would be recognised “when deemed virtually certain”, it’s a cautionary tale.
Questions to ask your insurer
If you do decide to take out a cyber risk policy, do some due diligence of potential insurers first. Use the following questions as a guide:
- Will the insurance company expect you to pay a ransom if you suffer a ransomware attack?
- If so, would this be acceptable to your board of directors? (For obvious reasons, law enforcement bodies oppose the paying ransoms for decrypting data and systems, because it funds criminality)
- How does the insurance company assess a claim, using what metrics?
- How many claims has it rejected and why?
- What types of breaches does it not cover?
- What security measures will the insurance company ask you to have?
The first point hints at the fraught relationship between cyber insurance and ransomware. The insurance provider Hiscox found that just over 58 per cent of its customers pay. A separate study for Marsh McLennan, a cyber insurance broker, arrived at a similar figure of 60 per cent for its clients in North America. But even where victims pay, there’s no guarantee they will get all their data back. In a global survey by Sophos, those that paid only recovered 65 per cent of their data. In 29 per cent of cases, half the data remained inaccessible even after handing over money.
The final point is an important one. Just like having an immobiliser and alarm on your car can reduce your motor premium, your cybersecurity insurance provider may well ask you what extra security checks you’re carrying out. Your company may deemed to be at risk from phishing attacks for instance, so the insurance company may require that you carry out annual awareness training and simulated phishing exercises. Where there’s due diligence on both sides, that’s where the cover tends to be strongest.
It can’t be said often enough: cybersecurity insurance is not a shortcut to good security, any more than having car insurance makes you less likely to have a crash. Before shopping for quotes, remember that simply having appropriate and effective security controls in place around your people, processes and technology, plus robustly structured business continuity and breach management plans, is really the best insurance you can have.
John Mangan is Head of Sales and Marketing with BH Consulting