Kathryn Pick examines the recent growth of cyber insurance and the impact of this new but quickly developing form of indemnity.
Companies across the globe have been facing an increasing threat of being attacked by cyber-criminals. From hacks on British Airways passenger data through to ransomware threats targeting the NHS, the corporate network is a prime target.
What’s more, as we have seen in the headlines, the financial impact of these attacks can be huge – even catastrophic – to a firm.
In October 2018, Tesco Bank agreed to pay out £16.4m as part of a settlement with the Financial Conduct Authority over a cyber-attack in 2016, but even bigger sums have been brought.
Tools to protect a business have long been a feature in a boardroom conversation, but in recent years, the extra layer of protection offered to a company’s wallet by cyber insurance has become the new topic.
So what benefits can cyber insurance bring to businesses in the Wild West of cybercrime, and are there any downsides for those looking to invest in the new protection?
What is Cyber Insurance?
For those new to the topic and asking what cyber insurance actually is, Daniel Kennedy, research director for information security at 451 Research, describes it as simply a “form of risk transference” for a business.
“It allows an organization to identify the potential impact of an outage, data breach, or other financially damaging event caused by a security issue,” he says.
“Then, they can build an ability to leverage and pay for outside forensics services/expertise and financial recompense to their set of planned responses.”
So, whilst you put locks on your doors to protect your worldly possessions, you still make sure your home insurance is up-to-date in case burglars successfully break in. Cyber insurance offers you that same reassurance for the precious goods locked in your data center.
A 2018 report from IDC by analyst Sabitha Majukumar recommends that over the next 12 months, businesses consult with risk management professionals and financial analysts to determine whether it is the right move to make. Then, within the next 24 months, have their policy implemented and ready to give that double lock safety assurance.
Why Has it Grown in Popularity?
According to The Betterley Report, a cyber/privacy insurance market survey, the compound annual growth rate of cyber insurance globally was 31% between 2010 and 2017, so it is clearly a hot area. The worldwide market is also estimated to be around $4bn, with 90% of the premium income underwritten in the US.
A survey by the Department for Culture, Media and Sport in the UK found that around 9% of businesses have cyber insurance, and this figure grows to 24% for large businesses.
However, Juergen Weiss, managing VP of financial services at Gartner, says this is much smaller than across the Atlantic, estimating only between 5%-10% of the market is bought on British shores.
“There is also less understanding about the complexity of cyber insurance,” he argues. “A recent survey from the DAS UK Group, a UK legal expenses insurer, and HSB Engineering Insurance showed that nearly one-third of UK brokers admit to having only a ‘poor’ or ‘very poor’ understanding of cyber-risks and cyber insurance.”
However, the market, and in turn the understanding of it, is only predicted to rise, with Allianz and other brokers estimating it will reach around $20bn come 2025.
Even with that trajectory, Weiss says: “You need to be aware that cyber insurance represents only a small fraction (less than 1%) of the global insurance premium volume.”
Be that as it may, why is it on the rise?
Weiss says the reasons are pretty obvious, naming Europe’s General Data Protection Regulation (GDPR) as a key factor.
It may have only come into force in May this year, but the new rules requiring CIOs to have tight consent management processes and effective data rights management systems to protect what the EU considers their “most valuable asset” (data) come with stiff penalties. Those found to be in breach of the new regulations can be fined up to 4% of annual global turnover or €20m – whichever is greater – and as much as 2% for not having their records in order.
Joseph Ahern, cyber policy adviser at the Association of British Insurers, says: “GDPR has raised the profile of information issues such as security, and also increases the potential cost of data breaches to businesses.
“The greater maturity of the US cyber-market is intrinsically linked to the passage of mandatory breach reporting laws in the vast majority of US states. By premium, around 85% of cyber insurance is written globally for US risks.”
Then there is the financial pain already being felt by firms. Thousands of attacks are being launched on networks daily, and according to Statista, the average cost of cybercrime in the US alone last year was over $21bn, which makes the need for cover an obvious one.
Yet, according to an estimate by MunichRe, only 5% of these losses are currently insured. Heidi Shey, a principal analyst at Forrester, says: “Over the past year, major data breaches and ransomware attacks, such as Equifax, NotPetya and WannaCry, made headlines and affected companies globally.
“It’s these serious events that remind business leaders just how much their organizations have at stake and why they need new or more cyber insurance.
“The CEO of Lloyd’s attributes these events as the reason that cyber insurance is the fastest growing product segment at her firm.”
What Support Does it Provide Organizations?
Kennedy says having that safety net of cyber insurance provides businesses with the ability to recoup losses from business interruptions, extortion – like ransomware – and data breaches.
“It is that last category that gets a bulk of the attention from practitioners I’ve spoken to,” he says.
“It includes things like the costs associated with forensic investigation to determine the scale of a breach, customer notification – which isn’t easy as state level breach notification laws are a patchwork of requirements – credit monitoring for affected customers, call center support, regulatory or payment card industry fines, and so forth.”
Ahern argues that cyber insurance does a great deal more than simply pay claims in the event of a breach or cyber-incident.
“It also provides practical advice and support to prevent breaches from happening in the first place,” he says.
“The exact support and policy coverage provided by insurers to their customers will differ depending on providers and the level of cover that is purchased.
“However, the core parts of cyber insurance have some common aspects, such as preventative support, beginning during the underwriting process, which provides an opportunity for firms to consider and address major vulnerabilities within their business, leveraging the expertise of their insurer.
“Support will typically continue throughout the duration of the policy through services such as online risk management support.”
However, Shey says companies must do their due diligence when finding the right fit for the business.
“There are more factors to consider than which carrier offers the best coverage for the best prices,” she says. “Assess their cyber-acumen, review their service panels, check their claim approval rates and ask to speak to a customer reference who’s been through that process.”
Majukumar agrees, adding: “CIOs should carefully evaluate whether cybersecurity insurance is appropriate for their organization. This evaluation should include an assessment of the level of risk that would be covered by the policy and overlapping coverages that may already exist.”
Is There a Potential Downside to Cyber Insurance?
Ahern simply says no, “not unless you see paying a premium as a downside – but that’s part and parcel of having a good insurance policy in place.”
However, Kennedy says that while it offers many benefits, cyber insurance is merely a piece of the puzzle for keeping yourself protected. “Policies typically have limits on pay outs, number of records/customers affected, and a myriad of other limitations to be aware of,” he warns.
There are more risks too.
“The first is of course a false sense of confidence around what cyber insurance is able to cover, and a possible de-emphasis on the due care required around detective, preventative and incident response controls,” explains Kennedy.
“Using Equifax as an example, despite multiple cyber insurance policies in place, insurance only covered a fraction of the actual breach-related costs, and could never cover things like reputational damage.”
Kennedy says there is also a question about an encouragement for the extortionists. “Today, there is a very low percentage of organizations reportedly paying ransoms for ransomware type situations. Does the advent of insurance coverage therefore make it ‘easier’ to pay an extortion? In the medical field, for example, it can be easier to pay out on even dubious medical malpractice claims today because the cost equation has shifted.”
Weiss says there are problems for both buyers and sellers in the market. “Some of the issues for buyers are high premium costs and insufficient aggregate limits, confusion about terms and conditions, non-standard products, complex pre-screening and complacency.
“For sellers there is the rating and pricing complexity, profitability considerations, adverse risk selection, moral hazard, reinsurance capacity, target market segmentation and the accumulation of risks.”
Shey adds that you must look hard to find the right provider for you. “Cyber insurance policies are long and convoluted, and so is the list of providers in the ecosystem,” she says. “Evaluate your broker, carrier and post-breach service options closely, and scour through your policy to minimize stringent sub limits and coverage gaps.”
We all know that ignoring cybersecurity comes at your and your business’ peril. Now, the growth of cyber insurance is giving organizations something else to think about. It may seem like just another element on a long list, but if done right and evaluated first, it could be something to save you and your company in the long run.