Cover can be a powerful tool to mitigate risks – but we must have realistic expectations
Interest in cyber insurance is growing. In November, Inga Beale, chief executive of specialist insurance market Lloyd's, said the cover was becoming a "must buy" for businesses.
"The use of technology means that the risk of cyber attack is going to be one of the key risks that all businesses face and really they are going to be buying insurance to protect themselves against it like they do the other perils," she said.
Businesses increasingly agree. One recent survey found that 80% of companies with more than 1,000 employees purchased a stand-alone cyber security policy in 2016.
"Awareness, increased availability and contractual mandates are just some of the reasons that have contributed to the significant increase in organizations purchasing stand-alone cyber insurance," noted RIMS, the risk management society.
Already well established in the US, cover is set to become increasingly popular in Europe, particularly with the implementation of the General Data Protection Regulation in 2018. Its provisions for mandatory notification of people affected by data breaches – similar to those in place in most US states – can result in substantial costs for business, and are expected to be a key driver for uptake.
It's not just notification costs, however, but a whole range of first- and third-party losses that the insurance covers. For example, insurer AIG has revealed that ransomware and other cyber extortion attacks account for 20 per cent of its claims.
Mind the gaps: cyber and social engineering
While it is hard to argue with those who say cyber insurance is an increasingly valuable tool, it's not a panacea.
For a start, as uptake grows, it's uncertain how much of the vast potential cyber exposure in the economy insurers will be comfortable covering. Beale herself has called on the government to help collect data about cyber attacks. At the moment, she suggested, the industry remains slightly unsure of the risks.
"We'd love to have the data to build up a fair pricing model," as she put it. As demand for the insurance grows, it will be interesting to see just how much appetite insurers have for these risks.
Second, the insurance won't cover all the exposures. For instance, while social engineering attacks like "Fake President" frauds are often considered alongside other cyber risks, they are not usually covered by cyber policies. Instead they must be picked up by crime policies, which only a minority of businesses take out. In fact, cyber insurance will rarely cover the theft of money, whether there is a computer involved somewhere in the process or not. Instead, the cover is focussed on the costs around a data or network breach. Buyers need to carefully consider their requirements.
Finally, even where cyber is the right insurance, it doesn't eliminate the need for decent security systems and procedures. Indeed, as insurers become more wary of their own exposures they are increasingly likely to insist on it.