Cover can be a powerful tool to mitigate risks – but we must have realistic expectations
Interest in cyber insurance is growing. In November, Inga Beale, chief executive of specialist insurance market Lloyd’s, said the cover was becoming a “must buy” for businesses.
“The use of technology means that the risk of cyber attack is going to be one of the key risks that all businesses face and really they are going to be buying insurance to protect themselves against it like they do the other perils,” she said.
Businesses increasingly agree. One recent survey found that 80% of companies with more than 1,000 employees purchased a stand-alone cyber security policy in 2016.
“Awareness, increased availability and contractual mandates are just some of the reasons that have contributed to the significant increase in organizations purchasing stand-alone cyber insurance,” noted RIMS, the risk management society.
Already well established in the US, cover is set to become increasingly popular in Europe, particularly with the implementation of the General Data Protection Regulation in 2018. Its provisions for mandatory notification of people affected by data breaches – similar to those in place in most US states – can result in substantial costs for business, and are expected to be a key driver for uptake.
It’s not just notification costs, however, but a whole range of first and third-party losses that the insurance covers. For example, insurer AIG has revealed that ransomware and other cyber extortion attacks account for 20 per cent of its claims.
Mind the gaps: cyber and social engineering
While it is hard to argue with those who say cyber insurance is an increasingly valuable tool, it’s not a panacea.
For a start, as uptake grows, it’s uncertain how much of the vast potential cyber exposure in the economy insurers will be comfortable covering. Beale herself has called on the government to help collect data about cyber attacks. At the moment, she suggested, the industry remains slightly unsure of the risks.
“We’d love to have the data to build up a fair pricing model,” as she put it. As demand for the insurance grows, it will be interesting to see just how much appetite insurers have for these risks.
Second, the insurance won’t cover all the exposures. For instance, while social engineering attacks like “Fake President” frauds are often considered alongside other cyber risks, they are not usually covered by cyber policies. Instead they must be picked up by crime policies, which only a minority of businesses take out. In fact, cyber insurance will rarely cover the theft of money, whether there is a computer involved somewhere in the process or not. Instead, the cover is focussed on the costs around a data or network breach. Buyers need to carefully consider their requirements.
Finally, even where cyber is the right insurance, it doesn’t eliminate the need for decent security systems and procedures. Indeed, as insurers become more wary of their own exposures they are increasingly likely to insist on it.