Cyber insurance scepticism leaves firms open to impact of attacks

Distrust of insurers is leaving businesses vulnerable to the effects of cyber attacks, a KPMG survey has revealed.

Nearly 80% of organisations belonging to KPMG’s International Information Integrity Institute (I-4) do not have cyber insurance in place.

Belief that insurers will not pay out on a claim is the top reason information security heads are not buying cyber insurance, the survey revealed.

This is despite 79% believing that cyber security threats are likely to increase over the next year and 74% regarding organised crime and state-sponsored activity as the biggest threats.

For those I-4 members whose businesses have purchased cyber insurance, 48% think the policies may not pay out if they need it.

“It is worrying to see that so many businesses would rather risk having no insurance in place to protect themselves against a threat they believe is very real,” said I-4 head Mark Waghorne.

“It is also disappointing that cyber insurance is viewed as providing little comfort to those who have it, as almost half don’t believe they would be compensated properly if push came to shove.”

According to the survey, about a third of respondents believe the market for cyber insurance is not yet mature enough.

Waghorne said insurers will need to deliver more comprehensive packages to convince the business community that they can and will protect against losses on cyber crime.

However, he said discussions during a later debate at the most recent I-4 Forum showed that the availability of specialist, focused cyber-related insurance has much improved during the past year with clear evidence that carriers do pay out.

“This indicates that those organisations which have avoided cyber insurance in the past should perhaps revisit their positions,” said Waghorne.

UK lags behind US in taking out cyber insurance

In February 2015, a study by The Corporate Executive Programme (CEP) revealed UK companies are lagging behind US companies in taking out insurance to cushion the financial impact of cyber attacks.

Only 13% of large and mid-sized companies in the UK with annual turnover of $1m to $1bn have dedicated cyber insurance, the study showed.

Some 40% of US companies polled said they had dedicated cyber insurance, indicating greater familiarity with cyber security product offerings than their UK counterparts.

Overall, only 20% of respondents said their organisation had dedicated cyber cover – an equal number had no cover at all.

In November 2014, the UK government joined forces with the insurance industry to improve how UK businesses manage cyber security risk.

The initiative builds on the government’s 10 Steps to Cyber Security and the Cyber Essentials Scheme as part of the UK Cyber Security Strategy.

The UK government believes working with the insurance industry to develop a comprehensive cyber security insurance model will encourage private sector firms to manage cyber risk.

However, the government has emphasised that cyber insurance does not replace the need for good cyber security practice.

Insurance cannot mitigate against reputational loss

Security professionals have also warned businesses not to rely on cyber insurance, pointing out that insurance cannot mitigate against reputational loss.

They said businesses should instead aim to be smart with their approach and consider the people, process and technology elements when it comes to responding to cyber threats.

However, MWR InfoSecurity director Alex Fidgen believes the insurance industry does not have the skills to accurately assess cyber risk without partnering with specialist organisations because the issues that need assessing are deeply technical in nature.

He said the industry as a whole needs to take an asset-based approach to cyber defence, rather than a blanket approach, which would allow organisations to concentrate their defensive spending better.

“But insurance companies would still struggle to assess the effectiveness of these defences without specialist services,” said Fidgen.

“One answer could be for the insurance companies to formally link with industry bodies such as Crest to define a basic approach that could start to be used to assess risk, and then apply suitable premiums. A company which could show that it had achieved a better level of defence could then argue for its premium to be lowered, in line with the industry standard,” he said.

The findings of the CEP study support the need for improvements in the cyber insurance industry to encourage best practice by organisations in information security.

For example, the study revealed that only half of organisations with cyber insurance conduct thorough checks to confirm continued insurance cover through the supply chain.

The CEP study also indicates a need for information security heads to increase their knowledge of cyber insurance, with most heads of information security interviewed saying they did not have knowledge of the types of dedicated cyber insurance products available.

3 comments
Given that there have been various reports saying that the losses from cybercrime could be such that underwriters are not willing to take it on, this is perhaps not surprising. This whole area is surrounded in fog. Should it be made compulsory? http://bit.ly/1zo0KPC #idg in association with #dell

It is important to note what the new generation of cyber insurance policies cover and what they do not. Many of them cover the cost of managing an incident in accordance with the plan that was agreed as part of the policy. That plan may well include the use of named public affairs, law firms, forensic experts and credit control organisations acting as a pre-agreed team, using the material that the victim has routinely logged to help them identify who was responsible (and who aided and abetted them), not "just" the damage done and remedial action necessary. The policy is designed to reduce the consequences of the attack and enable legal (civil not "just" criminal) action against the attackers, as opposed to covering the "losses". Policies to cover the latter may well be prohibitively expensive or even impossible to obtain. This may well help explain the "scepticism" - especially because "fines" for lack of PCI-DSS compliance or the loss of credit card facilities (for example) may well no longer be insurable.

I can see it now... Just another method for insurance fraud. Take out a large policy, then hack your own system. It will be interesting to see how this works out in the near future. It seems like the insurance is a safety net for companies who may not want to take the initiative and protect their systems from the start.
