Computer users spend over £150 billion a year on products and services that do not always protect them and their customers from on-line attack and fraud. They spend barely £7 billion on cyber insurance for when those products and services fail. By contrast, spending on fire protection and on fire insurance is about the same, and spending on theft protection and on theft insurance is also about the same. The big difference is that we know what we have to do in order to get fire and theft insurance: precautions, alarms, fire doors, locks etc. to reduce the likelihood of an incident and limit the damage.
Underwriters are said to have well over £20 billion available to cover more cyberinsurance. But most organisations are uninsurable. They may spend large amounts on security products and services, but they do not do the things that reduce the risk of a successful cyberattack, limit the consequent damage and/or facilitate “asset recovery” (including helping to track, trace and sue those responsible, where this is likely to be cost effective).
Last week I attended a discussion on follow up to the DPA paper on “Cyberinsurance as a catalyst for good security practice”. The meeting brought together those working on common “guidance” for cyber policies, those selling the policies and those advising on risk and/or auditing security. We also had some perceptive inputs from the head of one of the UK’s largest (in terms of organisations, networks and end-points monitored) Security Operations Centres. The discussion was crisp, candid and shorn of jargon. It covered the current state of play (including forward plans), why things are as they are, what is being done by whom and the points of leverage. There will be a report for DPA members and observers.
The discussion brought home to me why we have made so little progress in helping the average Director or Business Owner make sense of the current cacophony of “awareness” messages and marketing hype for security products and services, from encryption, filtering and penetration testing to threat intelligence. Too many players benefit too much from allowing Directors to waste their organisations’ time and money to little practical effect on fragmented approaches. Too few would benefit from expediting the rationalisation and simplification of joined-up guidance that would speed up maturity, insurability and radical risk reduction.
In the event of fire and theft there is clear guidance as to what the customer needs to do in order to obtain insurance cover and make a successful claim if things go wrong. That guidance is based on a distillation of practical experience. Consultants and vendors tailor their offerings and sales messages around what the insurers expect to see done in order to reduce/manage risks before they will cover them.
In the area of cyber risk that guidance is only now being drafted. At the current rate of progress it is likely to be agreed sometime in 2021.
But it is being drafted in the terminologies used by insurance and security professionals and their lawyers. It is likely to be unintelligible to the rest of us. Moreover, the pace of agreement is determined by the priority that those with the necessary expertise give to the exercise.
Political and regulatory interest is likely to complicate and delay the process. There are too many conflicting agendas – both national and international.
Progress will be expedited as leading insurers perceive the potential for more business, and for that business to be more profitable, because risks will fall as organisations do what is necessary to become insurable.
There is obvious benefit from an exercise to produce interim “laymen’s guides” covering what is likely to be agreed, with the aim of helping provide more profitable insurance at lower cost to organisations that better manage risk and are therefore less likely to make claims.
The next meeting of the DPA cybersecurity group is expected to bring together those major insurers, security organisations and enforcers who are happy to task their staff to work together accordingly. I am now only a member of the DPA advisory board, but my current work on community safety has led me into the areas of “reporting” and of “victim support” (including business victims, large and small). I look forward to seeing practical progress, led by the insurance industry, as they have led the way in the past on other areas of risk, from fire brigades and safety at sea to product liability of all kinds (but not, yet, software and cyber).
DPA Groups are driven by their members. Those wishing to join this one, perhaps using the DPA offer of a taster session before paying the subscription, should contact DPA and request an invitation.