Security professionals have warned businesses not to rely on cyber insurance in the face of increased cyber attacks.
The warning comes after the head of the largest Lloyd’s of London insurer, Stephen Catlin, said cyber attacks are now so dangerous to global businesses that governments should step in to cover the risks.
The founder of insurer Catlin Group said cyber security presented the biggest, most systemic risk he has come across in all of the 42 years he has worked in insurance, according to the Financial Times.
“Our balance sheets are not large enough to pay for that,” Catlin told the Insurance Insider London 2015 conference.
Analysts said Catlin’s comments underscore the reservations that insurers have about underwriting cyber security risks.
He pointed out that cyber risks are difficult to model and that a vulnerability in widely used software or internet architecture can bring down systems globally.
Catlin said governments have already had to establish state-backed schemes to provide terrorism cover, such as Pool Re in the UK, but he said cyber security presented an even bigger threat than terrorism.
Fujitsu enterprise and cyber security solutions architect for the UK and Ireland Rob Lay said businesses should not rely on insurance as a way of protecting themselves from an attack.
“While insurance may help mitigate some of the financial impact of a security incident or breach, the reputational impact and the impact to the business operation cannot be mitigated with insurance in the same way,” he said.
Lay said that businesses should instead aim to be smart with their approach and consider the people, process and technology elements when it comes to responding to the threats they face.
“By taking this risk-based approach, businesses can ensure that they are dealing with the largest and most dangerous issues first,” he said.
Lay said a recent Fujitsu study on digital enablement showed that for the 12% of UK consumers who said they never use digital services, security was a top concern.
Arbor Networks director of solutions architects Darren Anstee said the costs around successful cyber attacks can be very considerable, especially where customer personal or credit information is involved.
“Unfortunately, given the value of this information, in many cases this is what attackers are after,” he said.
According to research from the Economist Intelligence Unit, sponsored by Arbor Networks, the demand for insurance products which insure against losses due to cyber attacks is growing strongly.
“However, market penetration is still relatively low,” said Anstee.
“In this year’s Arbor Worldwide Infrastructure Security Survey, only 6% of non-service provider respondents indicated that they had contracted with an insurance provider for assistance in this area, and for service providers it was even lower at 2%,” he said.
Anstee said that as the costs around successful cyber attacks – and thus the business risks – become more widely appreciated, organisations will hopefully invest to raise their security posture.
“However, defending organisations from today’s threats is not all about technology, there needs to be at least as much focus on the people, processes and workflows that are involved,” he said.
Anstee said incident responders need to be able to identify, prioritise and investigate threats as efficiently as possible, and they need access to threat intelligence and tools that facilitate this process.