UK lags US in cyber insurance, study shows

UK companies are lagging behind US companies in taking out insurance to cushion financial impact of cyber attacks

UK companies are lagging behind US companies in taking out insurance to cushion the financial impact of cyber attacks, a study has shown.

Only 13% of large and mid-sized companies in the UK with annual turnover of $1m to $1bn have dedicated cyber insurance, according to the study by The Corporate Executive Programme (CEP).

Some 40% of US companies polled said they had dedicated cyber insurance, indicating greater familiarity with cyber security product offerings than their UK counterparts.

Overall, only 20% of respondents said their organisation had dedicated cyber cover – an equal number had no cover at all.

In November 2014, the UK government joined forces with the insurance industry to improve how UK businesses manage cyber security risk.

The initiative builds on the government’s 10 Steps to Cyber Security and the Cyber Essentials Scheme as part of the UK Cyber Security Strategy.

The UK government believes working with the insurance industry to develop a comprehensive cyber security insurance model will encourage private-sector firms to manage cyber risk.

Reputation not protected by insurance

However, the government has emphasised that cyber insurance does not replace the need for good cyber security practice.

Security professionals have also warned businesses not to rely on cyber insurance, pointing out that insurance cannot mitigate against reputational loss.

They said businesses should instead aim to be smart with their approach and consider the people, process and technology elements when it comes to responding to the threats they face.

A risk-based approach to cyber security is aimed at enabling businesses to ensure they are dealing with the largest and most dangerous issues first.

“Even if your organisation has breach insurance, when a breach occurs, it's typically a career-ending move,” said Simon Crosby, co-founder and chief technology officer at Bromium.

“Nobody wins a promotion because the firm was saved financially when the tabloid front pages crow about a breach,” he said.

Crosby said customer loyalty depends on defending the enterprise: “Simply purchasing insurance and hoping for the best is not a viable path. Instead, organisations need to get serious about cyber defence.”

Martin Lee, cyber crime manager at Alert Logic, said cyber insurance has its place, but it is as an adjunct to best practices.

“Most people would rather stay in a building with a sprinkler system than one that just has good fire insurance. Similarly, most people would rather do business with an organisation that has a good cyber security implementation rather than one that just has a good cyber insurance policy,” he said.

Managing risk a priority for all

Focusing on the 87% of UK firms and 60% of US firms that did not have dedicated cyber insurance, Tim Erlin, director of security and risk at Tripwire said this demonstrates a clear need for cyber insurance, coupled with a market under-served by existing products.

“One of the most effective ways that information security can get more involved in the business is to understand how cyber insurance works, what it covers and why it is a difficult problem to solve,” he said.

Erlin said risk transfer, rather than mitigation with tools, is fundamentally a business problem, and therefore it is not surprising that retail, an industry hard hit by cyber attacks, has the highest rate of cyber cover.

There is a clear connection between predictable, measurable impact of a data breach and adoption of cyber insurance

Tim Erlin, Tripwire

The CEP study shows that the retail sector had most organisations purchasing cyber cover (37%), followed by the finance sector (25%), marketing (13%), consultancy (13%) and manufacturing (12%).

“There is a clear connection between predictable, measurable impact of a data breach and adoption of cyber insurance,” said Erlin.

“When insurance providers can estimate impacts accurately, they can build profitable policies that meet market demand,” he said.

However, Erlin said organisations should be sure to read the fine print on what risks they are transferring with these policies.

A quarter of organisations polled said they had suffered a business-impacting cyber incident in the past year, and 30% of these had dedicated cyber insurance.

“This means insurance companies are not managing their risk properly – they either implicitly encourage organisations to be less diligent or they do not check the posture of organisations which sign up for cyber insurance properly,” said Amichai Shulman, chief technology officer at security firm Imperva.

“Cyber insurance is one piece in the puzzle of managing information security risks in an organisation, but if a company’s head of information security is not taking part in the decisions about cyber insurance then the organisation is bound to over-spend and under-spend on the other pieces of the puzzle, providing an overall ineffective risk coverage,” he said.

The CEP study found that the legal department was most likely to make cyber cover purchasing decisions, and had done so in half of the companies where such cover existed. The head of risk and the board of organisations were involved in only 25% of decisions. Heads of information security appeared to have little role to play in purchasing decisions, the study said.

Shulman said that if the cyber insurance policy covers certain aspects of the risk, given the existing posture of existing systems, for example, the head of security is better off spending additional funds in the security of new systems rather than existing ones.

“Or if the costs of investigating a breach are covered by the policy, then the head of security should limit the funding of projects aimed at making this task more cost effective,” he said.

Risks and premiums

Despite the growing adoption of cyber insurance, some have suggested that the current model is not fit for purpose.

According to Alex Fidgen, director at MWR InfoSecurity, the insurance industry does not have the skills to accurately assess cyber risk without partnering with specialist organisations because the issues that need assessing are deeply technical in nature.

He believes the industry as a whole needs to take an asset-based approach to cyber defence, rather than a blanket approach, which would allow organisations to concentrate their defensive spending better.

“But insurance companies would still struggle to assess the effectiveness of these defences without specialist services,” said Fidgen.

“One answer could be for the insurance companies to formally link with industry bodies such as Crest to define a basic approach that could start to be used to assess risk, and then apply suitable premiums. A company which could show that it had achieved a better level of defence could then argue for its premium to be lowered, in line with the industry standard,” he said.

But others have proposed a more radical approach, such as the head of the largest Lloyd’s of London insurer, Stephen Catlin.

Speaking at an insurance industry conference recently, he said cyber attacks are now so dangerous to global businesses that governments should step in to cover the risks.

The founder of insurer Catlin Group said cyber security presented the biggest, most systemic risk he has come across in all of the 42 years he has worked in insurance, according to the Financial Times.

He pointed out that cyber risks are difficult to model and that vulnerability in widely-used software or internet architecture can bring down systems globally.

Catlin said governments have already had to establish state-backed schemes to provide terrorism cover, such as Pool Re in the UK, but he said cyber security presented an even bigger threat than terrorism.

The findings of the CEP study support the need for improvements in the cyber insurance industry to encourage best practice by organisations in information security.

For example, the study found that only half of organisations with cyber insurance conduct thorough checks to confirm continued insurance cover through the supply chain.

The CEP study also indicates a need for information security heads to increase their knowledge of cyber insurance, with most heads of information security interviewed saying they did not have knowledge of the types of dedicated cyber insurance products available.

Read more on IT risk management