Cyber risk insurance is more than just insurance

When a Singapore company fell prey to a ransomware attack that encrypted and blocked access to its data held on 20 servers on one fateful weekend, it turned to its cyber risk insurer for help.

The insurer, Chubb, activated its appointed cyber forensics firm to work out a mitigation strategy by identifying less business-critical servers that could be restored from backups and negotiating the ransom amount with the perpetrators.

An incident response team eventually removed the ransomware from the affected servers, while a crisis management firm was roped in to assist with client communications.

Similar attacks are playing out across Singapore, but adoption of cyber risk insurance remains low among small and medium-sized enterprises (SMEs). According to a recent study by Chubb, only 34% of SMEs in Singapore are currently insured, partly because of uncertainty over the value of cyber risk insurance.

For example, it is not widely known that cyber risk insurers such as Chubb also provide access to security tools and incident response services, according to Andrew Taylor, cyber underwriting manager of Chubb in the Asia-Pacific region.

“Our policy is more than a traditional promise to pay,” Taylor told Computer Weekly. “We provide access to free tools like password managers even if you don’t have a claim.”

To help its clients shore up their cyber hygiene, Taylor said Chubb provides information on cyber security training, as well as access to security experts that offer services to simulate cyber attacks.

“We’ve created a policy that’s more than traditional insurance,” Taylor said. “We're not waiting for clients to make a claim, because we know that’s going to happen.”

When a data breach occurs, multinational firms, including SMEs, are often required to notify authorities of the breach in countries with strict data protection regulations. Taylor said this can be a hassle for SMEs that may not have access to legal experts in multiple jurisdictions.

Through a cyber risk insurer such as Chubb, SMEs would get access to lawyers to fulfil their data breach notification obligations across territories. “That’s the embedded value that SMEs get to save their cash flow, protect their business and hopefully gives them the assurance that they should spend more money to grow their business,” said Taylor.

To cater to differing risk appetites, Chubb offers a range of coverage options, with adjustable payment limits that will affect policy premiums. “We also discuss and negotiate deductibles with the broker to understand the level of risk clients want to transfer to us or take on themselves,” Taylor said.

But one thing that Chubb does not compromise on in its cyber risk insurance policies is incident response, which Taylor said cannot be excluded from a policy “because we know that’s the real value”.

Globally, the average incident response cost hovers around $420,000, with cyber forensics accounting for about 40% of that amount, according to claims statistics published by Chubb.

In addition, between 60-70% of claims involve breaches of less than 100 data records. “So, SMEs don’t need to be a lot of data to be breached to potentially cost them substantial amounts of cash flow money,” Taylor said.

There is a risk, however, for SMEs to get trapped in the checkbox security mentality, having fulfilled the security audits that cyber risk insurers would have conducted as part of their client onboarding process.

Taylor said Chubb’s cyber risk insurance policies are renewed annually, so the insurer will get to take regular snapshots of a client’s security posture, leaving no room for complacency.