Cyber insurance scepticism leaves firms open to impact of attacks

Distrust of insurers is leaving businesses vulnerable to the effects of cyber attacks, a KPMG survey has revealed

Distrust of insurers is leaving businesses vulnerable to the effects of cyber attacks, a KPMG survey has revealed.

Nearly 80% of organisations belonging to KPMG’s International Information Integrity Institute (I-4) do not have cyber insurance in place.

Belief that insurers will not pay out on a claim is the top reason information security heads are not buying cyber insurance, the survey revealed.

This is despite 79% believing that cyber security threats are likely to increase over the next year and 74% regarding organised crime and state-sponsored activity as the biggest threats.

For those I-4 members whose businesses have purchased cyber insurance, 48% think the policies may not pay out if they need it.

“It is worrying to see that so many businesses would rather risk having no insurance in place to protect themselves against a threat they believe is very real,” said I-4 head Mark Waghorne.

“It is also disappointing that cyber insurance is viewed as providing little comfort to those who have it, as almost half don’t believe they would be compensated properly if push came to shove.”

According to the survey, about a third of respondents believe the market for cyber insurance is not yet mature enough.

Waghorne said insurers will need to deliver more comprehensive packages to convince the business community that they can and will protect against losses on cyber crime.

However, he said discussions during a later debate at the most recent I-4 Forum showed that the availability of specialist, focused cyber-related insurance has much improved during the past year with clear evidence that carriers do pay out.

“This indicates that those organisations which have avoided cyber insurance in the past should perhaps revisit their positions,” said Waghorne.

UK lag behind US in taking out cyber insurance

In February 2015, a study by The Corporate Executive Programme (CEP) revealed UK companies are lagging behind US companies in taking out insurance to cushion the financial impact of cyber attacks.

Only 13% of large and mid-sized companies in the UK with annual turnover of $1m to $1bn have dedicated cyber insurance, the study showed.

Some 40% of US companies polled said they had dedicated cyber insurance, indicating greater familiarity with cyber security product offerings than their UK counterparts.

Overall, only 20% of respondents said their organisation had dedicated cyber cover – an equal number had no cover at all.

In November 2014, the UK government joined forces with the insurance industry to improve how UK businesses manage cyber security risk.

The initiative builds on the government’s 10 Steps to Cyber Security and the Cyber Essentials Scheme as part of the UK Cyber Security Strategy.

The UK government believes working with the insurance industry to develop a comprehensive cyber security insurance model will encourage private sector firms to manage cyber risk.

However, the government has emphasised that cyber insurance does not replace the need for good cyber security practice.

Insurance cannot mitigate against reputational loss

Security professionals have also warned businesses not to rely on cyber insurance, pointing out that insurance cannot mitigate against reputational loss.

They said businesses should instead aim to be smart with their approach and consider the people, process and technology elements when it comes to responding to cyber threats.

Read more about cyber insurance

However, MWR InfoSecurity director Alex Fidgen believes the insurance industry does not have the skills to accurately assess cyber risk without partnering with specialist organisations because the issues that need assessing are deeply technical in nature.

He said the industry as a whole needs to take an asset-based approach to cyber defence, rather than a blanket approach, which would allow organisations to concentrate their defensive spending better.

“But insurance companies would still struggle to assess the effectiveness of these defences without specialist services,” said Fidgen.

“One answer could be for the insurance companies to formally link with industry bodies such as Crest to define a basic approach that could start to be used to assess risk, and then apply suitable premiums. A company which could show that it had achieved a better level of defence could then argue for its premium to be lowered, in line with the industry standard,” he said.

The findings of the CEP study support the need for improvements in the cyber insurance industry to encourage best practice by organisations in information security.

For example, the study revealed that only half of organisations with cyber insurance conduct thorough checks to confirm continued insurance cover through the supply chain.

The CEP study also indicates a need for information security heads to increase their knowledge of cyber insurance, with most heads of information security interviewed saying they did not have knowledge of the types of dedicated cyber insurance products available.

Read more on IT risk management