Cyber insurance is a topic of great interest in business, and insurance speakers are found in increasing numbers at cyber security events. Given the level of data breaches and security failures we read about every day, it is natural that the business world would be turning an increasingly interested eye to its insurance cover.
There is a lot to consider when looking at cyber insurance, however. If an organisation is serious about purchasing cover, an understanding of its own cyber risk appetite, that of third parties, and what precisely it is buying from its insurance is vital.
Cyber insurance is an immature market and a lack of historical trend data – combined with a complex and rapidly evolving landscape – means it is hard for insurers to predict what the market will do and how business needs will be met.
However, one of the main challenges for purchasers is the lack of consistency between policies, which makes benchmarking and selection doubly difficult. The insurance sector itself doesn’t have a whiter-than-white reputation in cyber security so, in real terms, everyone is learning as they go.
When it comes to risk, cyber insurance policies are generally not risk-rated by organisation. This means that a “boy racer” is treated the same as the “careful owner” who does 10 miles per week to the library and back.
Quite apart from the logic fail from a risk perspective, this may be leaving insurers somewhat exposed. Though the Association of British Insurers (ABI) suggests the government’s Cyber Essentials Scheme as a good start for cyber security improvement, there is no ubiquitous incentive to tighten up on cyber security.
Given that most breaches are caused by human behaviour, the “technical basics” approach of Cyber Essentials might not be enough to cover breaches caused by, for example, poor training, which then leads to a security incident.
Supply chain and third-party agreements need to be considered by partners and not just the insured. We know the implication of weaknesses in supply chain security only too well and consistency will help mitigate some of the resulting risk.
Going back to how risk is treated in cyber insurance, if a business offshores all of its data processing, is it right that this business should have the same policy and premium as a business that processes onsite?
If an organisation is seeking cyber insurance, it needs to take a risk-based approach and know its assets, its processes and risk appetite and match these to the policy, rather than the other way around.
There are constant developments in this market and, while cyber insurance can be a great complement to an organisation’s security posture, it shouldn’t replace good-quality security training, policy and processes.
If you take out dangerous sports insurance, it doesn’t mean you won’t get injured – the same applies here. Remember that the insurance is there to help you recover from an incident; protection from security incidents comes from the organisational attitude and security culture.
Mike Gillespie is director of cyber research and security at The Security Institute.