Maksim Kabakou - Fotolia
Using insurance to transfer the risk associated with cyber breaches is on the increase as the costs of responding continue to rise.
High-profile attacks at Sony, Target and Home Depot were notable both in terms of the scale of the breaches and because the organisations used insurance to reduce the financial impact of their losses, despite them being relatively inconsequential in terms of their turnover.
That said, costs directly associated with a breach can be significant; the 2016 Ponemon Institute cost of data breach study put the average cost at £2.53m, a 6.5% increase over two years.
Factors to consider include investigation, remediation, regulatory penalties (with the General Data Protection Regulation potentially increasing the fees for cyber security insurance) and liability claims.
For an insurer to indemnify against a loss, they perform due diligence as part of the underwriting process. The process of assessing and quantifying the exposure to cyber security risks varies significantly between insurers, ranging from self-assessment through to independent sampling of business controls at the insured.
From the perspective of the insured, it is important that the assessment process is accurate and repeatable, as in the event of a breach failure to operate controls that have been documented as being in place may result in a reduced pay out (or no compensation at all).
When talking cyber insurance, the devil is in the detail. Companies need to read and understand the small print and consider two key points: the losses for which they want to be insured and the obligations of the insured.
Losses for which they want to be insured
It is critical to include not just the cost of remediating the breach, but also the funds needed to investigate how the breach occurred. This requires forensic skills, which usually have to be hired in at significant expense due to their relatively short supply.
Alternatively, resourcing the requirement in-house needs to factor in taking people away from their day jobs. In either case, management time and attention is required, thereby diverting it from the organisation’s core business.
All forms of breach need to be assessed for inclusion in an insurance policy, such as malicious attacks by hackers and inadvertent errors by staff or third-party suppliers and partners (as well as the possibility that these are deliberate). Similarly, a proactive decision on whether to indemnify against ransomware needs to be made.
The technology platforms need to be considered. Breaches occurring on business-critical cloud infrastructure and services are a common exclusion in insurance policies because the risk may be harder for an insurer to assess, but these platforms are central to many organisations and therefore need to be included.
Liability payments and fines resulting from an attack need to be factored in, along with legal fees. In many cases, a crisis management PR campaign and communications strategy will need to be deployed to protect or revive the brand, with costs for these potentially covered by the cyber insurance policy.
Obligations of the insured
As noted above, if controls to reduce the risk of a breach are documented as being in place but are not operational, pay outs by the insurance company are threatened.
Any organisation taking out cyber security insurance must therefore ensure that the controls that form part of the underwriting criteria are working. This should already be part of good business practise, but is worth stressing.
In addition to controls, there should be processes in place to minimise professional negligence that could lead to a breach, as this is another common exclusion in cyber security policies.
The insurer’s due diligence process will require responses to a range of questions and it is the responsibility of the insured to ensure the responses are correct. They must also notify the insurer of any changes to influencing factors, such as regulatory compliance requirements, infrastructure and material changes in risk measurement.
The cyber insurance market is changing rapidly on account of being relatively immature. This will continue as threats change and the industry works at developing robust risk assessment methods and frameworks that meets the needs of insurance companies, businesses and those potentially affected by cyber attacks.
Alex Ayers is co-founder and consulting director at Turnkey Consulting.