The following is an opinion article written by Phil Kernick, chief technology officer at CQR.
As the number of cyber attacks on organisations around the world continues to increase, many are opting to invest in specialised insurance policies as a means of protection.
The policies vary significantly in scope and cost, but all offer a level of protection should an attack occur. Policyholders hope this will be sufficient to cover the cost of remediation for affected systems as well as lost production or sales.
Cyber insurance is a relatively new field and it’s worth closely examining the policies on offer before making any investment in cover. Just as car, travel and life insurance policies have carefully worded caveats, so too do those in the area of cyber insurance.
It’s all about the risk
Insurance companies go to great lengths to ensure they don’t lose money. They take time to fully understand the extent of the risks they are covering and then price their policies accordingly.
Health insurance is a case in point. Insurance companies use everything from sex, age, location, and occupation to accurately gauge a person’s likelihood of having a heart attack. Premiums are then set at an appropriate level. Someone with a family history of coronary disease who is overweight is likely to pay more than someone without those characteristics.
When it comes to cyber insurance, however, making such calculations is more difficult. Because modern computing has only existed for about 25 years, there is only limited history on which to base predictions. Knowing how often a car is likely to break down or a cyclone to hit a town is one thing, but calculating the likelihood of a business experiencing a ransomware attack is very different.
The challenge is exacerbated by the fact that the number of attacks occurring is rising exponentially. Basing future projections of risk on historical data is a tricky thing to do.
It’s also impossible for insurance companies to predict how much damage or disruption might be inflicted and, therefore, how much it will cost for an organisation to recover from an attack. This makes the task of pricing an insurance policy very difficult.
Limiting the cover
As a result of these factors, companies offering cyber insurance are taking great care with the wording of their policies. Most will require an organisation to complete a detailed questionnaire about the security tools and processes they have in place. If they don’t measure up in the eyes of the insurer, cover will be declined.
Policies are also likely to contain a lot of exclusions. If core IT systems have not been patched, or security tools effectively installed, cover could be denied. Some may also reject payouts if it transpires that the attack was the result of staff not following documented security procedures.
Insurance companies are also likely to limit the payouts they make to relatively modest levels. In the case of a severe attack, the amount may not be sufficient to cover the full cost of recovery. This might come as a shock to management who have been reassuring themselves that they won’t lose out if and when a cyber attack occurs.
The role of cyber insurance cover
Interestingly, some organisations are starting to consider cyber insurance as an alternative to implementing effective security measures. They think that, if they simply put a policy in place, all can be fixed at no cost to them if an attack takes place. Unfortunately, this is absolutely the wrong way to look at it.
Indeed, organisations are likely to find it very difficult to get any cover at all unless their existing cyber security is deemed to be sufficient by the insurer. They will be required to have appropriate tools in place that are constantly managed and regularly updated. They will also need to show evidence of staff education and the implementation of policies that reduce the chance of attacks occurring in the first place.
The bottom line is that cyber insurance only works as a top-up to existing effective security measures. It is not a replacement for them in any way and should not be regarded as an easy alternative.
Cyber insurance is an area of the insurance industry that is quickly evolving. Before any policy is purchased, an organisation should carefully check that it will actually provide the level of cover that is anticipated. Thinking about this after an attack will be too late.
The preceding was an opinion article written by Phil Kernick, chief technology officer at CQR. The views expressed within the article are not necessarily reflective of those of Insurance Business.