The role of insurance in managing cyber risks
- Published: Friday, 31 July 2020 08:33
The demand for cyber insurance is increasing, but what does it protect against, and importantly, is it worth the money? Jan van Vliet attempts to answer some of the key questions businesses face when deciding if investing in cyber insurance is right for them.
What is cyber insurance and why is it important?
Cyber insurance is designed to protect a company against the financial damage that can be caused by the increasingly diverse range of cyber security threats out there today. Just a few examples of these include ransomware, hacks, data breaches, DDoS attacks and malware.
In the event of an attack, companies need as many resources as possible to deal with it quickly. This is where cyber insurance can be incredibly helpful, especially for smaller companies, by providing the support needed to mitigate the potentially devastating financial impacts of such an event.
Of course, it’s important to point out that cyber insurance should never be a replacement for a properly implemented information security programme. Rather, it should be used to complement and strengthen existing tools and strategies, giving organizations another potential option to consider should the worst happen.
What potential costs does cyber insurance cover?
Cyber insurance policies are designed to address three core types of cost, all stemming from the same basic scenario: the loss of control over, or access to, critical data, IT, or operational technology (OT) systems.
These three costs are as follows:
Privacy liability and regulatory fines
This includes the defence and indemnification for liability to third parties for not keeping their data safe, as well as costs for regulatory investigations arising out of a data breach, including potential fines and/or penalties.
Data breach costs
This includes major costs associated with the breach itself, such as computer forensics to determine the cause and scope of the breach, legal advice, public relations consulting, and the cost of notifying those affected and providing them with credit monitoring.
Business interruptions and other expenses
This includes the losses resulting from unexpected downtime and lost productivity, lost business profits and expenses incurred to continue operations.
The value of cyber insurance: A tale of two cities
To understand the value (and moral dilemma) that cyber insurance can bring, here are two examples of US cities that both fell victim to cyber attacks in the last few years, but which chose different paths to resolving the incident, leading to very different outcomes.
In 2019, Lake City in Florida fell victim to a ransomware attack that crippled its government systems. Rather than pursuing data recovery options, it chose to pay the criminals’ ransom of around £350,000 via its insurance policy. The government itself was only liable for the £7,500 policy excess, with insurance firm Beazley paying the balance under the terms of the policy. It was later discovered that the decision to pay was made on Beazley’s own recommendation, after analysis suggested the work needed to recover the stolen data from backups would likely have run into millions of dollars.
The pragmatism of such a decision is difficult to dispute in the face of the evidence. Not only was a significant amount of money saved in the long run, it allowed the government to get back to work much faster than would otherwise have been possible. Unfortunately, it also meant the perpetrators got away with both the crime itself and almost half a million dollars in ill-gotten gains.
By contrast, when the city of Atlanta fell victim to a SamSam ransomware attack in 2018, it refused to pay the £42,000 ransom demand and instead chose to recover the data at its own expense. While this decision left the criminals empty-handed, it’s estimated that the total cost to the city was an eye-watering £6.8 million.
Choosing the right insurance plan is crucial
For businesses that do decide to take out cyber insurance, choosing the right policy is key. When doing so, there are many factors to consider. However, the following should all play a part in the final decision:
- Does the policy cover only attacks that directly target your company, or any attack of which your company is a victim?
- What are the limits of the first- and third-party coverage under the policy?
- Does the policy cover social engineering (e.g. phishing) and network attacks?
- What’s the policy excess? This can vary hugely and make a big difference to your likelihood of actually making a claim in the event of a breach.
- Does the insurer offer one or more policy types? Is the policy an extension to an existing one? A stand-alone policy is the preferred choice as it’s usually more comprehensive.
Apart from the five factors cited above, it's also important to consider exactly what information needs protection and the level of coverage needed to do so. While it’s always best to err on the side of caution here, there’s no need to get completely carried away with a policy that’s far more comprehensive (and therefore, expensive) than you actually need.
It is worth noting that a number of leading insurance providers are coming together under schemes like Marsh’s Cyber Catalyst program, which allow cyber insurers to identify cyber security solutions they consider effective in reducing cyber risk. Using these ‘preferred’ cyber security solutions can limit a company’s risk and also qualify that company for more favourable terms and conditions.
The ever-growing depth and breadth of cyber threats faced in the modern business landscape has seen the demand for cyber insurance rise significantly in recent years. While it should never be seen as a replacement for a robust cyber security strategy, it can provide an extra layer of protection for companies without the time or resources to recover from a major breach by themselves. However, cyber insurance also raises some difficult moral questions, with some arguing that it actively encourages criminals to target companies known to have it in place, in the hope of an easy pay day. Ultimately, the choice of whether to invest in cyber insurance is an individual one, but it appears to be becoming an increasingly prudent one.
Jan van Vliet is VP EMEA at Digital Guardian
Jan is a seasoned senior executive with a proven track record of success in both emerging and mature markets. He is responsible for expanding Digital Guardian’s business and market share throughout EMEA, driving strategy and overseeing operations in both regions. Jan holds a Bachelor and Master of Science degree in Computer Science from the Delft University of Technology.