[BreachExchange] Cyber insurance: What and why?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 20 19:17:43 EDT 2017


https://www.helpnetsecurity.com/2017/03/20/cyber-insurance/

High-profile cyber-attacks are fast becoming the norm in modern society,
with 2016 being arguably the worst year for major security breaches.
National Crime Agency statistics released earlier in the year reinforced
this, revealing how last year saw cybercrime overtake more traditional
forms of crime in the UK for the first time.

Logic suggests that this trend is only progressing in one direction. Why
look to target an individual office property when entire businesses can now
be financially exploited and brought to a standstill remotely?

Although most of the headlines focus on the large scale breaches affecting
multinational corporations, a whole host of small and medium sized
enterprises are increasingly suffering from data breaches, creating a “fear
factor” among many organisations. It’s this fear factor that has led to
widespread adoption of cyber insurance. Our recent research found that UK
insurers saw a 50% rise in demand for cyber policies during the course of
2016.

The development of cyber insurance

The primary aim of cyber insurance is to protect individuals and
organisations against the financial fallout from the loss of electronically
stored information. For years, insurance has been purchased to protect
physical property from loss, theft or damage. Only recently, however, has
the importance of buying cyber insurance been fully realised, as we see the
value of electronic data far exceed that of physical property.

While cyber insurance legislation and regulation has been present since the
turn of the millennium, rapid technological development over the past 20
years has ensured this arena remain anything but static. As such, cyber
insurance has had to adapt to meet the way in which society utilises
technology as a key part of modern life. It is now being purchased to
address the concerning rise of cybercrime, which comes in various forms,
from ransomware to phishing scams through to cyber extortion and hack
attacks similar to those experienced widely toward the end of 2016.

Current policies help victims of cybercrime in various ways from a
financial perspective. This might include covering any costs related to IT
specialists, regulatory investigations or forensic investigators. Arguably
more important, cyber insurance policies help victims to manage cyber
incidents, enabling access to specialist providers who understand all
aspects of cybercrime and its consequences.

Times are changing too. When cyber insurance was first introduced,
obtaining quotes could be an incredibly tedious affair. Pre-requisites
would often include on-site audits and essay-like technical application
forms. Nowadays, coverage can be obtained in a much more efficient manner
by completing just a few questions, including key financial information,
previous loss history, and basic risk management. We now find ourselves in
a position where we have over twenty insurers offering cyber policies
across the UK, helping to further simplify the underwriting process and
drive down prices.

Furthermore, as cyber insurers aren’t yet able to calculate the
consequences of specific controls –depending instead upon standard
portfolio management techniques to cover loss ratios – cyber insurance
tends to contain fewer obligations in regards to risk management than a
typical property policy. Unlike usual property policies, which may state
clearly what type of alarm to fit or what variety of lock to have on your
doors, cyber insurance policies are much more flexible where risk
management is concerned.

Despite the advancements and increasing ease in which it can be adopted,
less than 10% of UK firms purchase some form of cyber insurance, as opposed
to more than 25% of businesses in the US. Industry experts believe this is
likely to change at an unprecedented rate with cybercrime continuing to
instil the ‘fear factor’ amongst UK businesses, and when individuals and
firms have a better awareness of how cyber insurance policies really works.

Growing market equals increasing claims

With an increasing number of policyholders – creating a fast-expanding
cyber insurance market – the number of claims is inevitably on the rise. We
handled over 200 events in the first half of 2016 with nearly a third of
these relating to data breaches, and over a fifth linked to electronic
fraud. Other instances included ransomware, malware and denial of service
attacks. Most of these attacks caused relatively minor damage so far, with
the majority tending to be less than £50,000. That being said, the
potential financial devastation for businesses is huge. One targeted attack
in 2016 cost a small business over £1m after hackers deleted all company
data having gained access to their network.

The full effects of cyber-attacks are even felt by organisations not
directly compromised. These indirect, so-called “phantom breaches”, have
steadily increased in recent times, with the Yahoo hack late last year
providing just one example. Over a billion internet users had their data
stolen, but this wasn’t the end of the story. Many customers use duplicate
passwords and usernames across a number of websites, and this enables
attackers to easily exploit other sites once they’ve carried out the
initial attack, even if those sites are themselves secure. This
demonstrates just how devastating the knock-on effects of such breaches can
be.

The responsibility of the insured party

In spite of the increasing importance of cyber insurance adoption, the
claim that “cyber insurance doesn’t pay” has often tainted the perception
of this line of cover. This follows cases where businesses fail to
correctly or fully complete policy applications leading to missing out on
insurance in certain scenarios. Too often, however, it is the insurers who
are portrayed in a negative way.
These instances of invalid claims can be reduced through effective
collaborative efforts between the insurer and insured party.

>From the insurer’s perspective, it is not about whether the insured party
has strong or weak security controls in place, but whether they describe
them accurately on the application form. This is true for any other line of
insurance – you wouldn’t say that you have an alarm in your house if you
didn’t – and this is where insureds might run into trouble. However, there
are obviously cases when the questions can be misunderstood or
misinterpreted; for example, a business might say they encrypt all their
data, when in fact it is only password protected. So, in turn, it is the
responsibility of the insurer to be asking the questions in a clear way,
and further explaining security concepts that might be complicated.

Further collaboration amongst insurers and insured parties, along with more
government proactivity, would prove hugely beneficial. The government has
certainly made a solid start. Introduced in 2014, the Government Cyber
Essential Scheme both educates companies on how to reduce cyberattacks as
well as how to keep resulting costs as minimal as possible if a hack is
successful.

Good cyber hygiene should be the first line of defence for any business.
Unfortunately, statistics indicate that the majority of UK businesses,
especially SMEs, are likely to suffer a security breach within their
lifetime. As such, we advocate a two-pronged strategy which entails
sufficiently investing in updated security and risk management practices,
alongside implementing a strong insurance policy, should a cyber-attack
present itself.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170320/b4fddd6b/attachment.html>


More information about the BreachExchange mailing list