The Wallix survey around cyber-insurance
This is the background against which Wallix launched its survey (registration required) of IT Pros to look at why cyber-insurance, a product that has been around for a few years now, was not a booming market. The results are worrying and should make the board of any company large or small sit up and take notice.
Some of the key messages from the survey and press release are:
- 47% thought that there was ‘insufficient need’ to invest in cyber-insurance
- 35% of UK respondents didn’t know which department would lead the purchasing decision
- 41% did not believe that their company would need to change its IT security policy when taking out cyber-insurance
- Half of UK respondents thought it would be either ‘difficult’ or ‘very difficult’ to identify whether any ex-employees or contractors still had access
These are shocking responses and it is tempting to dismiss them by assuming that the survey went to the wrong people. However, the numbers involved mean that this is unlikely to be the case. What it says about companies is that there is a substantial disconnect between the realities of business, risk and the IT department.
It is hard to see how an experienced IT director would assume there was insufficient need to invest in cyber-insurance. The same could be said of any experienced IT security expert when it comes to the 41% who believe existing security policies would satisfy any cyber-insurance policy.
A need to overhaul processes and how the business assesses risk
One of the key things that can be learned from this survey is that there is an urgent need for companies to look closely at their security processes. This is not just in order to improve their cybersecurity but to tighten up their basic security. There is also a requirement for corporate risk officers to take a long hard look at IT and the risk that any failure presents to the business.
Risk and IT also need to work together and engage with the business to determine the true cost of a cybersecurity incident. Running scenarios can help with this, but until the full extent of the potential costs of an incident is realised, it is unlikely that the board will take notice and release the budget either to improve security and/or to pay for cyber-insurance.
Earlier this month Wax Digital looked at the risks of procurement, especially around IT departments. It discovered that IT was failing to carry out effective risk assessment and lacked effective tendering processes. One of the key takeaways from this Wallix survey is that over 1/3 of the respondents did not know which department would be responsible for leading any purchasing decision on cyber-insurance.
It is clear from many of the survey responses that the IT department has effectively disqualified itself, given its lack of belief that there is any real requirement for cyber-insurance. This leaves the traditional purchasing teams inside companies, but these will also lack much of the knowledge needed to understand what to insure for and at what level.
The survey did not ask why IT departments don’t believe in cyber-insurance. Does the insurance itself understand the issue?