Cyber-Insurance is an immature market
Wallix admit that, while there is an increased take-up of cyber-insurance, it is still a relatively immature market. This is where the whole issue of cyber-insurance is laid bare. At present there are no standard cyber-insurance contracts and, despite the claims of take-up by Wallix, very little work appears to have been done on the details of what would constitute an effective policy.
We looked at 20 different insurance company websites and typed in the phrase cyber-security. What was evident is that much of what is on offer is covered by existing insurance policies. Where there were differences, the specific policies didn’t spell out terms and conditions such as audits, security processes and corporate responsibility.
They also contained references to things like data restitution and disaster recovery. Both of these are covered by the general insurance that most companies already have. They may even have some protection to help pay for a campaign to help restore a company’s reputation. Cyber-insurance needs to go further.
As a result, it was hard to determine whether it was worth trying to buy what can best be described as nascent policies or whether, as a large company, you would end up trying to negotiate a bespoke policy by selecting from a menu of things to be covered. This is not going to fly at most large corporates and, for smaller firms, who are often the soft underbelly, it will leave them at the mercy of brokers who know even less than they do.
That issue of smaller firms is also worth highlighting. IT security vendors accept that they are a major cybersecurity risk, and recently HP admitted to industry analysts that, despite having a solution to investigate the cybersecurity of smaller partners in the supply chain, less than 15% of large enterprises were interested in it. One positive that cyber-insurance could deliver is requiring larger companies to deal with this threat, even if it is by having workable policies rather than deploying tools or manpower.
At present, companies have some protection built into their general business insurance for things such as the restitution of data and the basics of disaster recovery.
Time for a grown-up discussion on cyber-insurance
What is needed is a grown-up discussion from the IT and insurance industries to help define what a cyber-insurance policy should contain and how risk and costs will be assessed. Talk to IT managers at conferences and there is a general distrust of the insurance businesses around the subject of cyber-insurance. That needs to be resolved quickly and publicly.
Companies understand insurance in general, how it works, how it affects their business and how to calculate risk. What they don’t have at the moment are quality numbers around the cost of dealing with a cyber incident that could then be used to assess risk and what needs to be covered. The insurance industry itself seems to be a little in the dark as well, with only a few specialist insurers such as Wallix doing any real research.
In the press release Wallix has laid bare the state of awareness over cyber-insurance. It asks the question whether the problem is complacency or naivety and admits that the responses it received were “surprising and frankly alarming”. This is not the sort of language one expects in this type of report.
The survey does look at two different markets, UK and France. While there are some differences between the two, as highlighted in the report, the overall mentality of “why would we need this” seems to be the same in both countries.