NTT Security has warned that 66% of UK businesses are not insured against information security breaches and data loss. The details emerged earlier this year in the company’s Risk:Value report (registration required). What makes this surprising is that the majority of those interviewed said insurance against attacks was ‘vital’.
Cyberattacks continue to grow and so do the risks of a breach. For UK companies, there is now the added problem of GDPR. Prior to May 25, 2018, the maximum fine for a UK company was £500,000. For organisations such as Dixons Carphone, that has been a relief. Now that GDPR is in full swing, fines are likely to be higher. Organisations also have to react faster and report breaches to both regulators and customers.
Cyber Insurance is not a magic bullet
Cyber insurance has been around for some time and is on the rise. NTT Security says that: “The number of insurers now offering cyber insurance via Lloyd’s of London has leapt to more than 70, nearly double the number a few years ago, while insurance giant Allianz predicts that global cyber insurance premiums will grow to $20bn by 2025, up from around $3-4bn currently.”
This shows that while respondents to the Risk:Value report may be laggards, others are clearly taking cyber insurance on. But what are they getting for their money? This is a very important question. Unlike household or contents policies, which are generally easy to read, most cyber insurance is an add-on to existing policies. As such, it often carries a number of disclaimers and riders that may mean it is worthless when required.
According to Kai Grunwitz, Senior VP, EMEA: “While cyber risk insurance should be put in place to help mitigate the potential fallout of a data security breach, a policy must not be seen as a ‘get out of jail free card’. Cyber insurance must be complementary to an effective risk-based information security strategy, not a replacement for it. You wouldn’t expect your house insurance provider to pay out if you were burgled when the doors and windows are left unlocked. So don’t expect a payout – or indeed an insurance policy – if you haven’t put in place the right processes and policies.”
Why you need the right policies
In April, US based National Bankshares Inc released its first quarter earnings. It contained an important reference to two breaches it had suffered. The bank had expected those to be covered by its cyber insurance policies. Its insurer, Everest National Insurance, disagreed.
The attacks on bank systems allowed money to be stolen via ATMs. This is a common attack against banks. Everest had inserted clauses into the cyber security contract to exclude thefts via ATMs. The result is that it is refusing to pay out over the two attacks.
This sends out a warning to companies. They need to read cyber insurance policies closely and check exactly what the exclusions leave uncovered.
Grunwitz commented on this, saying: “Insurance companies are experts in managing and evaluating risk. In this example, we’re in a grey area, because the attackers have “tricked employees into opening emails” with what appears to be a phishing attack, like you see with ‘CEO fraud’ and other social engineering-driven phishing attacks. Without having more background information on the incident and the details of the insurance policies, it’s hard to make a final statement if the debit-card or cybercrime riders should come into play.
“However, the key question for the bank is, have they done everything necessary to protect their critical data? A lot of companies expect a cyber insurance policy to cover weaknesses in their cyber defence and awareness strategy. People are still the first line of defence! Companies must do their homework and work on the security basics to protect critical data and comply with all the necessary industry regulations and compliance requirements. Cyber risk insurance will not compensate for holes in an organisation’s security processes and infrastructure – even if it seems so at the first glance.”
What does this mean?
Cyber security insurance should be treated as a business necessity. Without it, the cost of a breach will make any fine levied by a regulator pale into insignificance: the costs of cleaning systems and dealing with customer claims will be many times that of a regulatory fine. Cyber insurance is designed to cover those costs. Get it wrong, however, and you could be left with a multi-million pound bill.