Cyber insurance: What, when and how
High-profile hacks on the likes of Tesco Bank, TalkTalk and Sony have raised the issue of cybercrime on the business agenda. As accountants become increasingly ‘business-focused’, finance leaders are increasingly becoming drivers for cyber-attack preparation, and cyber insurance is one of the tools at their disposal.
The sheer number of organisations now relying on online connectivity to reach and serve customers means businesses of all sizes are increasingly exposed to cyber-attacks, hacks and data losses. Cyber risk insurance policies exist to provide protection against the consequences of such a disaster.
Compared to other types of insurance the cyber market is still in its infancy, but it is growing fast: in America the annual volume of cyber risk premiums has reached $3.25bn, up 18% from last year, and although UK data is harder to come by it is moving in the same direction.
A recent Grant Thornton survey of almost a thousand senior finance professionals found that 38% believed they were most responsible for cybersecurity at their organisation, but many are struggling to get to grips with their new responsibilities. So what can finance leaders do to prepare their organisation for cyber-attacks, and should they consider cyber insurance? Here are five simple points to help:
* * *
1: Calculate your risks and assess them against your business
Ask yourself one simple question: can you repair the loss? If you have existing cover, many insurers may compensate you for what they can measure, such as damage to hardware or wages if your staff are not able to work. But how do you quantify reputational loss? Will you still have a business going forward?
Look at the type of data you hold. Those who hold credit card details, medical records and trade secrets are obviously among the biggest risks. Losing personal information such as names and addresses is bad, but losing those other categories is worse.
A UK government survey in 2015 found that while 90% of large organisations reported they had suffered an information security breach, 74% of small and medium-sized businesses (SMEs) reported the same. The survey also found that for SMEs the cost of the most severe breaches can now reach as high as £310,800, up from £115,000 in 2014. While larger companies may be able to absorb the impact, smaller ones may not survive.
2: Check your policies
A crucial question to ask insurers is ‘just what am I covered for?’ A lack of clarity in the emerging cyber insurance market means there’s little uniformity, a lack of standard terminology, confusion around identifying policy exclusions and a lack of accurate measurements and models for different types of cyber risk and their resultant financial consequences.
The rapid rise in demand for cyber insurance has left established insurers struggling: skills are scarce in the sector, and the small amount of reliable data makes pricing difficult for underwriters. According to Jean-Christophe Gaillard, managing director at Corix Partners, this creates opportunities for mis-selling, as firms can end up with products they can never claim on because their policies are “riddled with exceptions”.
“Insurers are flavouring their products with value-added offerings such as crisis management and legal services”, said Gaillard, “which are not insurance products and it’s difficult to gauge their value”.
A specialist agent should be able to walk you through what you should be covered for based on your business’s exposure to cyber risk. It is also vital you read the small print to understand all exclusions and how they might apply, including identifying potential holes in your cover and whether you are covered for new classes of attacks like DDoS.
3: Be prepared, stay prepared
While having a cyber insurance policy in place may provide peace of mind, having appropriate security controls in place is an absolute prerequisite for any claim to be successful. This usually goes beyond self-certification through the government’s Cyber Essentials badge, and often requires a proper assessment of the controls in place across the organisation.
This involves approaching cybersecurity as a company-wide risk management issue, not just an IT or finance department issue. Conduct annual audits of cyber risk, preferably carried out by an outside security company or the internal audit department. The board must monitor where risk levels are deteriorating or improving.
4: Empower your employees
A sobering statistic from a recent Experian Data Breach Resolution survey is that 80% of the breaches the group responds to have a root cause traceable to an employee. While organisations can spend vast amounts of cash to mitigate the risks of being hacked, that spending is useless if the back door is left open, whether by accident or by design.
Disgruntled employees have wreaked havoc in organisations like supermarket Morrisons and adultery website AshleyMadison by leaking data, while issues such as email scams where fraudsters impersonate company leaders to deceive staff into transferring money can also result in significant problems.
Putting in place strong processes, initiating regular, mandatory data protection and cybersecurity training for all staff, and limiting access to sensitive information to only those who need it is a good start. It also falls on your organisation to follow through on references for new employees, to ensure all staff meet the standards you wish to set.
5: Plan your response
Your company may have a drill in place in case the building catches fire, but does it have a plan for cyber-attacks? The internet is inherently unsafe, and many businesses are now preparing for what will happen when, not if, they are hacked.
If you have a website, do you take it down? If personal data is breached, when should you contact those affected, what should you say and how should you compensate them? Having a plan can mean the difference between survival and failure.
After their much-publicised attack TalkTalk fronted up to the media, paid damages to users and gave them the chance to leave. They suffered significant reputational and financial damage, but continue to trade thanks in part to this action.
- Further reading: Corix Partners white paper on cyber insurance
Do you have or have you considered cyber insurance? And what steps has your organisation taken to prevent cybercrime?