Cyber-insurance cover leaves IT teams exposed
Chris Pace argues that failure to achieve the correct balance between transfer of risk to an insurance provider and appropriate level of IT security measures, implemented and managed by in-house IT, puts companies at risk.
Chris Pace, head of product marketing, Wallix UK
The global cyber-risk insurance market nearly tripled in size in just two years when global gross written premiums grew from £565 million (US $850 million) in 2012 to £1.7 billion (US $2.5 billion) in 2014. So it's no wonder that Lloyd's, encouraged by the UK Government (which helped sponsor a major report on the subject earlier this year, entitled ‘UK Cyber Security: The role of insurance in managing and mitigating the risk'), has moved swiftly to establish itself as a global centre of excellence. The assumption would be that the UK's IT industry would, in parallel, take similarly large steps so as to fully capitalise on this booming market. But it would appear that our industry is dragging its feet. And that could have significant repercussions for the future.
On the face of it, a cyber-insurance policy represents a neat way to get the IT department off the hook. Insurers are hugely competent at pricing and underwriting all types of risk. And transferring risk in exchange for a premium makes good commercial sense for any business. The ideal form of cyber-risk management then is the correct balance between that transfer of risk to the insurance provider and an appropriate level of IT security measures, as implemented and managed by the in-house IT team.
Wallix UK's hunch, though, was that those IT security measures were not being kept at a sufficiently high level and so the IT department was running the risk of invalidating the very insurance policy that they were supposed to be instrumental in policing.
So Wallix UK put its hunch to the test and carried out an online survey* amongst IT professionals to find out who in their organisation had responsibility for the purchase decision and what effect that policy then had on their own IT security policy.
Disappointingly, nearly half of the respondents did not know if their organisation had taken out a policy and a large minority (47 percent) thought there was ‘insufficient need' to do so. Over a third (35 percent) did not know which department would lead on this decision.
More worryingly, a large minority (41 percent) did not believe that their company subsequently needed to change its IT security policy. And this is where it gets truly concerning because the survey showed an alarming amount of complacency regarding two important aspects of cyber-insurance cover (both of which have the potential to invalidate the policy): making critical updates to security software and network access.
Nearly half the respondents thought it would be either quite difficult (43 percent) or very difficult (10 percent) to 'identify whether…security software fails to make critical updates'. In the event of a cyber-attack triggering a claim on the policy, this is one of the first areas that the insurance company will look at and in those circumstances, it seems that the unlucky 43 percent would have some explaining to do.
They might also need to explain why they were allowing so many people to continue to access their networks. Fifty percent of the sample felt it would be either difficult or very difficult to identify whether any ex-third party providers still had access via accounts to resources on their network; the same percentage (50 percent) thought the same about ex-employees accessing their network and an even bigger proportion (55 percent) thought the same about ex-contractors accessing their networks.
We're aware that most large enterprises now have workforces that appear to be in a permanent state of flux and can, at any one time, comprise a large number of both staff (full time and part time) and contractors. Keeping security tabs on all of these is a major headache for the IT department. But we're left with the view that these security lapses create notoriously ‘porous' organisations that can, in turn, leave the company at considerable risk of a cyber-attack.
The recommendations to these hard-pressed IT departments are straightforward.
1. Get involved in the decision-making process.
2. Make sure that you have a clear understanding of the limitations of your existing technology and how those may affect your cover.
3. Make sure that your regular and automated security activities (updates, patches, signatures, etc.) are working.
4. Maximise your own visibility. If you suffer a breach, the insurance company will want to attribute the source, and the more data you have, the easier your job will be.
5. Know your access control weaknesses. Most cyber-insurance policies assume you have complete control and that you have visibility of every user who has access to your infrastructure.
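As an added illustration of recommendations 3 and 5 (this is not code from the article or from Wallix), the Python below reconciles an account inventory against an HR/procurement leavers list, flags dormant third-party and contractor accounts, and lists endpoints whose signature updates have stalled, which are the two areas the survey found hardest to check. All records are constructed sample data and the field names are assumptions.

```python
from datetime import date

# Constructed sample data (not from any real environment).
ACCOUNTS = [
    {"user": "alice",      "type": "employee",    "last_login": "2015-10-01", "enabled": True},
    {"user": "bob-ctr",    "type": "contractor",  "last_login": "2015-06-12", "enabled": True},
    {"user": "vendor-svc", "type": "third_party", "last_login": "2015-02-03", "enabled": True},
    {"user": "carol",      "type": "employee",    "last_login": "2015-09-30", "enabled": False},
]
# Users whose employment or engagement has ended, per HR / procurement (constructed).
LEAVERS = {"bob-ctr", "carol"}
# Endpoint security-software status as exported by a management console (constructed).
ENDPOINTS = [
    {"host": "ws01", "signature_date": "2015-10-02"},
    {"host": "ws02", "signature_date": "2015-08-20"},
]


def find_orphaned_accounts(accounts, leavers, today, dormant_days=90):
    """Return (user, reason) pairs for enabled accounts an insurer's post-breach
    review would question: leavers still enabled, and long-dormant accounts."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing to report
        if acct["user"] in leavers:
            findings.append((acct["user"], "enabled account belongs to a leaver"))
            continue
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            findings.append((acct["user"], f"dormant {acct['type']} account, {idle} days idle"))
    return findings


def find_stale_endpoints(endpoints, today, max_age_days=7):
    """Return hosts whose security signatures are older than max_age_days,
    i.e. where the automated update process has silently stopped working."""
    return [e["host"] for e in endpoints
            if (today - date.fromisoformat(e["signature_date"])).days > max_age_days]


if __name__ == "__main__":
    run_date = date(2015, 10, 5)  # fixed date so the constructed data is reproducible
    for user, reason in find_orphaned_accounts(ACCOUNTS, LEAVERS, run_date):
        print(f"ACCESS  {user}: {reason}")
    for host in find_stale_endpoints(ENDPOINTS, run_date):
        print(f"UPDATES {host}: signatures out of date")
```

Feeding the same checks real directory exports and console reports turns recommendations 3 and 5 into a repeatable control whose output can be handed to an insurer as evidence.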
This last point is rapidly moving up the management agenda. The Bank of England's Prudential Regulation Authority recently distributed a ‘Cyber Resilience Capabilities' questionnaire to its member financial firms. Of the 28 questions asked, three were concerned with access control rights.
The historic ingenuity of the insurance industry means that it is now offering companies solutions that cover an ever broadening range of cyber-risks. This should be good news for the IT department. But all these solutions require the active involvement of those IT departments who must now ensure that their own IT security policies have been updated. The opportunity exists to closely collaborate with these cyber-insurance companies rather than be castigated by them.
Contributed by Chris Pace, head of product marketing, Wallix UK