Cyber insurance not trusted by business, KPMG claims

Senior heads of security don't trust cyber-insurance products, viewing with scepticism the chances of getting a payout in the event of a cyber-attack, according to research from KPMG.

Cyber insurance not trusted by business, KPMG claims
Cyber insurance not trusted by business, KPMG claims

Based on a survey of senior information security professionals from organisations which are members of KPMG's International Information Integrity Institute (I-4), 74 percent of businesses have no cyber insurance.

Given that 79 percent of companies believe that cyber threats are likely to increase in the next 12 months, the results would be inexplicable except for the fact that at least half of businesses believe that a cyber-insurance policy may not pay out when needed.

Mark Waghorne, head of I-4, is concerned that many businesses would rather not have insurance against a threat they believe is inevitable.

He revealed that 30 percent of information security professionals in the survey believe the cyber insurance industry has yet to mature. “Insurers will need to deliver more comprehensive packages in order to convince the business community that they can and will protect against losses on cyber-crime,” Waghorne said.

Sarah Stephenson, head of cyber, technology and media E&O at JLT Specialty, told SCMagazineUK.com that she “couldn't disagree more that might not be effective”.

“Like any emerging line of insurance, there is going to be scepticism about its efficacy,” she said. “But it's been around since 2000, and while it may feel brand new, it's been paying claims and helping to mitigate the effects of cyber disruption for 15 years.”

She said there was an impression in the media that insurers weren't paying out on cyber insurance policies based on a failure to distinguish between the specialist insurance policy and more general policies like crime.

“Almost all that litigation has been with general liability and crime insurance and was not cyber specific,” she said. “The policies that aren't paying out aren't cyber policies at all.”

Cyber is still a niche sector which unlike other insurance markets doesn't have the history or case law to allow insurers and brokers to develop standardised terms and conditions. “Companies that are purchasing cyber- insurance now understand better how it's a partnership with the underwriting community, that there will be a sit-down meeting with the underwriter, broker, chief information officer and CISO to understand your cyber risk,” she said.

“They will want to understand not only your adherence to polices but also your culture. They are underwriting not only what you do today but also your ability to adapt to new risks,” Stephens said.

Waghorne's supported Stephens' final point. “Discussions during a later debate at the most recent I-4 forum showed that the availability of specialist, focused cyber related insurance has much improved during the past year with clear evidence that carriers do pay out, indicating that those organisations which have avoided cyber-insurance in the past should perhaps revisit their positions,” he said.

Meanwhile, Daljitt Barn, director, cyber security at PwC wasn't surprised by the figures which are broadly in line with other reports he's seen including a report co-authored by the Cabinet Office and insurance broker Marsh which found that 81 percent of big businesses and 60 percent of SMEs had suffered a cyber-security breach.

The report found that half of firms surveyed were unaware that cyber-insurance was even available – hardly surprising then that only ten percent of firms have armed themselves with cyber-insurance.

Barn was sympathetic with business owners who may be worried that their cyber-insurance won't cover them in the event of a major breach. With technology evolving so quickly, it is perhaps natural to question whether the details in your policy are still applicable.

However, Barn said that if organisations believed their cyber insurance won't pay out, it indicated that they hadn't done their research. “They need to understand their risk and what they are buying,” he said. “They need to ask, do some of my existing insurance policies cover me for the affects of a cyber attack? They need to understand their cyber exposure and risk and then tailor their purchase according to what they need.”

The suggestion that cyber insurance policies won't pay out in the event of an incident is not supported by the facts, he added. In the case of Target Stores in the US, they had a US$100 million (£66 million) policy which paid out. “But was it enough – we don't know,” Barn said.

Barn's advice is that when purchasing cyber insurance, understand what you are buying and scrutinise all the detail under the heads of cover. The more work your organisation does to reduce the chances of a cyber attack and mitigate the consequences of a breach, the more you will save on cyber insurance while also lessening the business disruption that simply can't be insured for.