Cyber-insurance: no replacement for locks on doors
Cyber-insurance: no replacement for locks on doors

Some might describe cyber-risk as the most complex threat facing businesses today, and it's also the fastest growing. In the past year alone, we've seen several of the world's leading corporations, such as Sony Pictures, eBay and JP Morgan, fall victim to attacks, suffering devastating reputational consequences and heavy financial losses as a result.

From the Board of Directors and CEO, across the CRO, CISO, CIO and CTO, executives across the organisation are focused and committed to ensuring their organisation has the requisite people, tools, and systems needed to manage and mitigate the threats at hand. As a most pressing issue and top of mind concern, even the UK Government has made several proactive attempts to get involved by providing cyber-security advice to businesses and citizens alike.

Most recently, the Government published a report focussing on the role of cyber-insurance. The report uncovered some alarming statistics, for example that 98 percent of large UK firms lack insurance to help them recover from a serious cyber-attack, despite 81 percent of them having suffered a breach in the past 12 months. However, while these headline figures seem shocking, they are very much taken out of context, and paint an inaccurate image when it comes to the cyber-security focus and preparedness of UK companies.

The statistics suggest that nearly all large UK firms aren't prepared or capable of recovering from the threat of cyber-crime, citing their lack of the necessary insurance to cover potential losses. In reality, however, many firms are already heavily invested in preventative measures, a factor that isn't considered in the report. Companies are very focused on understanding and preventing cyber-crime and are very aware of the potential negative impact of suffering a data breach. Most firms don't view cyber-insurance as a top priority, rather, it's the preventative and proactive cyber-security measures that take precedence. Just as you wouldn't rely on house insurance over locking your front door, stopping criminals from getting in and causing damage in the first place shows better threat understanding and management.

Cyber-insurance should only ever be a part of a more holistic security strategy and, even then, it isn't always easy to make the case for its inclusion in a firm's overall cyber-security strategy. Some of the biggest challenges include confusion about cyber-insurance policies and what is covered, and uncertainty regarding the likelihood of a cyber-attack and the potential financial and reputational losses associated with an attack. 

Afterall, the biggest risk facing any company is reputational, a risk for which a definite financial figure is nearly impossible to calculate. It's therefore difficult to see how providers can provide appropriate cover without charging high premiums that reflect significant levels of uncertainty. Indeed, speciality markets do exist, such as those that protect against catastrophic events, so called ‘acts of God', and it could be argued that insuring against reputational risk belongs in the same category. To some firms, the impact of a large data breach could be catastrophic, and many have gone out of business as a result. Furthermore, it's not just the company's reputation at stake, but also its employees'. For example, Gregg Steinhafel left his position as CEO of Target following the huge data breach last year, in what became one of the most highly publicised breaches to date.

Ultimately, companies can't take out an insurance policy and then become complacent in their cyber-defence. Insurance is an after-the-event measure, which means a data breach has to have already taken place for it to have any effect. In conclusion, cyber-security is going to continue to be a focus for every organisation around the world, no matter the size or industry. My advice for companies seeking to bolster their cyber-risk management programmes is to build a holistic and forward-looking cyber-security programme that not only focuses on building defensive measures against security breaches, but is also capable of forecasting potential security threats and alleviating those risks before they cause serious damage.

Contributed by Piyush Pant, vice president of strategic markets, MetricStream