As threats grow, cyber-insurance is becoming an increasingly popular way for firms to mitigate the potential financial fallout of a serious service outage or data breach. Insurance in the sector grew 50 percent in the UK between 2015 and 2016, according to a leading underwriter. Yet as the industry rapidly matures, organisations must be careful not to view policies as a “get out of jail free card”. In fact, if companies can't first demonstrate a baseline of cyber-security best practice, they may find it extremely difficult to negotiate an acceptable contract, and even trickier to claim in the event of an incident.
The bottom line is that cyber-insurance should always be viewed as complementary to but not a replacement for an effective risk-based security strategy.
Firms under fire
Just one look at the threat landscape will confirm why insurance is becoming so popular. One cyber-security vendor alone blocked a staggering 38.5 billion threats globally in the first half of 2017. These included over 82 million ransomware threats and 3,000 Business Email Compromise (BEC) attempts. The latter has become a multi-billion-dollar business for cyber-criminals over the past few years, according to the FBI.
Companies are absolutely right to worry about the impact of a data breach, both in terms of short-term financial losses and long-term brand and reputational damage. Our 2017 Risk:Value report reveals that a business would have to spend £1 million (US$1.3 million) on average to recover from a breach.
No company, regardless of its size, sector or focus, can afford to ignore the consequences of what are increasingly sophisticated and targeted security attacks, like the widespread and damaging ransomware attack we recently witnessed.
Lighting up key areas of risk
In this context, it's not surprising that cyber-insurance is growing in popularity. The same report reveals that 40 percent of global firms have taken policies out this year while 35 percent are considering it.
Yet insurers' business models are predicated on quantifying risk accurately, which means that most will be unwilling to offer coverage to an organisation that can't first demonstrate it has a well-thought-out cyber-security strategy in place. Fail to address this and your organisation may struggle to get cyber-insurance at all, or find that premiums are prohibitively high. As with any insurance policy, you have a duty to take basic steps to mitigate the risk; neglect that duty and you will pay more for cover.
Nearly half (45 percent) of respondents said they thought poor system patching could invalidate their insurance. This isn't surprising given the fall-out from the WannaCry ransomware campaign, which hit organisations that had failed to apply a critical Windows patch Microsoft had released two months earlier. Automated patch management is a must given current threat levels and the number of systems modern organisations have to manage. Ageing IT systems were also pegged as a major risk to insurance contracts, and WannaCry highlighted that too: it spread mostly across unpatched Windows 7 machines, while out-of-support systems such as Windows XP had no fix at all until Microsoft issued an emergency patch.
Incident response is also a basic requirement of best-practice security, and will become even more important as the General Data Protection Regulation (GDPR) requires organisations to notify the supervisory authority within 72 hours of becoming aware of a personal data breach. In fact, general non-compliance problems were also flagged by respondents as possible barriers to insurance. These challenges are only going to increase with the European legislation coming into force in May 2018. The GDPR and the NIS Directive both require organisations, in one way or another, to follow best practice in cyber-security: the GDPR threatens fines of up to €20 million (around £17 million) or four percent of global annual turnover, whichever is higher, and the UK's implementation of the NIS Directive carries penalties of up to £17 million for non-compliance.
Employee negligence was the final major risk to cyber-insurance raised by the report's respondents. Nearly half of all breaches reported to the ICO during the period 2013-2016 came as a result of human error by staff, so it's not hard to see why well communicated policies and comprehensive training and education programmes are vital to attaining that baseline of good cybersecurity.
Security as insurance
You wouldn't expect a house insurance provider to pay out if you were burgled because the doors and windows were left unlocked. So don't expect a payout, or even an insurance policy, if you haven't taken suitable precautions to stop preventable cyber-incidents. BEC scams are particularly contentious, with cases in the US this year and last of companies suing their insurer for refusing to pay out following major losses. With the bar for what constitutes security best practice rising all the time, such firms may well be left disappointed and out of pocket.
Insurance is a smart way to mitigate cyber-related risk. But even if you secure a payout, it will only cover financial loss. The impact of a breach on brand and reputation, including customer attrition, can be much larger and longer-lasting. That's why industry best-practice cyber-security is, in a way, its own insurance. It's certainly not fool-proof, but followed properly it will make serious outages and breaches a rarity.
Contributed by Garry Sidaway, SVP Security Strategy & Alliances at NTT Security
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.