As high profile breaches continue to attract headlines, businesses are becoming all too aware of their vulnerability to the increasingly complex cyber-threat landscape. Hackers are growing in sophistication and employees remain the weakest link in any organisation's security armoury. Indeed, a member of staff accidentally clicking on a malicious URL or opening a spoof attachment is all it takes to lead to an enterprise-wide data breach.
The financial implications of a cyber-attack can be severe and the cost of a data breach is continuing to rise year-on-year. The 2014 Ponemon Institute Cost of a Data Breach study found the average cost of a data breach to be £2.3 million; a 15 percent increase on the previous year. A dented share price, lost customer revenue and potential fines from the ICO for those that failed in their duty to adequately protect consumer data, can have serious consequences for organisations.
Cyber-insurance – also referred to as cyber-liability insurance cover (CLIC) – has been available for many years but, thanks to the rise in heavily publicised breach incidents, it is gaining renewed interest from European insurers, which sense an untapped market. Indeed, a recent Government report highlighted the lack of cyber-insurance among large UK firms and urged companies to consider purchasing insurance as a way to help manage the escalating threat posed by cyber-crime. The report found that around 98 percent lacked any insurance against the financial implications of a cyber-incident, despite the fact that 81 percent had suffered a security breach in the last 12 months.
Cyber-insurance policies are designed to cover the far reaching costs associated with a data breach, which range from notifying customers, staff and the public, to instructing a thorough forensic investigation into the attack. As with any insurance policy, the cost is heavily dependent on perceived risk which, with breach incidents commonplace today, is generally high. However, unlike with typical insurance policies, organisations are unlikely to have the expertise to conduct anything nearing comprehensive self-assessment and arguably neither do the majority of insurers. Hacking incidents can be incredibly stealthy, protracted and almost impossible to spot until it's too late.
Cyber-insurers claim to cushion the blow of an attack by protecting against the financial repercussions that follow a breach. However, there are a number of considerations for firms to consider before purchasing a cyber-insurance policy. For instance, will it cover an incident if an insurer deems it could have been identified and curtailed sooner? Will it provide good value for money in the event that a claim is accepted? As cyber-insurance is still in its infancy, it may be some time before any meaningful insight can be gleaned from the claims history of policy holders.
The significant challenge facing organisations – and inevitably cyber-insurers – today is the prevalence of zero-day exploits and continued emergence of vulnerabilities such as the now infamous Heartbleed and Shellshock flaws. The average firm is unlikely to have the in-house cyber-expertise available to accurately gauge its risk profile, given the rapidly changing threat landscape. Equally, insurance policy documents are often lengthy and complex, which may lead to crucial preventative measures or policies being overlooked, thus voiding the intended cover.
Organisations considering purchasing cyber-insurance must ensure that all policy documents are thoroughly interrogated, to guarantee that total cover is made available in the event of an attack. Businesses are also wise to ensure that the security of their corporate network is comprehensively reviewed on an ongoing basis. Preventative measures should be a priority and incident response and crisis management plans must be in place. Ensuring an efficient response to a breach and containment of the damage has been proven effective in reducing the resulting costs of a breach. Defences must be designed to detect and hunt down hackers who have infiltrated the network before they get too far up the kill chain to cause irreparable damage.
As with all insurance policies, it is vitally important for both policy holder – and provider – to know precisely where they stand. Due to the complexities of IT security, achieving clarity on cyber-insurance policies is going to be a growing challenge.
Contributed by Rowland Johnson, CEO, Nettitude