An independent public sector security interest organisation has carried out a study into the factors shaping corporate attitudes toward dedicated cyber-insurance. The not-for-profit Corporate Executive Programme (CEP) examined what it defines as ‘large’ (US$ billion revenue) and ‘mid-sized’ (US$ 1 million to US$ 1 billion) enterprises in the US and UK.
Across its sample, the CEP found that firms’ purchasing strategies for security protection insurance typically differ depending on company size and vertical industry sector, with ‘management style’ and geographic location also proving crucial.
Punitive penal measures
The study’s findings suggest that the US has higher levels of dedicated cyber-insurance cover than the UK (40 percent versus 13 percent). In the survey’s methodology, the US was considered separately because of the more punitive measures in existence there relating to information security breaches; for example, 47 US states now have breach notification laws in force.
This higher-level national approach to penal measures is implied to have a ground-level effect on the way individual firms develop their own security personality.
Blind faith down the supply chain
Although every company across all territories in the survey had third-party and/or outsourcing deals in place, of the companies with cyber-cover only 50 percent carried out thorough checks to confirm that insurance cover continued to exist throughout their supply chain.
The retail sector saw the highest number of organisations purchasing cyber-cover (37 percent of those with dedicated cyber-insurance in this survey), followed by the finance sector (25 percent). Self-insurance was mostly done by the manufacturing and finance sectors. Companies with decentralised risk functions seemed to be more likely to have dedicated cyber-insurance than those with centralised functions (31 percent versus 15 percent).
People, processes and workflows
Darren Anstee, director of solutions architects at Arbor Networks, has suggested that defending against today’s threats is not all about technology. “There needs to be at least as much focus on the people, processes and workflows that are involved,” he said. “As the costs around successful cyber-attacks, and thus the business risks, become more widely appreciated it is hoped that organisations will invest to raise their security posture.”
CEP states that the apparent trend for lower levels of dedicated cyber-insurance in Europe may change with the pending EU data breach notification rules for data controllers under the draft General Data Protection Regulation and the proposed cyber-breach notification rules for critical infrastructure providers under the draft Network and Information Security Directive. These changes could become a catalyst for an upsurge in cyber-cover in Europe.
Well, if even the CISO doesn't know…
Looking at other summary findings, 25 percent of respondents said their organisation had suffered a business-impacting cyber-incident within the last year, and 30 percent of these had dedicated cyber-insurance. Companies that had experienced an incident and had insurance cover had held this cover before the incident. But, crucially, most heads of information security interviewed did not know what types of dedicated cyber-insurance products were available to them.
On the gap between security insurance and security protection technologies, Benny Czarny, CEO and president at OPSWAT, points out that organisations may be slow to take up cyber-insurance because of the difficulty of calculating the risks and balancing those against the cost of the premium.
More directly, Martin Lee, cyber-crime manager at Alert Logic, is at pains to point out that cyber-insurance should not be seen as a replacement for the implementation of an effective cyber-security strategy. “In the same way that fire insurance is no replacement for a fire alarm and fire extinguishers, companies considering taking cyber-security should ensure that they have necessary cyber-protections in place first,” he said.
CEP’s report is entitled ‘Risk Mitigation through cyber-insurance Current Business Practices’. The investigation identifies a ‘worrying trend’ in cyber-insurance purchasing: heads of information security are often not involved in purchasing decisions, even though they are perhaps best placed to understand the level of risk that needs to be insured against.