Cyber insurance: the shift from luxury to necessity

It’s undeniable that cybercrime is quickly becoming one of the biggest threats to businesses today. By Aleksander Jarosz, Threat Intelligence Analyst at EclecticIQ.

The number of cyber-attacks taking place has steadily been increasing over the last couple of years, and the pandemic has hugely accelerated this. For example, a recent report from IBM found that the number of ransomware attacks in the second quarter of 2020 more than tripled compared to the previous quarter.

The pandemic is forcing change within organisations across all sectors, and in many cases this can be seen in the rapid rise in the number of employees having to work remotely. Employees working from home and accessing files on both corporate and personal devices significantly increase the cyber risk to businesses, and hackers are taking advantage of this. As a result, it is more important than ever that businesses take the necessary precautions to protect themselves against the wide range of scams and hacks that organisations across every sector are frequently experiencing.

One risk management solution available is cyber insurance. It has been around in the UK since the mid-2000s, but for many businesses it is still a relatively new area and one that is not widely understood. Due to the significant increase in cyber incidents around the world, the cyber insurance market is expected to grow by 33% annually over the next five years. However, for this to become a reality there needs to be a cultural shift in the way that cyber-attacks are viewed. While cyber criminals are becoming increasingly intelligent and creative with their scams, security budgets are being slashed and teams are being stretched and placed under increasing strain. Businesses need to understand that while preventative cybersecurity measures are essential, cyber-attacks can and will still happen. Therefore, organisations need to consider what method of protection will be in place in the event of a breach.

This article will discuss the specifics of cyber insurance and the pros and cons of investing in it.

What is cyber insurance?

Cyber insurance is usually a standalone policy offered by an insurance company to protect a business or an individual. This form of protection identifies the specific financial costs which may arise from a potential cyber threat and transfers those costs to an insurer. Cyber insurance largely covers damage across two areas: direct or first-party losses resulting from a data breach, and third-party costs, such as those of customers or service providers who have also incurred costs as a result of the incident.

The coverage that is provided will vary depending on the different insurers and products being offered. However, in general, cyber insurance packages include cover for:

1. Business interruption and data restoration costs

2. Legal costs relating to the data breach, whether regulatory fines or potential lawsuits

3. PR costs to deal with any reputational damage that a large scale cyber-attack may cause

4. Costs incurred as a result of the forensic analysis of a cyber-attack

What kind of exemptions exist?

If companies are looking to invest in cyber insurance, they need to ensure they are being thorough and reading the fine print before committing to a policy. As with any kind of insurance, certain cyber policies will have exemptions which may put the customer at risk of not being covered during a major attack. For example, a common exemption phrase used by insurers is “acts of war”. In 2017, the US pharmaceutical group Merck was subject to a cyber-attack which crippled more than 30,000 laptops and desktops, as well as 7500 servers. Merck was denied over a billion dollars in coverage after insurers claimed that the “acts of war” clause applied.

A less common but equally important exemption to be aware of is policies which only cover “non-targeted cyber-attacks”. While these policies are relatively rare, they are worth mentioning because they are, frankly, useless.

Another cause for concern is the variety of attacks that cybercriminals can currently employ, which reinforces the importance of finding the right policy with the appropriate cover for your company. Driven by forums on the dark web, cybercriminals are now able to access better tools and malware, which has led to the capabilities of the average ‘hacker’ growing extensively over the last few years. Businesses need to be especially aware of the various attacks at play and choose coverage accordingly.

What are the alternatives to cyber insurance?

There are several arguments which are regularly used against cyber insurance as a form of protection. For example, if a company experiences a cyber-attack that places malicious code within the network, baseline recovery costs are immediately incurred, whether in human labour or in new software or hardware. However, cyber insurance policies typically only cover costs beyond this ‘baseline’, so cyber-attacks remain expensive. Cyber insurance should not be viewed as a cure-all solution, and the goal should still be to prevent cyber-attacks. Since this is not always possible, adopting security practices alongside cyber insurance is still the best option.

Additionally, in the event of a data breach, the company under attack can often suffer significant reputational damage. If an insurer pays out, then businesses can use this to recoup costs relating to Public Relations and other reputation management tools as mentioned above. Unfortunately, in many cases, the damage is already done, and any current or potential future customers may be put off or have lost trust in the business.

While this is certainly a valid argument, it fails to factor in that cyber insurance is the only cyber protection strategy which does exactly what it says on the tin. Cyber insurers are not claiming that a data breach won’t happen under this strategy, or that insurance should be viewed as an alternative to cyber security measures. Cyber insurance should be used in conjunction with cyber security and other risk management strategies. At the same time, it is important to remember that however much money or resources companies invest in cybersecurity tools, these are preventative measures, and a data breach can obviously still occur. Therefore, businesses must invest in cyber insurance, because in the event of an attack many other cybersecurity strategies will by then be redundant.

Given the increased risk and scale of cyber incidents, businesses now need to be considering not whether they should invest in cyber insurance, but instead what kind of policy is right for them. The appropriate coverage on a cyber insurance policy can now mean the difference between a company surviving a cyber-attack or going under because of it.
