Rising boardroom interest in cyber insurance cover has been sparked by a number of well-publicized data breaches and the prospect of bigger data breach penalties under new EU data protection laws.
In April, Lloyd's of London said that it had seen a 50 percent increase in demand for cyber insurance products during the first three months of 2015 compared to the same period last year.
There are many ways risk can damage a company and they are all daily concerns for senior executives. Cyber, in particular, is what will continue to get the biggest headlines because the landscape changes so rapidly.
Recent events have revealed the fluid nature of the liability, the adequacy of current cyber security policies on offer, and company management’s attitude to risk acceptance and mitigation for breach scenarios.
Understanding cyber risk and cyber insurance
Generally, cyber risks fall into first-party and third-party insurance risks.
First-party insurance covers your business’s own assets, while third-party insurance covers the assets of others – typically your customers. Insurance products exist to cover either or both of these types of risk.
The ability of enterprises and insurers alike to understand, protect against or transfer these risks is in its infancy. Cyber liability is certainly a major reputational risk, and one that needs a lot of attention. Data breach litigation and scrutiny over executives’ roles in safeguarding their companies (and customers) are in the spotlight.
There has been significant growth in market demand for data protection insurance coverage, driven in no small part by the recent surge in evolving risks that companies face. The risks involved have been seen for years as being cutting-edge, if not rather theoretical. This view has changed over the last 18 months. There has been a steady flow of high-profile losses in the press arising from data breaches.
The European market for cyber insurance, while growing, is still at an early stage and several years behind developments in America. This may be because damages from breaches are generally higher in America than in Europe, since credit cards are more frequently used there and court rulings on data protection have historically been stricter. But the increased interest in Europe is the beginning of a larger risk landscape emerging that is related to technology and the expanding use of social media and “big data.”
While cyber coverage has been around for about 15 years, it is now clearly being further driven forward in Europe by both regulation and the cost of breach notification.
The insurance industry has the challenge of trying to model cyber risk so as to cover it accurately. Despite improvements to cyber cover, risk managers continue to worry that insurance policies may not provide adequate protection, essentially because of a lack of understanding about the nature of threats.
In September, catastrophe risk modelling firm AIR Worldwide (AIR), part of Verisk Analytics, announced plans to collaborate with cyber data providers BitSight Technologies and Risk Based Security, as well as the insurance market, to build an advanced cyber risk model.
There are a few European insurers that have been at the forefront of understanding emerging risks, and have put effort into better understanding the risk landscape created by technology and innovation. There are a number of mainstream insurance providers, including AIG, Allianz, Munich Re, Swiss Re and Zurich Insurance Group, as well as more specialist insurers like Beazley and Hiscox, all of which have developed specific cyber products.
Many are still trying to understand and model the other risks that might emerge due to changing regulation, legislation and industry pressure. Several governments, including the UK and France, have been trying to increase awareness and good practice in this regard.
In 2014, the UK Government launched Cyber Essentials – a basic cyber security hygiene standard to help organizations protect themselves against common cyber-attacks.
Why cyber insurance?
If you suffer a cyber breach, having cyber insurance can make the recovery process as straightforward and rapid as possible (however, it is still likely to take time to recover, depending on the severity of the incident).
Pricing the insurance premium requires identifying the likelihood of a potential loss, but creating a security profile of the existing IT structure usually runs into information asymmetry (enterprise information that is potentially not fully available to the insurance company at the time of contracting). This can affect the insurer’s capacity to model the risk and reduces the efficiency with which it can determine the premium.
Therefore, insurers push for enterprises to work with an IT security solution provider to protect their own interests. This is found to be beneficial, and insurers can also include technical assistance with managing a breach as part of the insurance policy.
Munich Re has partnered with Hewlett-Packard and Swiss Re has partnered with IBM to develop solutions that offer clients cyber protection and provide support in the event of a security breach. For example, IBM will assess clients’ external and internal vulnerability to cyber-attacks and offer options for mitigating these risks.
Gearing up for getting cyber insurance
At the present time, a combination of IT security services and a specialist insurance cover is the most advantageous risk mitigation approach an enterprise can take against the unknowns of cyber risk. The IT security solution provider can assist in creating a better defined map of the specific risk profile of the enterprise. With that enterprise security mapping in hand, cyber protection can be a mix of well-documented IT security measures and a cyber insurance solution.
The rationale for working this way is that it gives the enterprise access to a set of experts at the technology solution provider, often at preferential rates organized via the cyber insurance, in the event of a data breach.
The underwriting process for acquiring cyber insurance is also likely to focus on various key aspects of risk management in the enterprise. An assessment of the susceptibility of a company’s cyber-security posture that looks at more than technology, covering people, processes and preparedness as well, is quite useful. Such an assessment helps the insurer assess digital risks from an underwriting point of view, develop a customized insurance solution and provide the client with rapid support in its recovery after a claim.
Mandatory data breach notification regulations are in part a driver for cyber insurance as the costs of notifying affected users can be quite high. As the financial outlay of dealing with a breach gets more expensive, with the added efforts of dealing with mandatory notification, the option of using cyber insurance will become more attractive for many businesses.
Our full report on the market for cyber insurance (Analyst Insight: Risk Aversion and Cyber Insurance) will be available via this link to our website in January: http://bluehillresearch.com/author/alea-fairchild/
About the Author: Dr. Alea Fairchild is an Entrepreneur-in-Residence at Blue Hill Research. As a technology commentator, she has a broad presence both in the traditional media and online. Alea covers the convergence of technology in the cloud, mobile, and social spaces, and helps global enterprises understand the competitive marketplace and profit from digital process redesign. She has expertise in the following industries: industrial automation, computer/networking, telecom, financial services, media, transport logistics, and manufacturing. Her clients include commercial, government/public sector, NGO and trade association organizations.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.