What is cyber insurance and should your business buy into it?


Cyber attacks have, unfortunately, become part and parcel of the business landscape over the last few years. Attacks such as distributed denial of service (DDoS), phishing and ransomware have been ramping up in recent years, with cyber criminals seeking to take financial advantage of businesses at every turn.

This is where cyber insurance comes in, and the market for it has been growing over the past decade. According to figures from market research firm Vantage Market Research, the total worldwide cyber insurance market is estimated to reach just over $28 billion by the year 2028. Cyber insurance underwriting for UK businesses also accounts for roughly 5% to 10% of global cyber insurance cover.

Why do companies opt for cyber insurance?

Virtually any sizable business you can think of relies on IT infrastructure. If that infrastructure is compromised or damaged, the business faces a range of potential consequences including service interruption, income loss, technical damages, or reputational damage.

According to the UK government’s Cyber Security Breaches Survey 2022, 31% of businesses and 26% of charities estimate they were attacked at least once a week. One in five businesses and charities reported experiencing negative outcomes as a direct result of a cyber attack. One-third of businesses (35%) and almost four in ten charities (38%), meanwhile, experienced at least one negative impact.

While traditional insurance policies for commercial property, business interruption or professional indemnity cover some aspects of cyber risk, businesses look to something more specialised to complement existing insurance plans. This is particularly true if an organisation holds sensitive customer details such as names and addresses or banking information, relies on IT infrastructure or websites to carry out business functions, or processes payment card information.

How does cyber insurance work?

Cyber insurance is there to protect organisations from heavy losses stemming from incidents such as data breaches or cyber attacks. It covers the cost of losses related to hacking or other cyber attacks that other business insurance policies may not cover.

In cyber insurance, just as with any other type of insurance, there are clauses and limits of liability. Malware is a major threat to an organisation’s cyber security posture, but some insurance plans may only offer optional cover against that type of threat. Typical cyber insurance plans cover first-party and third-party risks, and should at least cover the following.


First-party risks

These risks include the loss or damage to such things as data or software applications, business interruption from a network going down and double extortion ransomware, in which hackers threaten to damage or release data if money isn’t paid to them. First-party risks also include the expense of notifying customers when there’s a legal or regulatory obligation to notify them of a security or privacy breach, damage to reputation resulting from a data breach and loss of intellectual property (IP) or customers, and theft of money or digital assets through theft of equipment or electronic theft.

Third-party risks

These cover the assets of other parties, typically customers, and can include security breaches, and the investigation, legal defence costs and civil damages associated with them; multimedia liability to cover the investigation, legal defence costs and civil damages resulting from defamation, breach of privacy or negligence in publication in electronic or print media; and loss of third-party data, including payment of compensation to customers for denial of access, and failure of software or systems.

What else do businesses need to consider?

When it comes to buying cyber insurance, organisations need to consider what it means for them, whether they need it, and whether it might be more cost-effective to mitigate risks internally rather than opt for policies to cover them.

All businesses, however, should assess the potential risks they face across the breadth of the business, and how they can work to reduce those risks.

There are several ways risks can be reduced, and thus the cost of premiums lowered. These include regular staff training to keep employees up to date with the latest threats, data encryption that scrambles data when stored on systems, keeping portable devices such as laptops or smartphones at work to reduce the risk of devices being left in public places, and staying up to date with legal changes that could invalidate insurance policies.

What’s the reality of cyber insurance policies?

There can be a notable difference between what insurance companies claim cyber insurance is, and the reality once you’ve signed on the dotted line.

There are things that cyber insurance policies won’t cover but an organisation may think it would. For example, many policies won’t cover criminal acts, including theft, fraud, or robbery by employees, i.e. an insider threat. A policy may also not cover attacks orchestrated by social engineers.

Another sadly relevant point is that cyber insurance policies don’t cover acts of war; insurers may not cover costs caused by hackers acting on behalf of a nation state that’s at war. This shifts the responsibility for protecting data onto the victims.

What are the benefits and drawbacks?

As with normal insurance policies there are benefits and drawbacks to taking out cyber insurance. Of course, cyber insurance policies also have their own limitations.

Among the advantages of having cyber insurance is an enhanced standard of security, given that insurance companies are often among the forces driving improvements in industry standards. There are also financial incentives for organisations to improve security, as a better cyber security posture can lower premiums. Having cyber insurance can increase security awareness among C-suite executives, too, and help smooth the path for security initiatives.

Among the disadvantages, on the other hand, is potentially inadequate coverage. According to Sophos research, only 64% of businesses have insurance policies that cover ransomware attacks. Cyber insurance can also be too expensive for some companies, particularly small and medium-sized businesses (SMBs). According to Reuters, the cost of cyber insurance in the US rose by 25% between the start and the end of 2021 as insurers looked to deal with a series of costly claims.

Another drawback is that such insurance can limit the way an organisation deals with a data breach, creating an inadvertent vendor lock-in. For example, insurers can require the use of pre-approved vendors to deal with aspects of a breach, such as legal counsel, which the organisation may not want to use. Finally, by taking out insurance, there could be a sense of complacency that begins to spread throughout the organisation, with the mindset that because there is this safety net of a payout in the event of an incident, then there’s no need to strive to improve cyber security standards.

Ultimately, organisations would be well placed to do their own research into all the options before deciding to buy a policy. Cyber insurance can’t compensate for a lack of strong data protection policies and procedures. Regardless of whether they buy a policy, organisations still need to improve internal privacy and security measures, or they could fall foul of regulations like the General Data Protection Regulation (GDPR). Prevention is always better than the cure, and cyber insurance is not a substitute for a suitably developed cyber security plan.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.