Published on the 12/09/2017 | Written by Jonathan Cotton
As threats from cyber criminals mount (or at least the perception of it), insurers prepare for boom times…
With the global cyber insurance market expected to reach $14b by 2022, and with mandatory data breach legislation coming into effect for Australia in February, insurance brokers could be forgiven for thinking they’ve got it made.
The new Australian law will require that breaches likely to cause ‘serious physical, psychological, emotional, economic and financial harm’ (however you care to measure those), as well as ‘serious harm to reputation’, be reported to Australia’s Privacy Commissioner within 30 days. The new law will affect agencies governed by the Privacy Act and businesses with a turnover of over $3 million per year.
So far New Zealand’s mild attempts to implement similar regulation – in 2016 Privacy Minister Amy Adams said she’d release a draft of a new privacy bill by the end of the year, but that never eventuated – have floundered.
In either case, however, high-profile ransomware attacks such as WannaCry and Petya have forced the issue to the front of mind for many business owners, and insurers, smelling blood, are starting to pay attention.
There is always, of course, a frightening statistic at the ready: 88 percent of businesses are unprepared for a cyberattack, says NZI, with only six percent of New Zealand SMEs having cyber insurance, compared to 14 percent in Australia. Lloyd’s of London says a major cyberattack could cost the world economy $121.4 billion.
“At any given moment, cyber predators can unleash a new hack to infiltrate an organisation’s system, steal or lock critical data and cause significant business interruption damages,” said Nowell Seaman, president of the global Risk Management Society (RIMS).
“RIMS Cyber Survey shows that risk professionals continue to invest in cyber insurance products and must work in tandem with their insurers and IT professionals to help develop innovative and adaptable solutions for the next generation of cyber threats.”
The message, it seems, is loud and clear: Be afraid. Be very afraid.
But where does the truth lie? How effective is cyber insurance when it comes to breaches? Is cyber insurance essential to business continuity? Or is it all just FUD?
As usual the truth is a bit of all that.
Sure, businesses face plenty of cyber risks every day, and when it all goes wrong, things get costly. Loss of IP, business interruption, forensics costs, notification expenses, PR duties, legal costs, fines, and, increasingly, credit monitoring for affected users, can all take a heavy financial toll.
Don’t call your broker yet though. In 2017, the cyber insurance market is still an immature one and establishing a sense of proportion can be difficult.
There is precious little data available on the real scale and impact of past attacks and new threats are constantly arising and evolving. Just how does one produce an estimate for such nebulous threats? How much cover is enough? And for a reasonably complex mid-size business, just how many vulnerabilities are acceptable before insurers refuse to pay?
James Turner, writing for the Financial Review, put it best:
“Got a skeleton in your IT cupboard?”
“If you have an enterprise of any size or complexity, you’ll have many.
“Unlicensed software, software not patched either in a timely manner or in accordance with the insured organisation’s patch policy, undocumented systems, inadequate (or missing) audit trails, and non-compliance with any external obligations (e.g. PCI DSS) – any of these could be sufficient grounds for an insurer to deny an obligation to cover costs.”
Many cyber insurance policies have carve-outs that could exclude paying out for a breach, warns US-based financial advisor PNC Financial Group, “dependent on determining whether the company has taken sufficient steps to manage risks from cyberattacks.”
“Some legal experts warn there isn’t enough case law experience yet on cyber insurance to determine its overall effectiveness.”
But that will hardly stop players in a market so ripe for exploitation, at least in the short term, and with media coverage of the latest exploits making front-page news, it’s increasingly difficult for businesses to know what a proportionate response looks like.
“I see a state of volatility where cyber insurance is greatly consumed during peak news cycles (sometimes hype cycles) and stagnation (or decline) during all other times, which will ultimately hurt the long-term value statement of cyber insurance,” said Robert Vescio, managing director at cyber risk advisory service SSIC.
“I see brokers continuing to control the market for short term gains, which will eventually cause the demise of many providers if (or when) there is a significant systemic event. And I see buyers continuing the same old pattern of buying insurance without understanding their risk condition, which will only lead to a disjointed and negative experience.”
With still so much unknown, it’s very, very much a case of buyer beware, at least for now.
Simply put, most business owners have no idea what the financial cost of a breach or cyberattack would be, much less whether any particular policy represents a good investment.
As more legislation passes – and the news cycle continues to do what it does – the impetus to do something, anything may increase, but not the wisdom of knowing just what it is that we should do.
Cyber insurance may well be an important piece of the puzzle, but it’s still just one piece. Understanding the threat landscape, conducting regular risk assessments, having an actual response plan in case the worst happens, and actually taking precautions against that eventuality surely must come first.