Cybersecurity is a discipline is like any other management endeavour. Managers spend their working days worrying about risks to the people, processes and technologies that comprise their business.
Risk is a side effect of the trust that we place in others to achieve our aims. Securing the enterprise is the major aim of information security professionals, but healthy organisations do not grow in ‘no-risk’ conditions.
Management of risk is the primary aim of insurance, so in a world where everybody runs information security risks, it makes sense for companies to assess and cover the downside to the growth equation. Insurance is already used throughout mainstream business, from compulsory employer liability insurance, professional indemnity, export insurance, buildings insurance and many others.
Executives should learn to talk about the elephant in the room. Although managers may be reluctant to admit to vulnerabilities in cyber defences, in the multi-faceted and changing nature of cyber risks, it makes good business sense to be covered.
Insurance Company Factors
Selecting the correct insurer is critical to assuring the company and shareholders that the risk has been successfully mitigated. Due diligence checks on the insurer should be carried out to ensure that they are able to provide such assurances, including:
- Company Capability. Recent data breaches and cybersecurity incidents have produced massive claims on the ability and financial capacity of insurers to cope with large risks. Ensure your insurer is equipped to cope.
- Track Record. Does the insurer have the track record in handling potentially complex claims? This includes specialist underwriters, access to legal services and account handling expertise. As response times for cyber action are often short, you don’t want your claim to be the test bed for the insurers’ capability.
Areas of Cover
Having established that insurance is required through a reputable insurer, the levels of cover need to be calculated, and should take into account:
- Business Cover. The nature of online threats mean that it is essential that the cover you obtain is flexible to your business requirements. Business requirements cover items like reputational harms, loss of client confidence (and accounts), replacement of damaged physical equipment, and the costs of business interruptions and continuity.
- Professional Services Cover. Investigations are expensive, and hiring experts to investigate are a large part of the cost. Cover should include the costs of claims against your internal services, hiring breach investigators, instructing legal experts, and the increased costs of breach responses like forensic investigation support services.
- Extortion Cover. Whatever the rights and wrongs of paying online ransoms, some companies obtain insurance for consultants and cryptocurrency to mitigate the effects of cyber extortion.
- Digital Asset Cover. Ensure sufficient cover for hardware and systems that are damaged or compromised as a result of cyber-attacks, and the cost of disaster recovery in the event of service interruptions.
- Third Party Cover. As a result of a breach, damages and costs may be incurred due to misuse of cards, and as such, payments to card processors, brands and the affected financial institutions where agreements under legislation like PCI DSS are breached.
- Notification Expenses. The cost of legal and necessary notifications, advertising and brand protection to mitigate reputation damage and rehabilitation by ensuring compliance with the legal or other requirements.
- Support for Credit or Identity Theft. Caring for customers after a breach is essential, and the costs of this may include identity and credit monitoring services deployed on the behalf of the customer, including reimbursement and assistance in resolving any potential legal or credit bureau issues.
Cyber risk insurance can be a useful safety net for enterprises that are facing daily information threats, including extortion and exposure of customer confidential data.
Online breaches cost real losses. Responsible companies seek to eliminate and reduce the costs of a breach by implementing information security safeguards and controls to protect their reputation to ensure the peace of mind that customers expect. Even with safeguards in place, the residual risks of cyberattacks have the potential to cause financial and reputational damage to organisations.
It is in covering these residual risks that insurance has a place in corporate governance. Although some companies seek to insure against regulatory compliance breaches and the fines imposed as a result of the GDPR, responsible companies spend budget protecting data and information to ensure compliance with the law first, and use insurance as a ‘rainy day’ back up where the controls have failed to protect.
In this way they benefit from the reputation dividends of good cyber security whilst keeping insurance premiums at a minimum.