The growing threat posed by cyber-attacks, in conjunction with an increasing dependence on digital assets, has seen cyber security become a critical part of firm strategy. A company’s digital assets represent tremendous value, and the need to protect them is more critical than ever.
The overall cyber insurance market is growing at great pace, with enterprise organizations realizing that, regardless of their current security processes, security can never be 100% guaranteed. The growth of cyber insurance is related to the need to mitigate the damage from cyber security incidents.
How could we define cyber insurance?
Given the immaturity of the market in Europe, defining cyber insurance appears to be a complex and subjective issue. The coverage that is supplied is very much dependent upon the insurance company that you deal with.
It’s paramount to read carefully the terms and conditions of the subscribed product.
Early in June 2012, the ENISA (European Network Information Security Agency) did a great work defining characteristics of cyber insurance, plus highlighting the incentives and barriers of the cyber insurance market in Europe (1*).
According to the ENISA, cyber insurance is an insurance market covering first and third party risk relating to cybersecurity.
The Gartner group states that cyber insurance is a contract between an insurer and a company to protect against losses related to computer or network-based incidents.
As a nutshell, it’s possible to define cyber insurance to be a product that provides coverage against any sort of risk from electronic media such as hacking, IP infringements and data breaches.
Cyber insurance fills the gaps where traditional business insurance policies fall short.
The main issue for the customer or the insured company is that it is left in a position where it does not know what it needs to cover and how it can do so due to the absence of a standard definition.
What are the key drivers of cyber insurance adoption?
It’s not good news. Cyber attacks are global and on the rise both in the US and in Europe. Cyber attacks are growing in terms of frequency, business impacts and visibility.
The hacking of Target in 2013 is proof that any organization is still highly vulnerable. The data breach cost the Target corporation a significant drop in its profit, which was estimated around 40% in the 4th quarter of the year.
The increased digitalization of business value chains with the adoption of Cloud computing and Big Data means that one service can now hold the data of millions of customers and people and, as a result, represent a major risk if security is breached.
The EU plans future regulations and strongly focuses to protect online customer confidential and personal information. The regulation is set to impose fines of up to 5% of a company’s global turnover for serious data breaches that result from negligence.
The EU on-progress data protection regulation, combined with the threat of brand and reputation damage, will be probably key factors in the rise of the cyber insurance market in Europe over the coming years.
What are the key challenges?
Transparency between insured and insurer in their commercial relationship has to be increased to create incentives.
On the one hand, from the buyer’s perspective, premium costs are still perceived high, there is confusion about the insurer’s terms and conditions, the prescreening process is considered to be difficult and intrusive, etc.
On the other hand, from the seller’s perspective, because of the information asymmetry regarding the insured’s lack of historical data (e.g. vulnerabilities, and security incidents), rating the risk and pricing is quite complex.
For instance, to illustrate the chicken and egg problem for both sides: how is it possible to assess the value of customer data/an entire website to set up an appropriate insurance policy? Is it a mandatory pre requisite?
In order to bring more transparency, and to gauge the insured’s cyber risk exposure, it’s worth mentioning the Cyber Essentials initiative from the Cabinet Office in the UK (2*). The Cyber Essentials scheme helps businesses small and large by clarifying the basic technical controls needed to provide better protection against the most common cyber threats.
It’s all about risk management…
The financial and reputational damage that can result from a successful cyber-attack mean that cyber security is now to be considered as a business risk by the board (see https://business-digital-security.com/?p=22)
In this sense, cyber security is becoming a strategic issue and needs to be addressed with a strong and professional risk management approach, like any other business risks (strategic, financial, operational, etc.).
Cyber insurance does not, of course, remove the need for businesses to manage their risk from cyber attack. It should be seen as part of a holistic approach to cyber risk management including business controls, investment in security and education of staff and customers.
Risk management and risk transfer Cyber. For organizations to fully equip themselves in the face of a cyber security tsunami, it is critical that cyber insurance to be recognized and included as a key component of risk management and global security strategies.
As cyber-attacks continue to intensify and regulation comes into play, the EU cyber insurance market will continue to grow. However, do not wait for regulations!!
CIOs and CISOs should be the instigators internally for this approach. It is their responsibility to raise awareness in their organization.
They will have to take the lead and propose cyber insurance to the board.
It will bring more attention from the Board, maybe even more IT security budgets !
Business Digital Security Advisory
1. The ENISA survey “Incentives and barriers of the cyber insurance market in Europe”