No business is immune to a cyber-attack. It can wreak havoc on the IT environment, and on the bottom line. Precautions to prevent it are essential, but not foolproof. As with any other kind of risk, insurance is one way of limiting the financial fallout from a successful attack. However, despite the ever-increasing incidence of cyber crime, cyber insurance is still in its infancy.
According to a SurfWatch white paper, “Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk”, a wide array of cyber insurance coverage options is available, but they are of limited use because a standardised assessment of cyber risk does not yet exist.
It says that difficulties in analysing risk for the purpose of setting insurance premiums have plagued the industry since its inception. “Questionnaires are frequently used to evaluate the cybersecurity of a company. However, there is no standard metric for these questionnaires. Between insurance companies, the questions and outcomes can vary significantly. Additionally, the questions may not provide an accurate measure of the actual state of a company’s cybersecurity.”
Compounding this problem is the interconnectedness of systems. “The more networks with which a single business interacts, the more risk it is subjected to. In order to get a clear picture of this risk, each third-party network must be assessed. This proves a daunting task for insurance providers, in particular because there remains no standard, quantifiable metric for cyber risk assessment.”
A full understanding of the cyber risks an organisation faces is important, not only if it wants to take out insurance, but to enable spending on security to be prioritised appropriately: to determine what defences merit the greatest expenditure.
The paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk information, and what cyber insurance options make the most sense for a business.
It lists the four main types of cyber insurance as being:
- Data breach and privacy management coverage, which covers costs associated with managing and recovering from data breaches, including investigation, data subject notification, credit monitoring, and associated legal fees.
- Multimedia liability coverage, which covers defacement of websites, media, and intellectual property rights.
- Extortion liability coverage, which covers damages incurred from extortion. This could be used in the case of DDoS attacks that demand ransoms, for example.
- Network security liability, which covers costs associated with denial of service and third-party data theft.
However, it says all suffer from significant limitations. Cyber liability insurance generally covers only the immediate effects of cyber-attacks, and if a company is not large enough to sustain the investment needed until it has fully recovered from the consequences of a breach, the expenses could be enough to drive it out of business.
More worrying is the fact that coverage against state-sponsored cyber-attacks is not available, and these attacks are on the increase. The paper quotes a transparency report published by Verizon saying this type of attack tripled between 2012 and 2013.
In April this year, network security company FireEye released a report detailing an advanced persistent threat attack group that had been operating largely undetected for a decade and that, FireEye said, was most likely sponsored by the Chinese government.
In short, there is no ‘magic bullet’, but the paper concludes: “Looking at cyber risk from a business intelligence perspective will help you understand what’s going on in the cyber world around your business, identify your potential short-term and long-term risks and balance them against the cost and value of the insurance policy.”