You'd think, judging by much of the coverage you see in cybersecurity magazines and articles that we are in an ever-escalating arms race where the only course of action we have against threat actors is to get bigger, faster and more expensive technology. But that's like saying the only way to protect your home from burglars or a fire is alarm systems and bars on the windows.
Insurance is a viable option for transferring some of the risks away from your business. Much like traditional insurance products where you pay a premium so any losses you suffer because of an incident are covered by an insurer, you can now do the same with cyber-risks.
Meena Wahi spoke about cyber-insurance at this year's AusCERT conference.
Cyber-insurance is not a unilateral license that covers you in the event of any breach. Wahi, in discussing the recent WannaCry breach, said many companies that were affected would have been scrambling to find their cyber insurance policies and to understand what they covered.
Cyber insurance places obligations on businesses for governance, risk management and compliance said Wahi. Proposal forms typically ask for evidence of response planning and other governance processes. This is done so potential payouts are minimised.
"Cyber insurance is not just another policy. It places a lot of obligations for which there is little awareness in the market," she said.
Wahi said these policies cover both indemnity and liability. In other forms of insurance, typically only one of these is covered. Indemnity policies help cover all the costs of returning to a normal state following a breach or attack. It also covers, through the liability parts of the policy, costs associated with non-compliance that result in the breach or data loss.
Insurers, said Wahi, are trying to insure against the actions of outside forces as much as possible. By ensuring you have as many internal controls as possible, the policy can focus on supporting you in the event of an externally-launched act and not a negligent action.
It is important, she added, that proposal forms are filled out accurately. It is possible an insurer will not pay out if they were provided with incorrect information regarding security controls and compliance with appropriate frameworks and standards.
With many companies choosing to self-insure, Wahi said it is important for them to properly assess their risk appetite.
"Does the risk appetite of your business permit you to assimilate all of the costs involved in a cyber incident?", she asked.
There are many challenges in answering that question. There needs to be an assessment of how many incidents are expected, quantifying their cost, not just of losses but also of recovery, and then weighing those against the cost of insurance policy.
One of the more difficult losses to assess following an incident is the cost of the loss of reputation. Wahi said that while quantifying reputation is not possible, it is possible to quantify the costs of PR and marketing campaigns to help restore relationships with customers.
Insurers can, as part of their policy support, deliver a cyber-response team that bills their services to the insurance provider.
Another consideration, said Wahi, is where the intent of an attacker can impact what insurance policies are invoked. For example, an act of negligence resulting in a data loss that leads to financial losses might be covered through cyber-insurance. However, an identical act, this time carried out by a disgruntled employee, would be covered under criminal action insurance.
One of the issues many businesses face with cyber-insurance is that is can be an intangible investment. Adding new appliances and software may seem to be more concrete actions but insurance can have a stronger return on investment when assessed.