There’s nowhere left to hide. Now that the notifiable data breaches (NDB) scheme and EU general data protection regulation (GDPR) legislation are forcing companies to reveal the true extent of their data-security deficiencies, takeup of cyber insurance is surging as businesses weigh up the very real financial risk of non-compliance.
Concerns over preparedness for GDPR, in particular, have led to cyber insurance investments by nearly 40 percent of respondents to a recent Centre for Information Policy Leadership-Avepoint survey. This level of adoption is significant given that the cyber insurance market has itself been fast evolving as global reinsurers feel their way towards something resembling actuarial certainty in the space.
There’s no telling how much the significant breaches of last year sent those actuaries back to the drawing board. Estimates suggested that high-profile breach victim Equifax, for example, had less than $US150m ($A194m) in insurance coverage but its breach is expected to ultimately cost far more than that.
And FedEx, whose run-in with NotPetya was said to have cost it $US300m ($A389m), was reportedly only considering cyber insurance after realising the horrifying magnitude of the damages.
Companies around the world are said to be doing the same, presaging a bull run for cyber insurers that are willing to take on the risk of potential nine-figure payouts. Danish insurer Tryg, for one, saw demand for its cyber insurance policy quadruple in the wake of WannaCry.
The situation in Australia has been somewhat more variable. Local insurers were behind the global curve in introducing broad cyber insurance policies, with Cyber Plus only launching a small-business insurance, security response and security software bundle after what director Paul Waite told CSO Australia was five years of market research.
“Cyber insurance has always proved tricky because there are so many moving parts,” he said, “and a lot of people particularly haven’t got a full understanding of the impact to the supply chain if a third party has a data breach event.”
A recent survey by US law firm Fox Rothschild concluded that cybersecurity insurance is “popular, but poorly understood” despite 70 percent of surveyed executives reporting their company has cyber insurance.
The firm’s analysis noted that the figure is “significantly higher than in other surveys… [and] it might… indicate that some respondents incorrectly assume cyber matters are covered under other existing commercial policies” including directors’ liability insurance and errors and omissions insurance.
Getting the risk right
If confusion about the necessary scope of cyber insurance – and the coverage already in place through other means – is widespread, the growing awareness of the potential cost of data breaches has only increased the imperative for risk managers and business executives to get across their cyber risk exposure.
The need to revisit and implement appropriate cyber insurance will also be an opportune time for executives to revisit and strengthen their relationships with CSOs and other cybersecurity practitioners, who are charged with implementing the security tools and controls necessary to meet what may be strict requirements for coverage.
If these controls are absent or inadequate, certain conditions intrinsic to many cyber insurance policies may fail to be met – potentially invalidating a claim made in the wake of a devastatingly effective cyber attack.
Paying close attention to the conditions of policies will help differentiate the many insurance products in the market, and it may also help companies pursue data-protection best practice by laying down the areas where insurance underwriters have identified the most significant cybersecurity risks.
Compliance with the Australian Signals Directorate’s Essential Eight protections is a good place to start. If a company can demonstrate close adherence to these widely accepted best practices, its case for insurance coverage will be all the stronger.
Yet maintaining adequate controls requires more than just policy compliance, as the Australian Cyber Security Centre notes in its Threat Report 2017: “The initial cost of implementing robust cyber security mitigation and incident management strategies, such as ASD’s Essential Eight, may seem high for some organisations.”
“However, it represents an important investment, reducing long term costs and risk…. Maintaining a secure and robust network involves more than performing routine system maintenance and relying on the latest software and applications for network security. Investing in trained personnel will prove more beneficial than investing in software and applications that existing personnel may not be able to support.”
Among their many criteria for cyber insurance, insurers may well expect that processes, tool investments, staffing strategies, and cyber response plans can be demonstrated to be both robust and ongoing. This may prove tricky, given that 53 percent of the executives responding to the Fox Rothschild survey said their cybersecurity and data privacy budgets are insufficient to respond to a data breach.
A change of focus
Little wonder that, as the market matures, the focus of cybersecurity insurance is shifting from remuneration to remediation. Like Cyber Plus, insurers are increasingly revising their offerings away from being purely focused on reimbursement, to providing policies that combine financial and cybersecurity protections with active access to fast response capabilities.
Over time, additional clarity around cybersecurity opportunities and responsibilities will steadily grow the market. A recent Aon evaluation of the Australian cyber insurance market presaged an uptick in insurance as awareness increases thanks to NDB and GDPR obligations, noting that the current market offers around $150m in coverage but “is on a fast moving upwards trajectory and has been growing at levels not previously seen in traditional lines of business.”
This may not necessarily translate into lower prices, Aon warns, since heavy discounting by early market entrants means that premiums are now approaching minimum levels.
Despite these incentives, Australian businesses are in the middle of their overseas peers when it comes to engagement with the cyber insurance market. A recent Aon survey notes that 48 percent of Australian companies have purchased cyber insurance, while 45 percent have not purchased cyber insurance and have no plans to do so.
This spread differed markedly from North America, where 68 percent of businesses have insurance and 19 percent have no plans to buy cyber insurance – but it was still ahead of the European market, where just 17 percent of businesses said they had policies and 61 percent said they had no plans to purchase one.
Such categorical decision-making is surprising in light of the rapid and fluid cybersecurity threat climate, which continues to evolve in the context of increased compliance. And despite the high percentage of Australian companies with no plans to buy insurance, fully 32 percent of companies said they had not conducted a cyber risk assessment – suggesting that many companies are opting out of insurance before they truly understand their actual exposure.
This is a dangerous combination – and, as many companies are learning, potentially a costly one. Yet while cyber insurance may help with the costs of getting the business back up and running, even the best policy won’t restore destroyed data or shattered corporate reputations. Whatever formal insurance policies offer, a cybersecurity-aware culture of actionable policy may – as ever – be the best insurance policy of all.