What does cyber insurance cover and is it worth the investment?

Sales of cyber insurance policies are increasing and have been steadily doing so over the past few years. There are now numerous specialist cyber insurance policies designed to cover the various aspects of a cyber-attack or incident, but are they worth it?

By John Higginson

Advisory Consultant

14 Aug 2018

This blog will explore the pros and cons of cyber insurance as well as what to look for if you decide that insurance is right for your business.

Why you might wish to consider cyber insurance

Unfortunately, as was aptly demonstrated last year through both WannaCry and Petya, no-one is immune to cyber incidents, and you don’t need to be specifically targeted to fall victim. Indeed, there are many different cyber incidents that could befall your organisation: you could suffer a data breach via a hack of your systems or someone being tricked into giving out your data (known as social engineering), your data could be damaged by ransomware, or someone could just leave a laptop on a train. So insuring against all of these events is a good idea, right? Maybe…

The case for insurance

The whole point of any insurance is risk mitigation by transferring the risk, in this case to the underwriter. What is good about this approach is that the potentially significant initial financial costs of a major cyber incident should be covered (depending on policy wording – beware, not all policies are the same and they certainly don’t all cover the same risks…). From a short-term financial perspective, this can be weighed up quantitatively against other risk management alternatives using normal risk formulae, and it can often be very cost effective, particularly in the event of a cyber incident, where the insurance should cover the majority of technical, forensic and legal costs, potentially well above the cost of the policy itself. However, as with other types of insurance, you need to ensure that you comply with the security controls or standards outlined in your policy documents. To use a ‘normal’ house insurance analogy, you are unlikely to be covered if you leave the front door of your house open; unsurprisingly, the same is the case for cyber insurance, so make sure you keep the doors and windows closed!

In line with this, we are seeing insurance providers starting to request pre-insurance questionnaires about your existing controls and security measures, in order to understand the underwriting risk they are exposing themselves to and to allow them to price a suitable policy for your business appropriately. In theory, the better and more robust your controls, the cheaper your insurance premium will be…

The case against cyber insurance – not a silver bullet…

Whilst insurance has some positive aspects, the longer-term and intangible impacts of a major cyber incident simply cannot be insured against. Reputational damage, disruption to business outputs and loss of data or intellectual property can all have a considerable impact on share price, credibility and customer confidence, and these are not typically covered by cyber insurance. As a good example of this, the TalkTalk data loss incident is estimated to have cost the company £60M overall and lost it over 100,000 customers. Secondly, regulatory fines for data loss, now particularly pertinent under GDPR, are very unlikely to be covered, and these can be considerable, depending on the due diligence in place. Furthermore, probably the biggest argument against cyber insurance, and one often cited by large organisations, is that the cost of the policy could and should be better spent on IT security instead, so perhaps that strategy might be more appropriate?

Security controls instead of insurance?

Controls and technological solutions can be very good and can mitigate risks to some extent, but nothing and no-one is infallible, particularly in the fast-moving technology space of cyber security, where the bar is constantly being raised. So, regardless of what controls or technical solutions you put in place, some residual risk will remain. Understanding where the gaps in your defences are is not always straightforward, so getting some expert help here can pay dividends and allow you to make informed and cost-effective business decisions to mitigate the cyber risks to your business. Regardless of whether you opt for insurance or not, it will be well worth understanding how secure your business is: if you do go for insurance, it should be cheaper; and if you decide not to, you can mitigate risk by improving security controls on an informed, and therefore cost-effective, basis.

So what is the answer?

Unsurprisingly, there is no simple answer, and the different options available will appeal to different organisations. That said, at the heart of this issue is understanding what threats your organisation faces and how effective the controls you have in place are, which then allows you to make informed decisions; in short, understand the problem in order to deal with it effectively. On top of this, proactive planning and preparation will stand you in good stead should your organisation have a serious incident – you can’t expect a plan (if one even exists) that has been gathering dust on the shelf for some time, and that no one really looks at or understands, to be of much use.

Some considerations if you do decide to buy:

  • Firstly, as alluded to earlier, insurance companies are increasingly sending out questionnaires for businesses to complete before either quoting or commencing cover. You will need to ensure you answer these absolutely honestly; if you are not sure, then either get technical help or say you don’t know – as with all insurance, failure to do so could invalidate your policy.
  • Secondly, make sure you read the small print, understand what you are buying (and whether it is therefore worth the premium) and confirm that it fits your needs. Not all policies are the same; they do not all cover the same things, nor to the same level.
  • Finally, ensure you understand the notification and claims procedure. Most insurers will want to know of any incident as early as possible, and they may well have preferred and accredited incident response suppliers who will be able to assist throughout. Failure to follow the set procedure may mean you incur some or all of the costs…

Conclusions

Cyber insurance can take the sting out of the potentially huge initial financial costs of a major cyber incident, which may well be more than the premium. However, it is not possible to transfer all the risks and insure against the complex intangible and longer-term impacts, and so it may not necessarily be the best strategy for all organisations, where other risk management approaches may be more cost effective.

Regardless of whether your organisation opts for cyber insurance, there are significant benefits in understanding the effectiveness of your controls, and there is absolutely no substitute for being prepared and able to respond effectively. Whilst you hope never to need an incident response plan, it’s reassuring to know it’s there and that it works if you do. If you are thinking about cyber insurance, make sure you dig into the weeds of the exclusions – not all policies are the same!

If you would like some help in better understanding your threats, the effectiveness of your security controls or how prepared you might be to respond to a cyber incident, then please do give us a call.

About John Higginson

Advisory Consultant

John is a member of our Advisory team, see our Contact page for ways to get in touch.
