For nearly all companies, a certain amount of risk is part of the price of doing business. Whether it is the risk of a building burning down, an employee committing fraud or a cyber attack knocking out IT systems, some problems just are not predictable, and the best you can do is take out insurance to mitigate against damage.
And when it comes to cyber attacks, there is usually quite a bit of damage. According to IBM Security and the Ponemon Institute, the global average cost of a data breach in 2020 will be around $4 million (€3.65 million). A lot of people have been hit in the last few years, and it seems like it is a problem that is not going away anytime soon.
Despite this, PwC says that less than a third of companies have cyber insurance, a statistic that seems set to change in 2020 due to growing awareness of the scale of problem presented by cyber security breaches.
“Cyber is now a key risk for all organisations as digitalisation and the security of information is an essential part of almost every business model, be it a spreadsheet of customer information, an online booking system or an entire IT platform. The down time of customer-facing or backend systems can hugely impact operations,” said Michelle Boland, cyber team leader for AIG Ireland.
“Intensifying regulations means there are tougher notification requirements after a cyber incident and more scrutiny on how incidents are handled, and this is raising the stakes for all businesses. You are probably familiar with other forms of business insurance like liability, property and so on, but these do not fully protect against the evolving threat that cyber brings.”
Cyber insurance can cover the financial costs associated with a breach or suspected breach of data, as well as first party costs including event management, data restoration, financial costs to third parties, network interruption, data protection investigations and cyber extortion.
“Let’s look at an everyday example. Take a retailer with 20 stores throughout the country, one month before Christmas – sales and online orders will be at their seasonal high. For many retail companies in this position, it is finally time for the business to make money,” said Boland.
“But imagine that when upgrading IT storage, the retailer suffers a serious cyber attack that encrypts all of its files, including those held in the cloud. The shops will still be able to trade using manual tills but the attack will leave the company unable to replenish stock in stores and process online orders. This in turn will lead to major business interruption.”
Cyber Insurance can cover companies for damages arising out of a data breach or a security failure like this. According to Boland, some of the major cyber risks AIG’s clients are insured against are incidents like business email compromise, ransomware, data breaches by hackers and employee negligence.
“We also help protect our clients should they fall victim to an attack by providing them with access to vendors that offer specialist IT, forensic and legal support to mitigate any form of cyber losses. We’re in the business of risk management and to put it simply, we have to keep up with the greatest risks facing organisations in this changing environment,” she said.
“Traditional risk includes things like fire, flood, trips and slips and so on but cyber has been on our radar for over 20 years and continues to become more prevalent and sophisticated year on year in the risk management landscape. Cyber-attacks are the fastest growing, and perhaps most dangerous threat facing organisations today.”
According to Dani Michaux, head of cyber for KPMG, a serious issue for companies thinking of taking out cyber insurance is working out exactly how exposed to risk they are.
“A lot of the time, companies haven’t even thought about cyber insurance, especially smaller companies, and the reason is that they haven’t really come to terms with the level of cyber risk exposure that they have,” she said.
“If you compare this situation to fire insurance for example, all companies understand the need for it. They know they have a building and they know they’d be unable to operate if the building burned down. Therefore, they insure against that risk. But if they don’t understand their cyber risk exposure, then it doesn’t occur to them that this is a risk in the first place.”
For companies that do ‘get it’ and have thought through the consequences of suffering a cyber incident, the next question is how best to approach the issue in their portfolio of insurance. For example, can they even get the insurance they need?
“Are you fully clear about this? What exactly are you looking for? Are you afraid of an inability to meet potential ransom demand payments, or inability to meet third party class action lawsuits against you? Again, it comes back to understanding of exposure and how it’s linked to the business. Once the company understands this, then the question becomes about quantums,” said Michaux.
Over the last four and half years, according to Michaux, insurance companies have seen a lot of growth in the number of cyber incidents taking place and in particular in the number of ransomware incidents that have occurred.
As a consequence, the use of forensics has grown and the granularity with which insurance companies are seeking to understand the problem has increased. Many companies are also under the impression that their existing insurance policies will cover cyber-related incidents, but this is often not the case. In fact, many insurance companies have started to explicitly exclude cyber claims under traditional policies.
“There have even been cases in the US and Australia where insurers have not paid out on claims in cyber insurance policies because they’ve suggested that the incidents were actually acts of war, and as a result not covered. If you have a nation state or a state actor carrying out an attack, then you can see where the problem arises,” said Michaux.
Reading the fine print of your contract and making sure your insurance covers you for what you think it covers you for is the point here.
“Technology used to evolve in companies gradually, but we’ve seen a lot of modernisation in recent years and there has been huge levels of deployment across all sectors. We used to say that sometimes executives sleepwalk into the level of exposure they have. This was when people more or less did the same job in the same way for 20 years,” she said.
“But that’s no longer the case. The methods by which business is done have changed and technology is relied upon at all levels and at all sectors. We’re seeing data analytics and robotics, automation and AI being used more and more, and that’s new. Of course, it also changes your cyber risk exposure but while methods have changed organisations can still be a little bit slower than they should be in identifying the way this exposes them to risk.”
According to Paraic Joyce, insurance partner with PwC Ireland, a serious issue for companies in this area is that there is a lot of uncertainty in the market.
“People don’t fully understand the risks they’re exposed to and the offerings in the market are still evolving. It’s a very immature market outside of the US,” he said.
“In the US, the market for cyber insurance is considerably ahead of the rest of the world. I saw some 2017 stats recently which said that around 60% of premiums spent on cyber insurance were in the US, and while things have moved on, I’d say that’s not changed hugely.”
Part of the issue, suggests Joyce, is that brokers and insurers are more active about offering cyber insurance services in the US than compared to here. Given the global nature of insurance as an industry and the global footprint of the big companies, this is surprising.
“The insurance industry needs to become better at making companies aware of the risks they’re exposed to and the fact that these are insurable risks. This is a major issue, as many companies don’t really fully understand their exposure,” he said.
“Ironically, even though I believe every company should have cyber insurance, I’m not sure the market would be able to provide what they need. Probably a lot of companies don’t even know what they need. The reality is that it’s an evolving market and cyber insurance is an evolving product.”
According to Joyce, cyber insurance generally covers a number of things. The first is the cost of an incident happening and of recovering data.
“This is the cost of putting you back where you were before the incident. It can cover the business interruption caused by a breach, such as loss of revenue or of the business having to be closed down temporarily because of a breach,” he said.
“It can also cover the cost of any funds that you lose on transfer by there being an incident, and also, interestingly, it can cover the cost of any extortion such as a ransom that you might have to pay. I was surprised when I first became aware of this, but it is there as a thing you can insure against.”
One challenge for companies offering cyber insurance is the lack of public data available. When a company suffers a data breach, it is generally not in a rush to publicise the fact. In certain cases, the directors can be obliged to do so by regulation, but this general reluctance makes it hard for insurers to create products that are tailored to a particular customer.
Nevertheless, it is a growing market, and as press reports of security breaches continue to come, companies of all sizes are asking themselves about their levels of exposure to risk.
“It’s in all company’s interest to identify the risks to their business and if you think you have a risk, then you have to do something with that information. You can either just accept it or you can try to minimise your exposure,” said Jacky Fox, managing director for security with Accenture.
“Companies take out cyber insurance for a number of reasons, most usually because they can’t minimise it – the risk might be tied up in a core aspect of how they operate or it can actually be cheaper to transfer the risk than it would be to put in place controls to minimise it.”
According to Fox, companies do not have to be particularly large to be able to benefit from cyber insurance – an SME could do it just as effectively as an enterprise-scale company.
“Typically, when people are taking out cyber insurance, they’re actually insuring themselves against the cost of dealing with a breach, regulatory fines or getting their business back online. It’s quite a specific thing they’re insuring against,” she said.
“There are parallels between cyber insurance and car insurance. If you insure a five year old car, and something happens to it you’re going to get paid back to the value of a five year old car. It gets you back to where you were before you had the problem, and that’s the same with cyber insurance.”
“So ironically, it could be even more important for SMEs to have this in place than a large enterprise, because they might not have a full understanding of what it might cost to get them back up and running again. The more people that get into it, the more community loading there is.”
Fox reiterates a point made by others – the first step to effective mitigation of cyber risk, and the only way to make good use of insurance to do this, is to have a really good understanding of how exposed a company is to cyber risk.
“It sounds obvious, but it’s very important that companies understand what their assets are, whether that’s technology, people or intellectual property. If you don’t understand that then you can’t really look at the risks to your business and identify areas that need to be insured,” said Fox.
“It’s interesting that insurance companies are starting to use this understanding as a metric for working out what a company’s premium should be. So the better you know your company and its degree of exposure, the better you can tailor your insurance to your precise needs, and hence pay less for that insurance.”