Do you need hacker insurance?
Touted as the next big thing by the insurance industry, cyber insurance is coming to your peers – but should you take the plunge?
According to media reports, the next big thing is cyber insurance, as enterprises rush to protect themselves from the negative impacts of a breach.
In a report by Bloomberg, Munich Re estimates that cyber insurance premiums could rise to between $8.5bn and $10bn by 2020 from about $3.4bn currently.
“We are optimistic that it can develop into Allianz’s and the industry’s next blockbuster,” Hartmut Mai, chief underwriting officer for corporate lines at Allianz’s industrial insurance arm, told Bloomberg. “Cyber insurance is our key growth area at the moment.”
Apparently cyber insurance varies in scope depending on the client and the provider, but typically protects against data and network security breaches and associated losses, and insurers limit their liability to between $5m and $100m per client.
As a general indicator, the massive Yahoo breach cost the company $16m for the security incidents in the year ended 2016, with $11m going to nonrecurring legal costs. Interestingly, these seem to have reoccurred, according to Yahoo’s latest US tax filing, with another $16m heading out of the door, $5m of that being allocated to the forensic investigation, while $11m was "associated with nonrecurring legal costs", according to the SEC filing. Of course this is in addition to the drop in acquisition value, which fell by $350m (£279m) after the two serious breaches were publicly admitted.
However, it does present a clear picture of rising costs, and although the breach(es) in question are among the biggest ever in terms of customer records, it’s not hard to imagine a smaller breach, closer to home snowballing costs in a similar fashion. But is buying insurance, rather than investing in a better security stance, really the best way to go?
It’s easy to see why the insurance companies see cyber as a lucrative growth market - official figures from the UK Government just last week found that two thirds of large businesses experienced a cyber breach or attack in the past year.
The Government also found that in some cases the cost of cyber breaches and attacks to business reached millions, but the most common attacks detected involved viruses, spyware or malware that could have been prevented relatively easily. Only half of all firms have taken any actions to identify and address vulnerabilities, although larger firms are more on the ball, tending to address vulnerabilities on a monthly basis. In spite of this, only a third of all firms had formal written cyber security policies and only 10 per cent had an incident management plan in place.
Ilia Kolochenko, CEO of High-Tech Bridge said: “Many large companies and organizations can be easily hacked without any expensive 0day exploits or advanced APT techniques. Companies spend millions on emerging security technologies, being partially misguided by market hype around new technologies and AI, forgetting to mitigate the very basic and fundamental risks. Comprehensive and holistic risk assessment remains vital for every company regardless its size, otherwise any spending on cybersecurity will be useless.”
So, do you really need cyber insurance? Well, while it might offset the financial costs of a one-time breach, the premiums will start escalating steeply if no remediation is taken. There is a simple formula to minimising the need for insurance in the first place (as discussed in more detail in this CSO IT security strategy post):
- Identify your digital assets. Conduct a comprehensive digital assets inventory, including software, hardware, users and data (including data in cloud and on mobile devices).
- Conduct a holistic risk assessment. Identify, assess and prioritize all cyber risks applicable to your particular company and your business processes. Involve as many stakeholders as possible, and remember that no single security standard is a replacement here!
- Make vendors compete in a result-oriented RFP. No one size fits all, and What works for others may not necessarily work for you, so don’t make a decision before you try a product in your particular business environment.
- Finally, assure continuous monitoring. It is vital for your business continuity and security to get instant notification about any changes, incidents or other anomalies in your network. Also make sure that contact details for the full range of potential issues are clear and up to date!