Cyber Insurance Report 2017 - 2018
New cyber threats are constantly evolving and all organisations must improve their cybersecurity preparedness. While it is not possible to have complete 100% cyber security, there are some recommended measures and processes that can significantly reduce the cyber attack’s success and recovery can be effective and fast.
Operationally efficient cyber security measures and insurance when combined together produce a very workable solution. This process until recently was not clear or practically laid out by a competent insurance organisation, but recently this has changed.
The process required for the full insurance policy to operate is discussed in this report.
The process reduces an organisation’s cyber security attack risk and extensively improves the staff’s knowledge, security and IT engagement and then it offers an effective insurance policy.
This report reviews the current commercial cyber insurance situation and learns lessons from the past and thoughts on the future.
Major 2017 Commercial Cyber Security Issues that should be monitored, reduced and Insured by all Organisations
Cyber insurance focuses on the main cyber threats to business and organisations.
The four main cyber threat areas are Hacking attacks which now are 31% of the cyber security problem, followed by Malware at 27%, Employee’s lacking training 22% and specific IT weaknesses 20%.
This new cyber insurance process should include cyber training for all organisational staff and management and a cyber IT Audit, that reviews and monitors IT systems security effectiveness and suggests changes and improvements.
The IT Audit report highlights areas of security vulnerability and potential hacking concern. These vulnerabilities and new areas of threat should then be monitored, on an on-going basis, as potential attackers are currently changing and adapting to the current IT security systems.
This insurance security training, monitoring and policy is very important as it effectively covers prevention, cyber-attack and recovery. Also, because the training and assessment reduce the cyber-attack risks, often the overall costs of the cyber insurance policies could then gradually be reduced as the security assessments improve.
Executive Summary
Cyber security’s increasing prominence has spawned a new awareness of risks to business from a variety of threats, including ransomware, systems shutdown, breaking cyber law, the theft of intellectual property and customer data; operational impairment, the destruction of physical property and the exploitation of system vulnerabilities.
Despite that increased awareness, the insurance industry’s response to date has largely been directed at data-breach risk, but this is only now realised to be a relatively small aspect of cyber risk.
The broadening of the risk spectrum makes cyber risk a game-changing phenomenon that can affect numerous lines of insurance coverage as well as escalate costs and losses far beyond those of a typical privacy breach.
The more positive news is that more comprehensive coverage is getting closer, since the insurance industry has signaled that it is willing to deploy its risk-financing capacity behind the right framework. This will give CFOs and financial risk managers the appropriate tool to use in tandem with the controls that are being deployed by their operational risk management peers.
However, what is clear is that much more work and understanding is required by the individual business about its internal IT structure, its employees, their security risks and the exposures to the industries and services that the business is working within and where its exposure for risk exists.
What has become apparent is that current insurance policies do not adequately cover cyber risks.
Recent work in Cybersecurity is often aimed at Cyber-Attack detection, reduction and elimination of Cyber-Attacks. However, it should also analyse the potential risks and understand the changes that are taking place internally within your organisation and the broader legal issues that will affect your area of business.
In a business environment that seems chronically susceptible to breaches, purchasing cyber-risk insurance may sound like common sense. Yet despite the historic increase in data breaches in 2016, more than 42% of large corporates and two-thirds (67%) of small and medium-sized businesses (SMBs) are unaware of what cyber-insurance cover they have. Only 8% of SMBs surveyed actually hold cyber-insurance.
The area of greatest concern is still the need for understanding the business’s liability for a hacker’s breach and this is cited by 31% of respondents.
A knowledge of insurance premium costs is a relatively distant second, cited by 20% of the sample, while factors such as understanding the likelihood of a breach or knowing exactly what the policy would cover lag even further behind. Almost one-fifth (19%) said that they would never purchase cyber-insurance, unless required by law.
The confusion doesn’t stop there: Only 18% of businesses are “very confident” that they understand the financial cost of a breach itself (e.g., fines, lawsuits or legal fees). A further 46% hedge their bets, claiming to be “moderately confident” that they understand the costs of a breach, while the remaining 36% (combined) are much less secure.
GDPR – Legal Regulations effective from May 2018
And on the legal front the EU General Data Protection Regulation (the “Regulation”) coming into effect on 25 May 2018, which replaces the Data Protection Act 1998 largely repeats the security principles set out in the DPA.
However, the GDPR enforces a much tougher and stricter regime, with more severe penalties for data breaches.
Given the changing security attack horizons and the new legal requirements it is now clear that Cyber insurance needs a new secure process.
An organisation needs to be monitored, employees trained and the operation needs to be connected to secure irregular [ad-hoc?] Cyber assessments that specifically review an organisation’s IT systems, reviewing the operations security systems and hacking vulnerabilities.
Synopsis of the Current Situation
Cyber exposures have been included within core general and commercial insurance policies for over two decades and it was only following Y2K, the Millennium bug in 2000, that these cyber exposures started to be specifically excluded.
The realisation within the market that Cyber exposures are increasing and at present cannot be measured is leading to the emergence of a specialist standalone Cyber market which, has initially focused on high risk areas such as Healthcare, Finance and Retail, so far mainly in the US.
The UK and Europe have lagged behind with cyber insurance but this will likely change in May 2018 when GDPR, (General Data Protection Regulation), will be implemented.
Most current Cyber policies aimed at SMEs are not bespoke enough to take into account the varying nature of the exposures each business presents. The market is seen as price conscious, due to its infancy, and therefore the premiums being charged are of such a low level that the industry has no incentive to bespoke cover and this is leading to fundamental mistakes and under-coverage of entities that have Cyber exposure.
You get what you pay for, so the insurers would say, and insurers are creating policies that are designed to cover only the bare minimum of risks with high deductibles and key exclusions within them.
These policies, although expensive as a stand-alone insurance product, are only priced to provide very limited cover. Often the insured clients are not aware of what they are actually getting form their policies and most businesses are unaware of the cyber risks and their business coverage and large gaps.
Larger companies are faring slightly better, as at the more specialist end insurers can justify spending time and money on getting to know an insured’s Cyber footprint better and building a policy to cover their needs. Brokers are struggling to bring themselves up to speed and educate themselves on Cyber threats. The larger multi-national brokers are investing heavily in this space but with a focus on larger risks.
This is a sure sign of a market which is only one major loss away from a significant reputation damaging event. Insured being unable to claim for events that they thought they were insured for, will damage the reputation of Cyber insurers specifically and the insurance market in general.
There is however a new breed of insurer which is looking to focus on Cyber Insurance, bringing industry experts into the underwriting and pricing process. This, along with enhanced wordings and variable insurance coverages, is the next generation of Cyber Insurance
This tipping point feels like it is only a few (3/5) years away when businesses, which deal with large amounts of data that don’t have a full Cyber resilience strategy including a bespoke insurance policy, will be the exception not the rule.
Current Market Risk Overview
The infrastructure, the users, and the services offered on computer networks today are all subject to a wide variety of risks posed by threats that include distributed denial of service attacks, intrusions of various kinds, eavesdropping, hacking, phishing, worms, viruses, spam, etc.
In order to counter the risk posed by these threats, network users have traditionally resorted to antivirus and anti-spam software, firewalls, intrusion-detection systems (IDS), and other add-ons to reduce the likelihood of being affected by threats.
Currently IT security research efforts are centered around developing and deploying tools and techniques to detect threats and anomalies in order to protect the cyber infrastructure and its users from the resulting negative impact of the anomalies.
In spite of improvements in risk protection techniques over the last decade due to hardware, software and cryptographic methodologies, currently it is very difficult to achieve perfect/near-perfect cyber-security protection.
Cyber risks arise due to 3 essential reasons:
1. No independent sound technical/IT solutions measurements.
2. Lack of IT security education for the Management and Staff.
3. Misaligned incentives between network users, security product vendors, and regulatory authorities regarding protecting the network.
Proponents of cyber-insurance believe in the design of insurance contracts that would shift appropriate amounts of self-defense liability to the clients, thereby making the cyber-space more robust. Here the term ‘self-defense' implies the efforts by a network user to secure their system through technical solutions such as anti-virus and anti-spam software, firewalls, using secure operating systems.
Threat Sources
A Cyber-attack may involve a hacker, a virus, malware, phishing or other activity on your computer system.
Attacks can come from outside your company; examples are a virus attached to an email entering your system and computer code used by a hacking group to access your computer.
Attacks can also come from within say, by “rogue” employees. The effects of such attacks can be devastating and widespread. A single event may result in any of the following:
1. Loss or Damage to Electronic Data
A Cyber-attack can damage electronic data stored on your computers. For example, a virus damages your sales records, rendering them unusable. The problem then of recreating them is a time-consuming process that involves sifting through old invoices.
2. Extra Expenses
A Cyber-attack may cause you to incur extra expenses to keep your business operating. For instance, after a hacker damages two of your computers, you are forced to rent two laptops for your employees to use while your computers are being repaired.
3. Loss of income
An attack may also cause you to lose sales. For instance, a denial of service attack makes your computer system unavailable to customers for two days, shutting down your business. During the shutdown, your customers go to your competitors, causing you to lose income.
4. Network Security and Privacy Lawsuits
A Cyber thief may steal data stored on your computer system that belongs to customers, vendors and other parties. These parties may sue your firm. For example, a Cyber-thief hacks into your system and steals a customer's confidential file that reveals his sexual orientation.
The hacker makes that information public and your customer sues you for invasion of privacy.
Alternatively, a hacker steals information about a customer's upcoming merger. Because of the theft of the data, the merger falls through. The customer sues you claiming your failure to protect its data caused your customer to incur a financial loss.
5. Extortion Losses
A hacker steals sensitive data (yours or someone else's) and then threatens to post it on the Internet unless you pay a $50,000 ransom.
6. Notification Costs
The best example of this is the United States, where 46 of the 50 states have mandatory requirements for data breach notification. In the UK, the impending draft EU Data Protection Regulation includes mandatory notification of breaches, but the scale and timing of this new regulation is still to be determined.
7. Damage to Your Reputation –PR Issues
A cyber-attack can seriously damage your company’s reputation. Potential customers may avoid doing business with you because they think you are careless, your internal controls are weak or that an association with you will damage their reputation.
Background
Cyber-insurance is a risk management technique via which network user risks are transferred to an insurance company, in return for a fee, i.e., the insurance premium. Examples of potential Cyber-insurers might include ISP, cloud provider, traditional insurance organisations.
Early works in the 1990s focused on the general merits of Cyber-insurance, or protocols borrowed from digital cash to enable risk reallocation in distributed systems. In the late 1990s, when the business perspective of information security became more prominent, visions of Cyber-insurance as a risk management tool were formulated. Although its roots in the 1980s looked promising, battered by events such as Y2K and 9/11, the market for Cyber-insurance failed to thrive and remained in a niche for unusual demands. Coverage is tightly limited. Clients include SMBs (small and medium businesses) in need of insurance to qualify for tenders, or community banks too small to hedge the risks of their online banking operations.
Even a conservative forecast of 2002, which predicted a global market for cyber-insurance worth $2.5 billion in 2005, turned out to be five times too high compared to the actual size of the market in 2008 just three years later.
Overall, in relative terms, the market for Cyber-insurance shrank as the Internet economy grew. In practice, a number of obstacles have prevented the market for Cyber-insurance from achieving maturity.
Absence of reliable actuarial data to calculate insurance premiums, a lack of awareness among decision-makers as well as legal and procedural hurdles contributing to little demand. However, there is now a growing need for Cyber insurance policies even if this requirement has not been clearly reviewed and understood in most businesses.
Cyber liability is not a standard insurance product. Often, it will be tailored to meet a business' unique needs, but it protects against two types of risk – first-party and third-party risks.
From a first-party standpoint, it will cover things like crisis management, hiring a public relations firm to manage a data breach incident, costs associated with forensic analysis, the cost of repairing and restoring computer systems if there is a virus that destroys business software and data, and the loss of business income resulting from a data breach.
Current and Future Threats and Solutions
Future attacks lie with technological systems that are commonplace in business, or are now used as commonplace personal lifestyle accessories. With increased access to the Internet across new technological advancements, all of these become points for additional cyber-crime that can steal data, interrupt connection, or cause financial devastation.
For example, point of sale payment systems within large retail environments would be devastating for business if hacked, as has been seen with Target in 2014. While it is the large corporations that are mostly targeted for maximum impact, the extension of point of sale payment systems that now attach to your phone also puts the average business operator at risk.
The future of hacking will continue to see the realisation of significant disruption for maximum impact. And unfortunately, with technological advancement comes the pitfalls of this progress.
Conclusion and Solutions
Cyber-Crime is currently costing businesses around the world over $300 billion a year and Cybersecurity therefore needs to be a Main Board strategic concern. To help counter the cyber threat, Security Risks Teams should be formed that include the CIO, Strategy, IT and Development Directors as well as an independent Assessment Team who should regularly report about Cyber directly to the CEO and Main Board.
The Assessment Team should be independent of the IT department and its day-to-day operations and, on a random basis throughout the year, it should use white hat hackers to delve deep into the electronic systems looking for current and potential problems. This team should frequently report to the Board on changes of security and should produce current Cyber Reports.
An internal and external product/service development team should also frequently review Cyber opportunities and these should be reported to the Board and changes incorporated within the organisation’s strategy and tactics. [This is the first mention of cyber ‘opportunities’. I’m not sure it makes sense to include it in the conclusion when it hasn’t been discussed in the body of the report]
It is very important that there should be ongoing employee and management training about the current security measures that should be used by everyone working for the organisation. This training should not take up too much employee time but be focused on the specific areas relating to your own business IT systems and the processes required to keep them safe.
The Board should discuss worst-case scenarios with the CIO/IT Director and a review should independently take place using outside consultants to audit the organisation’s particular security threats and how to mitigate them.
If this new Cyber Insurance Policy review and monitoring is employed, then the organisations’ cyber insurance policy costs would be significantly reduced and their cyber security would be substantially improved.
For more Information Contact: info@cybersecurityintelligence.com