It’s not just a lack of cyber insurance putting businesses at risk when recovering from a cyber-attack or other cyber incident – some industry experts believe that buying the wrong policy could leave a business vulnerable.
The cyber risk landscape is constantly changing, and cyber insurance providers are having to adapt their policy offerings to ensure that cover keeps pace with ever-growing threats.
A lack of cyber insurance could be financially devastating for a business, but according to the UK government’s Cyber Security Breaches Survey 2018, fewer than one in ten businesses has a cyber insurance policy.
The 2018 Global Cost of a Data Breach Report, conducted by the Ponemon Institute and IBM, revealed that the average total cost of a data breach is $3.6m (£3m) – in the US the total is $7.9m (£6m).
But it’s not just the lack of a cyber insurance policy putting businesses at risk when recovering from a cyber-attack or other cyber incident – some industry experts believe that buying the wrong cyber cover could leave a business exposed.
Off-the-shelf cover can leave companies exposed
A cyber insurance policy can come with a variety of stipulations around coverage and exceptions, but there are products that claim to protect businesses against cyber-related incidents without any tweaking.
Sarah Adams, senior account executive at business insurance specialist PolicyBee, believes that this kind of off-the-shelf cover is best suited to small businesses.
She says: “The UK’s sole traders and small businesses can buy off-the-shelf cyber insurance policies online that don’t take hours to arrange, won’t cost thousands of pounds, but still offer essential cover.
“If an organisation has a risk exposure that can’t be covered by a standard policy, there’s usually no choice but to opt for bespoke cover.
“Otherwise, an off-the-shelf cyber insurance policy is just as valuable as one designed from scratch.”
Nikolaus Suehr, CEO of insurtech company KASKO, believes that in order to limit the business interruption and reputational damage that comes with a cyber incident, companies should get an expert to check their exposure.
He says: “The first step to avoid these scenarios is not to jump on the first cyber insurance policy that you find, but to contact a cyber risk professional.
“A good cyber professional will not only teach you which threats you can avoid yourself, but map out the steps required to minimise the risk associated.
“Sometimes it might be more cost-effective to transfer the risk via cyber insurance rather than going for zero-tolerance prevention.”
Businesses might not be covered for an accidental cyber incident
Not all cyber incidents are the result of a malicious hacker – in fact, the Verizon Data Breach Report 2018 shows quite the opposite.
The report – which examined over 53,000 incidents and 2,216 confirmed data breaches – claims that only 48% of breaches involved hacking, with 28% involving internal actors.
Chris Hodson, chief information security officer for EMEA at security and systems management company Tanium, believes that cover for accidents is a vital part of the risk exposure for businesses.
He says: “Less than half of all cyber security incidents involve hacking or malware, so if you’re buying cyber insurance to mitigate the impact of information loss or business disruption, you need to consider other causes.
“If you don’t consider accidents in your risk exposure then you’re not giving your board of executives what they ultimately crave, which is the assurance that if an incident occurs, you have an effective response.”
According to Rob Smart, technical director of insurance governance consultancy Mactavish, the variation around this issue is a common cyber insurance policy flaw and something that companies often overlook.
He explains: “Cover for accidents and third-party liability is very inconsistent between cyber insurance policies, despite it being a pretty large part of the risk for most companies.
“A data loss or a system shutdown could be caused by a fat finger from somebody in the IT department.
“Or if it’s an accident caused by a company’s provider – you may not have contractual recourse to them and would need your insurance to pick up the costs.”
A policy could limit a company to the legal minimum response
In the UK, the statutory legal response to a data breach includes notifying the Information Commissioner’s Office (ICO).
In the US, the process varies between states but usually involves reporting a breach to the attorney general or consumer reporting agencies.
An insurer will generally cover the costs associated with this statutory legal minimum response.
But some companies will want to orchestrate a public response very soon after a breach.
According to Mr Smart, the costs associated with this type of response may not be covered by a cyber insurance policy bought without any tailoring.
He says: “A company may want to notify more people than is required as the statutory legal minimum.
“It might want to immediately jump to issue a public relations response before the scope of the attack is necessarily clear, or it might even want to start offering goodwill in the form of discounts to its customers.
“Most companies will have a planned response to a cyber incident, but that won’t always match the level of response covered by a policy.”
Does every business need a standalone cyber insurance policy?
The growing threat of cyber-attacks has led to more businesses purchasing cover, and the trend isn’t expected to end.
British multi-insurer Aon predicts cyber insurance revenues of $4bn (£3.1bn) by 2021.
SME-sized companies are increasingly accepting the need to protect themselves, too, according to business intelligence platform GlobalData.
The company’s UK SME Insurance survey shows a 25% increase in small businesses buying cyber cover between 2014 and 2018.
But according to Mr Smart, not all businesses require a cyber insurance policy to protect them against these threats.
He says: “Every company in today’s world should consider its risk exposures and the impact a cyber event could have on its business – from there a decision can be made on what protection it needs.
“This could mean a standalone cyber policy, but it could also mean extending existing cover so it has very explicit cyber inclusions.
“Cyber inclusions could be negotiated within a policy covering property damage, business interruption, crime or professional indemnity.”
According to Mr Hodson, one context that does present the need for a standalone cyber insurance policy for an SME is a situation where it’s providing a service to a larger company.
He says: “We may start to see large companies that outsource a service to a smaller provider insist upon a level of due diligence to protect the data of customers.
“One element of this due diligence could be a cyber policy.”