Cyber insurance is just one tool in the battle against cybercrime

Leading forecasters are predicting a boom in cyber insurance over the next few years - reflecting a growing trend as businesses invest in cover to protect themselves against the threat of cybercrime. However, businesses should not rely solely on cyber insurance or they could face additional operational, financial and reputational risk, warns leading audit, tax and consulting firm RSM.

Cyber insurance generally covers the losses arising from attacks on IT systems and networks and the subsequent loss of data or operations. Its popularity has been rising, particularly after high profile breaches such as WannaCry, as businesses look to offset the risk.

‘However, cyber insurance only provides financial compensation for certain risks when the major business risks are often not insurable,’ David Morris, technology assurance director at RSM explains. ‘Policies may not cover intangible harm such as the reduction in customer goodwill or damage to the brand; and some exclude some types of major attacks like state-sponsored espionage or ransomware.

‘Another typical omission is the cost of incident management related to actually dealing with the fallout from an attack which might include additional PR and marketing spend or the use of specialist firms to fix issues. Organisations that have not checked the coverage may find that they only get some of their subsequent costs covered.’

If a business is attacked, covering the initial costs could be a significant issue as there might be a gap between the claim and the receipt of funds from the insurance company. This could potentially cause serious cash flow issues at a time when a business needs to spend money to recover systems, improve security and deal with the public relations fall-out.

In addition, claiming could be more complex than first expected. A cyber claim might be denied if the insurance company feels that the claimant didn’t do enough to prevent a cyber event. This might include failing to keep systems up-to-date with security patches or staff introducing malware because of inadequate training and education. 

Cyber insurance often comes with a variety of conditional risk management requirements that need to be fully understood and implemented for cover to operate.

Risk management and the quality of the control environment are ever-increasing factors in premium rating. Failing to maintain agreed standards will have a consequential impact on the success of any claim on the policy.

As well as hacking and ransomware, whaling- and phishing-type frauds are not typically covered as standard by cyber insurance, so it's crucial that businesses check the small print. However, some insurers can provide cover for an additional cost.

‘As an additional cost, many organisations will think they are covered in the event of a breach,’ David Morris adds, ‘but this might not be the reality depending on the cover details and the parameters around claiming. In addition, significant players in the insurance market have signalled that the increasing threat of cyber-attacks is pushing up cyber insurance premiums. This naturally presents a cost issue to those organisations that have chosen to rely upon insurance as a control rather than invest in preventative controls.’ 

David continues, ‘Cyber insurance definitely has its place as a tool in the battle against cybercrime but is not a substitute for effective preventative and detective controls. It needs to be used as part of a suite of general and IT controls but must not be seen as a universal panacea that will cure all ills.’

Organisations that are considering or renewing cyber insurance should therefore consider the following questions:

  • Does the lack of cyber insurance represent a significant risk in relation to your overall control environment?
  • Does the insurance provide the coverage that is required?
  • Are the expectations of the insurance company in terms of the security environment that the organisation must provide and maintain clearly articulated?
  • Is the organisation able to maintain its security environment so any future claim will not be invalidated?
  • What does the governing or trade body of the organisation recommend in terms of coverage?