Companies Are Buying Cyber Insurance 'in mad panic'

Uploaded on 2018-01-24 in NEWS-News Analysis, FREE TO VIEW, BUSINESS-Services-Financial

With cyber-attacks increasing in frequency and severity, many companies are turning to insurance to cover their mounting losses. But can insurers quantify the risk accurately and could insurance lead to corporate complacency?
Many firms feel like they're under siege.

Cyber-attacks are coming thick and fast and the tools at the hackers' disposal seem to be getting more, not less, powerful.
Estimated annual losses from cybercrime now top $400bn (£291bn), according to the Center for Strategic and International Studies. The cost in lost productivity of last year's WannaCry ransomware attack alone was estimated at $4bn. So many businesses are buying cyber insurance "in a mad panic", warns Charl van der Walt of SecureData, a cyber-security company.

"Unfortunately this will mean that businesses of all sizes will seek out the minimum cyber-security investment laid out by insurers, government, and regulators, rather than going above and beyond to protect their own, and their customers' data."

Ransomware attacks, whereby criminals break in to your network, encrypt all your data, then demand money in return for the decryption key, are particularly virulent. Firms have even been stocking up on Bitcoins, the hackers' cryptocurrency payment of choice, to pay the ransoms. It's not just the immediate ransom costs they have to worry about. There are the costs of investigating and closing the breach, legal and public relations costs, the damage to your share price as consumers and clients lose confidence, and the loss of business resulting from a damaged reputation.

There are also potential regulatory fines to pay, particularly when the European Union's General Data Protection Regulation (GDPR) comes into force in May. Under the new rules your firm could be fined up to 4% of turnover or €20m, whichever is the greater, if regulators think you haven't protected customers' personal data adequately.

The average cost of a cyber breach was $349,000 in 2017, according to NetDiligence, whose data is based on actual cyber insurance claims. For a big company the average cost was $5.9m.

But US retailer Target, which had more than 40 million customer credit card details stolen in 2013, had to fork out $279m in total as a result of the breach, says specialist insurance market Lloyd's of London in a report compiled with consultancy KPMG and international law firm DAC Beachcroft. Around $100m of that was on lawsuits.

Telecoms company TalkTalk suffered losses of nearly $100m after its breach in 2015, says Lloyd's, and this included a £400,000 fine from the UK Information Commissioner's Office.

So it's perhaps little surprise that interest in cyber insurance has spiked recently.

The number of insurers offering cyber insurance via Lloyd's of London has leapt to more than 70, nearly double the number a few years ago. And insurance giant Allianz predicts that global cyber insurance premiums will grow to $20bn by 2025, up from around $3-4bn now. 

One insurer, Hiscox, says it has been enjoying robust growth in its cyber insurance business, particularly following the TalkTalk breach and as GDPR approaches.

"We're seeing annual growth of around 40% in cyber," says Gareth Wharton, chief executive of cyber at the insurer. "We expect to have taken around $100m in premiums in 2017."

But how do insurers know how to assess cyber risk accurately and set the right premium levels? "Cyber isn't like car or house insurance where the risks are known and the products haven't changed that much," says Mr Wharton. "The types of risk are changing all the time and there's no easy way of quantifying the cost of stolen data." So it's up to the insurer to make sure the client is an acceptable risk, he says.

"Firstly we need to understand how seriously the board takes cyber-security," says Mr Wharton. "Does it have a disaster recovery plan and how often does it test it?" 

The firm checks obvious security measures, too, such as the presence of antivirus and firewall protection, the frequency of software updates and data back-ups, and whether critical data is encrypted, he says. 

"We're trying to be a partner with our clients, not just a seller of insurance, so we offer free cyber security training as well. We have a responsibility to drive up standards and encourage better practice."

While there are several recognised ISO [International Organisation for Standardisation] standards covering various aspects of information security, there isn't one catch-all standard that global businesses can adopt to help insurers assess their cyber risk. 

The UK government insists that any company it does business with has to conform to the Cyber Essentials standards set by the National Cyber Security Centre. That's a start at least. "One of the biggest issues in cyber insurance is how to price it effectively and cover indirect as well as direct costs a company suffers following a cyber-attack," says Nik Whitfield, chief executive of Panaseer, a cyber risk assessor. Firms seeking insurance would be happy to be assessed in the hope of securing lower premiums, he argues.  

"Such a service would be the equivalent of a telematics box in your car which tells the insurance company how well you're driving."

But if firms see cyber insurance merely as an excuse to skimp on their cyber-security defences, they could find themselves in trouble, he warns. "Businesses must understand that cyber insurance is not a silver bullet, you don't get car insurance and drive like a maniac," he says.

BBC:    Image: Nik Youngson

You Might Also Read: 

Cyber Risk Insurance: A View From The Prudential Regulation Authority:

Insurance Will Reduce Cyber Losses:

Cyber Security Insurance:

 

 

« What Is Fog Computing?
World Economic Leaders Fear Increasing Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

2|SEC Consulting (2-SEC)

2|SEC Consulting (2-SEC)

At 2|SEC Consulting, we deliver an end-to-end service of cyber and information security solutions which are tailored to each client’s exact security needs.

Herjavec Group

Herjavec Group

Herjavec Group's Managed Security Services practice defends your organization from increasingly sophisticated, targeted cybercrime threats.

Vera Security

Vera Security

Vera is a data security platform that provides 360-degree visibility and control over critical business data, anywhere it's shared or stored.

Progress Flowmon

Progress Flowmon

Progress Flowmon (formerly Flowmon Networks) provide high performance network monitoring technology and behavior analytics to enhance network performance and deal with cyber threats.

Cyber Academy

Cyber Academy

Cyber Academy is one of the first institutions in the SE Europe region that provides a hands-on program in cyber security, blockchain and AI.

Data Terminator

Data Terminator

Data Terminator provide a comprehensive range of secure data destruction equipment and services are in compliance to US Department of Defense (DoD) and National Security Agency (NSA) standards.

Kindus

Kindus

Kindus is an IT security, assurance and cyber security risk management consultancy.

Ribbon Communications

Ribbon Communications

Ribbon Communications delivers global communications software and network solutions to service providers, enterprises, and critical infrastructure sectors.

guardDog.ai

guardDog.ai

guardDog.ai has developed a cloud-based software service with a companion device that work together to simplify network security.

Conversant Group

Conversant Group

Conversant Group is an IT infrastructure and security consulting company, providing technical, organizational, procedural, and process consulting internationally.

MDSec

MDSec

MDSec is a consultancy with a passion for information security. Our consultants specialise in application, mobile and hardware security and targeted red team attacks.

Celebrus

Celebrus

Celebrus Fraud Data Platform, by D4t4 Solutions, works with existing fraud structures to augment functionality and turn fraud management into true fraud prevention.

Rausch Advisory Services

Rausch Advisory Services

Rausch delivers solutions that address compliance, enterprise risk, information technology and human resource capital.

Avocado Consulting

Avocado Consulting

Avocado helps clients deliver with certainty on their complex IT change, with technology services that automate, monitor and optimise.

Obrela Security Industries

Obrela Security Industries

Obrela Security manage cyber exposure, risks and compliance. We identify, predict and prevent cyber threats in real time. As a service, personalised, on demand.

RIoT Secure

RIoT Secure

RIoT Secure AB is a technology enabler within the IoT industry - created with a vision to ensure security technology exists in the foundations of software development for IoT solutions.