Cyber insurance is only part of the overall security equation
Recent forecasts put the number of devices connected to the Internet of Things at more than 28 billion in 2017, rising to 34 billion-plus next year. Such astronomical numbers give cyber-criminals an almost infinite number of devices, often poorly protected, to target during attacks.
Globally, authorities are beginning to urge companies to boost their cyber security initiatives, and to adopt cyber insurance. The market for cyber insurance is expected to reach US$7.5 billion in premiums by 2020, fuelled by demand from the finance industry, along with a forecast of new investments from the healthcare industry.
Cyber risks will move up the list of directors and officers (D&O) insurance priorities with the expected introduction of mandatory data breach legislation in Australia in 2017, according to partners of international law firm Clyde & Co, quoted in Insurance Journal. They explained that the law would enhance the potential for financial exposure and reputational damage for the company and directors, who may also incur personal liability.
“Directors will need to ensure that robust cyber resilience frameworks are embedded in their companies, consistent with the expectations of Australia's corporate regulator,” the partners said.
It is good news that companies are taking increased measures by moving toward cyber insurance to underwrite potential losses generated from cyber attacks, such as lawsuits, investigations, and business ramifications from exposed trade secrets. Yet organisations should be aware that although cyber insurance can help to manage losses, it needs to go hand-in-hand with a robust cyber-security infrastructure in order to add real value to business.
Insuring the intangible
Cyber insurance can be likened to fire insurance: most businesses both buy cover and deploy significant detection, prevention and response measures such as fire suppression systems, fire-resistant materials and fire drills. It is the combination of the two, not the policy alone, that gives them the fullest protection against the risk.
Likewise, companies should prioritise the deployment of a strong cyber-security infrastructure that includes robust detection, prevention and incident-response measures. Such a deployment delivers an effective and efficient risk-management plan and also lowers insurance premiums, because insurers price policies on the controls that are actually in place.
Financial services organisations are already making progress to support the distribution of cyber insurance. For example, security-rating services such as the FICO Enterprise Security Score allow cyber-insurance providers to assess a company's cyber infrastructure, measure its risk exposure and forecast the likelihood of security incidents, so that policies and premiums can be tailored to companies with different needs.
The next step is for governments to support the cyber-insurance ecosystem by enforcing mandatory cyber-security regulation. Such legislation benefits the industry as a whole because it sets a minimum standard for any given company's cyber infrastructure, which in turn lets insurers lower their premiums.
As cyber insurance can be a sizeable investment, it is essential for companies to enforce strong cyber-security fundamentals and best practices to get the most from that spending. For example, the financial industry is governed by laws that require banks to retain sensitive customer and transaction information, and holding that data drives higher premiums.
However, for businesses that do not depend on payment transactions, holding customers' payment information is counterproductive. Such companies should consider outsourcing payment handling to a third-party provider, so that card data never touches their own systems, which removes a large share of the risk at a stroke.
A strong cyber-security infrastructure demands more than antivirus software and firewalls. Cyber criminals have long advanced their attack methods beyond these traditional lines of defence, and companies need to upgrade their cyber-security technology to match. Today both public and private sectors should look to Next-Generation Antivirus (NGAV) and Next-Generation Endpoint Security (NGES), which deliver full visibility into endpoint activity to drive their detection and response strategies.
Just as companies conduct regular fire drills to ensure that employees know how to respond appropriately to a fire and minimise the damage, they should rehearse their cyber-security incident-response plan in the same way. Employees at the IT front line should be trained to recognise and contain the initial signs of a cyber intrusion, preventing it from escalating into a major breach.
Only with these preventive and risk minimisation measures in place can cyber insurance truly bring value to an organisation's overall cyber security management plan.