Insurance can complement a considered cyber security strategy

Hacktivists and criminals are always seeking and discovering new ways to exploit vulnerabilities.

Although most organisations work hard to remain one step ahead of attackers, in truth we will never be able to prevent every potential attack. New threats are developing as fast as the technology to prevent them, in a worrying game of cat-and-mouse.

In light of these facts, two things are becoming clear to businesses of all types and sizes.

First, if you suffer a breach, it will cost you. According to the NTT Security '2017 Risk:Value report', an annual study of business decision-makers' attitudes to risk and the value of information security to global organisations, the average cost of recovering from a security breach for UK organisations is £1.1 million – above the global average of £1 million.

Second, you will suffer a breach. In fact, 63% of respondents in the Risk:Value report agree that a data breach is inevitable at some point. Interestingly, only 47% say preventing a security attack is a regular board agenda item, suggesting that more still needs to be done for the issue to be taken seriously at a boardroom level.

Estimates have put the global cost of online crime at more than $400 billion a year, and growing constantly. The range of threats is expanding and growing more complex, encompassing cloud technologies, applications, services, mobile devices, the Internet of Things and more.

Take it seriously

When responding to the growing number and variety of threats, and the rising cost of addressing them, businesses tend to follow a predictable pattern. Some deny the risk exists or question its validity. Others take token steps towards prevention that actually have zero effect on their risk exposure.

A third and growing group, however, take these threats seriously – and even after making an effort to increase their security and risk posture, consider purchasing cyber-insurance policies to offset any remaining exposure. In fact, the 2017 Risk:Value report reveals that 40% of global firms took policies out this year, with another 35% considering it.

Cyber insurance is designed to provide coverage for an organisation's liabilities – internal and external – in the event of a breach, but because this is still a new and developing market, both purchasers and underwriters face a range of new demands and problems.

For businesses, these demands include understanding the true risk, taking specific measures to address that risk, and determining exactly what an insurance policy is expected to cover.

With these in mind, it is critical that businesses take three important actions before even considering, let alone purchasing, cyber insurance.

Survey the land

Before an insurer will underwrite a cyber policy, the organisation must first show a complete understanding of its risk exposure, as well as the true need for protection.

This knowledge validates an organisation's seriousness when it comes to cyber security and will allow insurers to create a policy that is relevant to that particular type of business.

A comprehensive risk assessment, whether done in-house or by a third-party contractor, will highlight gaps in security and critical areas of risk that may need immediate attention.

The assessment will help an organisation prioritise actions and develop a strategic plan for ongoing risk management, including a timeline for required actions.

The company can then share this with a potential insurer to show it takes information security and risk management seriously – including at a senior level.

Supplement, not replacement

No insurance policy is a complete security solution, and it is certainly not a licence to be reckless.

Policies are written to avoid covering high-impact scenarios that could easily have been prevented, such as an individual sending someone a lot of money without a full vetting process or any secondary validation.

Like any other insurance policy, cyber coverage is not a replacement for preventive security measures. Therefore, insurers will demand that certain steps be taken and measures implemented prior to even considering writing a policy.

Organisations that are serious about addressing risks are those that implement a security framework that includes both technology and process controls to prevent breaches. They consider an insurance policy as a supplement to, rather than a replacement for, the risk-based security program they have put in place.

The importance of having preventive measures in place before looking to insure assets cannot be overstated.

The fine print

As with any type of insurance, there are many different types of cyber policies with varying levels of coverage. Therefore, it is vital that an organisation reads the fine print and understands just what each policy covers and, more importantly, what it does not cover.

For example, 45% of respondents in the Risk:Value report said they thought poor system patching could invalidate their insurance, while non-compliance issues were also flagged by respondents as possible barriers to insurance.

Unfortunately, businesses often take out cyber-insurance policies without performing this due diligence or researching the range of available policies, what they cost and what they actually cover. Because this is a new and evolving area of the insurance sector, there is no standard policy language for cyber insurance in place.

One important coverage consideration is whether data held by a third party or stored in a cloud service is covered. It is also crucial to understand what actions – or inactions – could invalidate a policy.

These could include failure to follow security updates, breaches initiated from an employee's personal devices, former employees still having access to company systems or applications, as well as other factors – many of which an organisation may not even think of.

Given the complexity of these agreements, it is a good idea for organisations to hire a law firm or a specialist to review any policies.

Under siege

In the modern world, businesses of all types and sizes necessarily rely on their IT infrastructure. At the same time, given the sophistication and relentlessness of today's hackers and attackers, networks are constantly under siege.

As a result, the convenience and efficiency enabled by connectivity introduce risks such as business interruption, financial loss, drops in share price, reputational damage, and more if a corporate network is breached.

In our global Risk:Value report, UK respondents predicted that a data breach would have a big impact on their organisation's revenue, by as much as a 9.5% drop – although slightly better than the global average of nearly 10%.

They also estimated it would take, on average, 80 days to recover from an attack, almost a week longer than the global average of 74.

Businesses should seek cyber-insurance coverage to supplement, not replace, strong network security technologies and practices, and to reduce the impact of a breach. But only those companies that take these three key actions before they buy will be sure they are getting what they think they are paying for.

Christopher Camejo is director of threat and vulnerability analysis at NTT Security