Is cyber-insurance an enterprise essential in a data breach age?
- Summary:
- Increasingly high-profile data breaches have been encouraging insurers to shout about their shiny new, specialist cyber-insurance policies lately. But with a market still so immature, are they really worth forking out money for?
While the insurance industry has started making a lot of noise about cyber-cover over the last 18 months or so, it seems that the din is only likely to grow louder over the year ahead.
This is despite the fact that such offerings have actually been around for at least a decade under the mantle of general liability or business interruption insurance, although they previously did not exist as separate, dedicated products.
But this situation means that between 25% and 35% of organisations already have some sort of cyber-insurance in place, says Juergen Weiss, managing vice president of Gartner’s industry research group, who values the total market at around $1.7 billion last year.
Unsurprisingly though, adoption rates tend to be highest among financial services firms, telcos, pharmaceutical companies, utilities and healthcare bodies, which all hold lots of sensitive customer data.
But interestingly, it is the US that is currently by far the single largest market for such offerings. This is due to the introduction of data breach notification laws in all but three of its 44 states – which make it necessary to inform customers if a security event has occurred – and the litigious nature of its culture, which means that organisations struggle to cope with the high levels of costs involved should a security incident occur.
According to the 2014 Cost of Data Breach Study: Global Analysis undertaken by research body the Ponemon Institute, for example, the average outlay for dealing with each such event last year was $3.5 million, an increase of 15% on the previous 12 months.
But the US-centric nature of the industry could be about to change if the European Union does finally introduce its much-anticipated new data protection legislation in 2016 or 2017, complete with data breach notification laws of its own.
Value for money?
Other drivers for international growth are the high number of mega-incidents that took place last year, including the well-publicised data loss events at Japanese electronics firm Sony and US retailer Home Depot.
They have inevitably led to the issue being catapulted up boardroom agendas across the world as understanding of the financial and brand impact of such attacks mounts.
Nonetheless, it is only over the last few years that insurers have spotted the potential for creating dedicated, specialist cyber-products at all – although the expectation now is that they will form part of a huge future market currently experiencing “double digit” growth rates, according to Gartner’s Weiss.
But such growth still does not detract from the high levels of scepticism out there, with the big question at the moment being: is cyber-insurance actually worth the money?
One of the key concerns here is that the market is still far from mature. One way this manifests itself is in big differences in the nature and quality of policies, which can be subject to high numbers of restrictions and exclusions.
Such a lack of “level playing field” means that the sector is often very confusing for customers, according to Mike Gillespie, founder and chief executive of information security consultancy Advent IM. He explains:
There are a range of policies, but no real benchmark and so it’s very hard to compare them effectively.
Immaturity
Moreover, a lack of clear standards for defining information security risk in an insurance context means that too many insurers offer one-size-fits-all policies based on information provided by customers on forms that are often extremely basic – or, alternatively, bafflingly in-depth. Gillespie lays out the challenge:
To get car insurance, you need a valid driving licence and to declare any points so that they can work out how safe a driver you are. It all goes into a matrix and they calculate the premium from that. But there are no such models for cyber-insurance at the moment.
To make matters worse, IT and information security experts are also frequently simply not included in discussions. But as Mark Brown, executive director of cybersecurity and business resilience advisory at management consultancy Ernst & Young, points out:
Information security professionals really have to be involved as they understand the technical component of risk. The problem is that you can struggle to find many who truly understand business risk and business value chains so it’s difficult.
Another challenge, says Neil Hare-Brown, chief executive of risk management consultancy Storm Guidance, which advises insurers, brokers and customers on all matters cyber-insurance, is professionals’ widespread antipathy to the concept. He explains:
A lot of infosec people are pretty averse to insurance as they don’t think it’s needed. They don’t have any experience of business insurance, which has traditionally been handled by finance directors and company secretaries. So their only experience is of car or house insurance and they’ll say things like ‘it doesn’t pay out’. But it’s simply not true.
A useful tool
In a bid to do something about the situation in the UK, the government has now decided to get involved – a scenario that may well force information security professionals’ hands in future.
As an extension of its Cyber Essentials accreditation Scheme (CES) to encourage businesses to put basic security controls in place, the government has started collaborating with insurers to develop a more effective cyber-security insurance model.
Compliance with CES standards is already mandatory for government departments and all suppliers of IT services to the public sector, and over time its remit is expected to expand to cover cyber-insurance as well.
In the meantime, industry-chaired working groups, which include government representatives, have now been set up and will explore how best to:
- use insurance to drive better cybersecurity practice, especially in small-to-medium enterprises
- model the potential impact of cyber-attacks on UK business and how insurers are likely to respond
- explore the role of insurers in reducing the impact of cyber-attacks on critical national infrastructure.
The working groups are due to report their findings to the Cabinet Office by April. And there is widespread agreement that such activity is positive – as long as it acts as a supplement to, rather than a replacement for, traditional information security controls. Gartner’s Weiss explains:
I think it is worth looking at insurance if you treat risk management from an holistic perspective by examining the risk of occurrence versus the impact. But in no way should it replace good risk management – it’s a complementary addition.
Advent IM’s Gillespie agrees.
Insurance is a useful tool in a toolkit. Everyone can see the reasons for having it, but it can’t be at the cost of ensuring that you have good quality processes, policies and controls in place. The danger is that you buy the premium and forget to do the foundation work, but unfortunately, on their own, they’re just a waste of money.
My take
Caveat emptor.