A Marsh Risk Management Report entitled "Benchmarking Trends: Interest in Cyber Insurance Continues to Climb" shows that the market for cyber insurance continues to grow apace. According to Marsh, demand for Cyber Risk Insurance grew by 21% across all industries compared to 2013, and early indications for 2014 appear to confirm continued growth.
Given the EU Data Protection Directive and its forthcoming translation into national laws, perhaps this increasing interest in insurance should come as no surprise. After all, once corporations are obliged to disclose data breaches and notify affected individuals, the costs of dealing with the consequences can rise sharply.
Information security professionals have been driving the message home for some time now that a successful breach is not a question of "if" but the racing certainty of "when". In fact, in several of my own presentations I have been encouraging CISOs and Risk Managers to change the basic assumption behind their security architecture: to move away from the assumption that you are building security with the express aim of keeping the bad guys out, and instead to accept that the adversary is already within your network and that your goal is two-fold: to be aware of the intrusion as soon as possible, and to make it very difficult for the attacker to leave with what they came for.
In scenarios such as this, and in an age of mandatory and costly breach notification, the increasing appetite for cyber insurance is no surprise. If a risk cannot be avoided or accepted, then risk transference, or insurance, becomes the best option. Here are five key points to consider when investigating the cyber insurance market.
- Your current policy probably won't cover your cyber risks. It may offer some cover (a business interruption policy, for example, might cover lost profits), but it will not cover the costs of cleaning up and tightening security in the wake of a breach, nor will it cover reputational damage or notification costs.
- Check yourself out before asking for insurance. A mature, documented collection of security policies that are enforceable and monitored will not only help to lower your premiums, it may well save you from being refused cover in the first place, as several large UK power companies recently discovered.
- Shop around. Some insurers have been offering cyber risk insurance for many years now and their offerings are mature, well thought out and cost-effective, whereas others are very new to the field. Premiums and coverage will differ widely as a result.
- Be prepared to be audited and advised. You are transferring your risk to your insurer, and they will want to know what level of risk they are assuming. Cyber Risk insurance is no substitute for effective security: just as your vehicle insurance cover is significantly reduced if you drive drunk, your cyber risk policy may well mandate certain technologies or processes.
- Understand the post-event support that you are paying for as a part of the contract. Smaller enterprises may want a single point of contact and third-party agencies that handle investigation and clean-up, while larger ones will prefer to use their own teams and simply take direction from the insurer. These options are not cost-neutral. Every policy can be as unique as the business that it supports, and your cyber risk policy should be designed to mirror the risks specific to your business. This is not an off-the-shelf marketplace.