Should cyber insurance be mandatory?

Cyberattacks still plague the internet, leaving waves of personal and financial destruction in their path, but making cyber insurance mandatory would help with reparation, according to Richard Fry, head of information security and risk at Covea Insurance.

It rarely seems like a week passes in which a large company has not been the subject of a new cyberattack. It is worse than it may appear. Only the big companies or major attacks are reported on, meaning there are many more attacks on businesses which people never hear of. This also only accounts for attacks which are found; some incidents can go undetected for months.

Whether an attack has meant customer data has been stolen, or files have been encrypted until a payoff is made, or operations are completely put to a halt, a cyberattack can be detrimental, particularly for a small business.

A recent study from Beaming, an internet service provider, found that in the UK alone, 130,000 small businesses fell victim to cybercrime in 2018 – almost two thirds of companies in the country which employ between 10 and 49 people. The average cost of a cyberattack on these businesses amounted to £65,000 in damaged assets, financial penalties, and business downtime. Small businesses seem to be the most at risk. The total cost of cyberattacks in the UK amounted to around £17.8bn, of which £13.6bn was borne by small businesses.

This financial impact shows how important it is for a company to have certain protections in place. One of these attacks could do serious damage to a business, and suffering several in a year could prove financially devastating.

While there is a clear benefit to having an insurance policy ready to cover any financial damage, most businesses do not use cyber insurance. Fry said that this boils down to two reasons. The first is that the insurance premiums are very expensive, as most are blanket cover and aim to protect everything.

While these policies try to protect everything, they also carry several exclusions which can work against you. For example, some require you to be up to date with vulnerability scanning. These exclusions can be a long checklist, and failing a single item could nullify the whole claim. Establishing strong security controls should ensure the requirements are met, but not all businesses have these. He stated that, “if they’re not going to invest in the security controls then they’re not going to invest in cyber security insurance.”

The other reason companies are not using cyber insurance is simply due to the fact they do not think they need it. They have spent millions on deploying technology which is supposed to protect their network and infrastructure, so why would they pay for insurance on the chance it does not actually work? The simple answer is, cyber-defences are not infallible and new vulnerabilities or attacks are found daily.

He added, “I don’t think some businesses, and certainly some of the C-level people I’m involved with, actually understand the cost of a breach in the longer term. They don’t understand the loss of custom, the loss of credibility within the industry, the financial fines. They are starting to with GDPR and I think that will actually drive out some of the behaviours.”

There are three areas in which a cyber insurance policy would help a business which has fallen victim to an attack: the cost of investigations, the fines the breach may incur, and the cost of remediating customers. Something like loss of data can be hard to compensate for, so a company could offer identity protection insurance to its customers for a year, or monitor their identity for a period of time.

Attacks do happen. A company may be well prepared and have several security measures in place, but this does not mean it is immune. In the event of a data breach and compromised customer identity, Fry believes that a company is obliged to compensate the customer. This means reparations for the loss incurred, but also restoring their credit rating to what it was before the breach. This costs money, and cyber insurance would be there to ease the burden.

Fry believes a potential future for cyber insurance would be to make it mandatory for institutions, in a similar way to car insurance. A business already needs liability insurance for health and safety so that there is compensation for any injuries. Cyberattacks might not leave physical injuries, but they can still cause significant harm to people.

If it is not written into law that a company must have cyber insurance, payment providers could fill a similar role and make it contractual.

“Companies like Visa, Barclaycard, MasterCard could start to stipulate it themselves as part of PCI. You must have insurance that covers you for forensic investigations in the event of a breach, cyber breach.”

Another route insurance firms could take to boost the adoption of cyber insurance would be to offer discounts. He believes a company should be able to bring in a third party to assess its systems and controls and judge what standard they are at. If the company has implemented technology to handle certain types of attack, such as ransomware, or has established data backups, then it should receive a discount on its premium.

Furthermore, the third party should then identify ways the company could improve to earn a further discount. He added, “this gives you that level of discount on top, that would drive the right behaviours because it would actually make business focused on a financial benefit for doing all of this basic stuff. If you look at the breaches and the exploits, a lot of it is just what I class as security hygiene.”

At the moment, policies are quite expensive because they try to encompass every potential attack; however, Fry believes that implementing these discounts could see more companies take policies up. Even a discount on certain aspects of the policy would help: a business might be very well prepared for a ransomware incident but less so for a DDoS attack. This should be reflected in the premium, which should be cheaper than that of a company with poor protections against both.

Fry also believes there are a number of other opportunities in the cyber insurance space which have yet to be realised. He added, “There are some things that you cannot insure against and that’s things like reputational damage but having insurance policies that say we will work with your customers, we’ll provide identity theft protection. I think there are ways of cutting the insurance cake that I don’t think has been explored yet. At the moment it’s a bit of a blunt instrument and a one size fits all.”

One of the opportunities that Fry sees is with cloud services. There seems to be a lack of understanding around cloud technology, such as where data is actually stored, yet there is a lot of risk in using cloud services.

An example of this is the Capital One breach which occurred earlier in the year. A former software engineer at Amazon Web Services, the cloud hosting provider for Capital One, was reportedly able to access the personal information of more than 100 Capital One customers through a misconfiguration of a firewall. Fry added, “That is a risk that businesses take when they work with a cloud provider, that to me is an insurable risk and if they were to work with the cloud providers to actually underwrite some of those risks it would make cloud adoption a lot more palatable to more risk averse businesses.”

Copyright © 2019 FinTech Global
