Cyber insurance is a growing market in the UK. Although it has been on the rise in the last few years, it still lags way behind the US, which has a far more advanced cyber insurance market. The main reason for this is legislation. In the US, most states require by law that a security breach be publicly disclosed. As we all know, the financial consequences of having to declare a breach publicly are far reaching, so US companies seek to mitigate their losses using dedicated stand-alone cyber insurance.
In the UK it is a rather different story:
- Only public sector companies are required to disclose a security breach, and there is no specified time limit for doing so
However, the situation is about to change with the implementation of the new European Directive on Data Protection, expected to come into effect in 2016. This reform will radically alter the security landscape in Europe:
- It states that all data breaches must be disclosed within a specified time limit of 72 hours
- Failure to do so will incur a heavy fine of 5% of annual turnover or EUR 100M, whichever is the greater
Some see this EU Directive as the silver bullet for the growth of the UK cyber insurance market. It significantly changes the rules of the game, and UK businesses will be looking at ways to deal with the potentially devastating effects of such a public admission. The fact is that no company can ever completely protect itself from suffering a breach. What it can do is take measures to limit the chances of one and to mitigate the potentially financially crippling effects.
This is where cyber insurance comes into play.
Many businesses make the mistake of thinking that their current insurance policy will cover them for a cyber incident – in many cases it will not. Companies need a dedicated stand-alone cyber insurance policy that is right for them. However, taking out a cyber insurance policy may not mean that they are fully covered for all eventualities.
One of the problems with cyber insurance is that the business looking for the insurance does not know what it is that it needs to insure in the first place. Every company must establish its “Crown Jewels” – i.e. know what its most critical information assets are. This is an absolutely essential first step to ensuring the right insurance cover is applied for.
It is critical too, on the other side of the deal, that the insurance company is clear on what it is actually insuring against and understands its liabilities. Insurance companies are not experts in information security or the technology involved. Couple that with the fact that they have very little statistical data on cyber incidents, and it becomes very difficult to build an accurate risk profile.
The question is: how does an insurer find out that a business is risky in terms of cyber insurance?
In the absence of data on cyber incidents, the onus is therefore on the client to establish how prepared they are to protect their information, how likely they are to suffer a breach in the first place, and what measures they have in place to reduce the financial impact.
- Robert Hartwig, President of the Insurance Information Institute, described assessing cyber insurance risk thus: “this is like insuring aircraft in 1915!”
The result of this difficulty, and of the sometimes vague policy language, is disputes in the courtroom when policy holders make a claim.
An information security audit is the key. This way both the insurer and the client can see exactly what it is they need to cover. As a business looking for insurance, you must show that you have done everything you can to limit the possibility of a security breach and to limit the effects when one happens.
Demonstrating that a company takes information security seriously is all about good governance and best practice. In the absence of any legally binding compliance or regulation, companies must look to the various types of guidance available and adopt an approach which best suits the needs of their business. The UK Government was so concerned about this lack of common guidance that it published its 10 Steps to Cyber Security, an easy-to-follow checklist that any business can adopt to improve its information security.
Subsequently, this has been followed with the launch of its Cyber Essentials Scheme. This is a recognised cyber assurance certificate which the government hopes businesses will use as a baseline standard for their information security. By undertaking the Cyber Essentials Assessment and passing, companies can demonstrate to the insurer that they have adopted an effective good governance strategy and take cyber security seriously (if we adopt a baseline against which insurance companies can assess risk, this will greatly improve the insurance process for both sides).
The cyber security challenge is something that crosses many parties and is firmly on the agenda of world leaders. Recently, President Obama was quoted as saying:
“Just as we’re all connected like never before, we have to work together like never before, both to seize opportunities but also meet the challenges of this information age”
Of course, cyber insurance alone is not enough to win the information security war. What is needed is a broader strategy that companies must adopt in managing the risk, regularly reviewing the processes, procedures and technologies in place to ensure that they are keeping pace with changing times.
Insurance must sit alongside that strategy, to be there when all else has failed!
Article by John Vincent, Broadgate Consultants
The opinions expressed by guest bloggers are their views and do not necessarily reflect the opinions of Corix Partners.