The current situation regarding Cyber Risk Insurance
In March 2015, Marsh published a report titled “UK Cyber Security – The Role of Insurance in Managing and Mitigating the Risk” in conjunction with HM Government. It reveals a number of interesting statistics and provides a solid analysis of the current situation – given that the World Economic Forum included cyber attacks in the top ten global risks in 2015.
The continuing commercial evolution of the Internet has increased the reliance of many businesses on technology. The extent to which this has happened can be demonstrated in the number of online businesses who have no bricks and mortar presence. To attack a traditional business, without an online presence, requires the attackers to be physically present in some way – and physical safeguards such as locks and alarms are well understood by the insurance industry.
However, cyber attackers can be located anywhere in the world – and often remain invisible to the target of the attack for some considerable time, both during and after the attack. Additionally, legal jurisdiction can be much more complex due to the lack of international laws or agreements governing cyber security. In many cases, it can be unclear who’s responsible for dealing with an attack originating from another country, and which country’s laws would apply.
Technology is continuing to grow, providing both faster processing and greater functionality, almost on a daily basis. Further complexity is also introduced by the intercommunication between the different technology solutions required to enable cross-selling or provide straight-through processing in order to improve the effectiveness of business processes. All of this means that the potential attack surface is constantly changing and often increasing.
This is reinforced by the “2014 Information Security Breaches Survey” – produced by the UK Department of Business, Innovation and Skills – which states that 81% of large businesses and 60% of small businesses suffered a cyber security breach in the last year. While both statistics were marginally down on the previous year, the financial impact of these breaches is estimated to have doubled year on year – with the average cost of the worst breach increasing to between £600k and £1.15m for large firms, and £65k and £115k for small firms.
In their report, Marsh established that only 52% of CEOs thought that their firms had insurance against cyber risk. Further analysis by Marsh concluded that, in reality, less than 10% of CEOs were actually covered against cyber risk in their current insurance policies. Whilst this is clearly a challenge to the insurance industry, it also presents them with a huge opportunity.
The challenge of insuring cyber risk
The insurance industry has traditionally relied on actuarial data to statistically calculate the risk – and consequently determine the associated insurance premiums. In relationship to cyber risk, this presents two challenges:
Firstly, the availability of accurate data on cyber attacks and breaches is extremely limited as many organisations do not want to publicise these events, if they can avoid doing so. There are a number of reports, largely produced by technology vendors, which attempt to summarise the overall position. Typically, it is only the most high profile cyber security breaches that are newsworthy and are drawn to the public’s attention. This means that historic data is unlikely to be available in sufficient quantity to be able to draw any meaningful statistical conclusion.
Secondly, the speed at which the cyber landscape is evolving and changing presents a significant challenge, and yesterday’s technology vulnerabilities are not the same – or even representative of those that we will be facing in the future. Past cyber attacks bear little relevance to future cyber attacks because of the speed at which the technologies, attack surfaces and threats are evolving. Therefore, the traditional approach of relying on historic data cannot work.
A new approach will need to be simple and consistently measurable.
In the Marsh report, the authors promote the idea that Cyber Risk Insurance premiums should be linked to a recognised Information Security framework – and clearly differentiate between small and large firms.
Marsh are promoting the use of the UK Government’s Cyber Essentials initiative and certification scheme for small firms. To show their commitment on this scheme, they have already developed cyber insurance cover for SMEs – which includes the cost of Cyber Essentials certification.
Whilst the UK Cyber Essential initiative provides a solid basis for the key safeguards that all organisations should put in place, these are still quite involved and are likely to be complex for small organisations – many of which would not have a dedicated IT Security team. This seems to have been recognised, but as a result the emphasis has shifted towards focusing on the technical safeguards – which are likely to be better understood across broader IT communities. However, it remains unclear how some of the various controls with the UK Cyber Essentials framework will be measured, which may lead to further confusion.
For example, one of the Patch Management requirements in the Cyber Essentials states that updates “… should be installed in a timely manner e.g. within 30 days of release …”. Not only is the requirement wide open (would within 45 days of release be adequate for some organisations? or should it be 15? and who decides? and for what technology?), but more importantly, how do you determine compliance? Would an organisation that deploys patches in a timely manner on 83% of its infrastructure be deemed “Cyber Essentials Compliant” on this point? Or should the threshold be at 90%? Or at 75%? Surely those are questions for the certifying bodies, but would they all apply the same logic – across all small firms and all industry sectors?
For large firms, Marsh suggest that insurers benchmark firms against one of the established Information Security frameworks – such as SANS Top 20 Controls or National Institute of Standards and Technology (NIST) Cyber Security Framework. The extent at which large firms are adopting these frameworks heavily depends on the complexity of their implementation. The Marsh report identifies that large firms have been actively trying to protect themselves against cyber risk but significant risks still remain.
This reflects the field experience of Corix Partners. In our experience, this is often an issue caused by an excessive tactical and technical focus on short-term issues – often audit or compliance driven. Instead, the focus needs to be on the threats to a firm’s business assets, the necessary controls to protect the firm against these threats and the long-term transformational actions required to put those in place.
Why Cyber Risk Insurance is likely to be a game changer
The insurers are keen to create a viable market, where the premiums are attractive, without creating a massive list of exclusions – which could render the policies pointless or result in the insurers being accused of mis-selling.
The insurance industry has the opportunity to compel organisations to take actions to actually increase the protection of their information assets and their longer term health.
Historically, Information Security decision making has been driven – in many organisations – by the short-term need to correct issues identified through audit or compliance activities. These findings were often very technical in nature, and not necessarily associated with the activities that will provide the greatest improvements to better protect the organisation against the threats that it really faces. In many cases, they were simply “low hanging fruits” – picked up by auditors with no real life field experience, and were often perceived by IT Management (at best) as purely theoretical – or (at worse) as irrelevant. Doing the bare minimum to put ticks in boxes, or window-dressing existing situations, became the rule of the game on these matters with middle management in a number of organisations.
With the emergence of a number of affordable Cyber Insurance products, the game changes and the days of paying lip service to Information Security – as well as simply putting ticks in boxes to satisfy auditors or compliance – may have to come to an end. Insurers can be expected to ask for evidence that Controls were demonstrably in place, prior to a breach, before paying up – and will actively challenge their clients on that. The Zurich American Insurance Co. v. Sony Corp. of America et al case demonstrates that insurers will challenge as to whether specific cyber attacks are covered by their insurance policies.
John Vincent of Broadgate Consultants stated “Demonstrating that a company takes information security seriously is all about good governance and best practice” in his article titled “Cyber insurance is a growing market in the UK”.
It is in the best interests of all organisations to focus on improving the actual protection of their information assets, rather than allowing the Information Security agenda to be solely driven by short-term audit or compliance considerations. By taking a structured and strategic approach to Information Security, an organisation will resolve the underlying root causes of the Security problems it faces – providing better protection over the long term. This goes beyond the requirements to resolve specific audit points and will also prevent the similar issues from recurring every few years.
An organisation that is used to paying “lip service” to Information Security, merely to satisfy their auditors or regulators, may find that insurers are “a more difficult nut to crack” when it comes to demonstrating that specific controls were actually in place after a breach. By then, damage might have been done – with possible financial or reputational implications, and there might be few places to hide for the CIO.
Find out more about how your business can truly protect its future from cyber threats by contacting Corix Partners. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.