Findings from the recently published 2020 Unisys Security Index survey for India indicate that family health and other aspects of the current health crisis have taken precedence over concerns about the risk of a data or security breach while working remotely, with only 32% of respondents seriously concerned about this issue. Contrast this with the spike in cyber attacks during the pandemic and you get a sense of the challenge facing organisations. While cyber attacks are increasing in number and intensity, organisations have limited control over their IT landscape because most of their employees, if not all, are working remotely. With the threat landscape expanded by the move to working from home, many businesses are now seriously looking at cyber insurance as a means to transfer some of their cyber risk.
Cyber insurance transfers part of your cyber security risk to an insurer: if a covered cyber security incident occurs, the insurer bears the resulting financial loss. The incident can take many forms, from an attack by a hacker to an unintentional release of data by an employee. The specific events covered are set out in the insurance policy, which must be reviewed carefully to ensure the right types of events are covered. Note that insurance transfers the financial consequences of an incident, not your obligations to customers or regulators. Cyber insurance would typically provide cover for the following losses resulting from a cyber incident:
* Public relations expense
* Replacement/restoration of electronic data
* Website publishing liability/media liability
* Security breach expense
* Business income and extra expense
* Programming errors and omissions liability
* Extortion threats
* Data breach or security breach liability
Third party risk deserves particular attention. This applies when a breach originates with one of your third party suppliers and then leads to a breach within your organisation. This is becoming a common area of risk, and organisations must specifically check whether these types of events are covered. Organisations should also check whether they are covered for an event where they are breached and this leads to a breach in their downstream clients. Cover is needed for third party losses in both directions: where you are a victim of your supplier's breach, and where your client is a victim of yours.
It is critical that organisations carefully assess their policy for adequate coverage. This must include review of:
* Types of cyber incidents covered and the definition of a cyber-event
* Types of losses covered and the definition of each
* Most importantly, the level of cover, i.e. the amount that will be paid out in the case of a loss, together with any excess (deductible) and any per-category sub-limits that reduce the effective payout
The last bullet above is critical. Most organisations do not have a robust way of determining the right level of cover. To do this, an organisation needs to understand its residual risk for cyber security events: the risk that remains after appropriate cyber security controls have been implemented. This needs to be quantified in monetary terms and should form part of the organisation's usual risk management procedures. Once the organisation has assessed its cyber risk and implemented appropriate controls to reduce it to an adequate level, it can estimate the residual risk and transfer that to an insurer. Mitigating all of the risk will generally be uneconomical. Correct risk management practice is to bring the risk down to within the organisation's risk appetite and transfer the remainder. What matters here is to estimate the residual risk accurately and not just pick a number. A realistic estimate needs, for each plausible incident type, how likely it is in a year and what it would cost after controls; the amount to insure is then driven by the bad year rather than the average one, because an average-loss figure says nothing about whether the business survives the worst case. What you want to avoid is buying the wrong level of cover and being left out of pocket after a cyber incident. The whole point of cyber insurance is to ensure survivability in monetary terms by obtaining cover for the losses discussed earlier. Inadequate cover can have disastrous consequences if uninsured losses exceed what the business can absorb, endangering its survival.
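One way to put numbers on the residual risk argument above, as an added illustration rather than anything from the original article: a small Python model that estimates inherent and residual expected annual loss for a few constructed incident scenarios, then sizes cover from the simulated bad-year loss instead of the average. The scenarios, probabilities, loss ranges, control effects and the 100,000 risk appetite are all assumed for illustration, and the scenario-based Monte Carlo approach is one common quantification method, not one the article prescribes.

```python
"""Residual cyber risk in monetary terms: a constructed, illustrative model.

Each scenario has an annual probability of occurring and a loss range if it
does. Controls scale probability and/or impact; what remains is residual
risk. Expected annual loss is computed deterministically; a seeded Monte
Carlo run gives the tail (e.g. 1-in-20-year) loss, which is what the cover
should be sized to. All figures below are assumed for illustration.
"""
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float   # chance of at least one occurrence per year
    loss_low: float             # loss if it occurs (currency units)
    loss_high: float


# Constructed inherent (pre-control) scenarios; numbers are illustrative only.
INHERENT = [
    Scenario("ransomware", 0.15, 200_000, 2_000_000),
    Scenario("supplier breach propagates to us", 0.10, 50_000, 500_000),
    Scenario("employee releases data unintentionally", 0.20, 20_000, 200_000),
]

# Assumed control effects: scenario -> (probability factor, impact factor).
# e.g. offline backups do not stop ransomware but cut the loss to 40 %.
CONTROLS = {
    "ransomware": (0.5, 0.4),                                # MFA/patching + backups
    "supplier breach propagates to us": (0.5, 1.0),          # least-privilege supplier access
    "employee releases data unintentionally": (0.5, 0.5),    # DLP + training
}


def apply_controls(scenarios, controls):
    """Return residual scenarios after scaling probability and loss range."""
    out = []
    for s in scenarios:
        p_factor, i_factor = controls.get(s.name, (1.0, 1.0))
        out.append(replace(s,
                           annual_probability=s.annual_probability * p_factor,
                           loss_low=s.loss_low * i_factor,
                           loss_high=s.loss_high * i_factor))
    return out


def expected_annual_loss(scenarios):
    """Deterministic expected loss: sum of probability x mean impact."""
    return sum(s.annual_probability * (s.loss_low + s.loss_high) / 2 for s in scenarios)


def simulate_annual_losses(scenarios, trials=20_000, seed=1):
    """Seeded Monte Carlo: total loss for each simulated year, sorted ascending."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.annual_probability:
                total += rng.uniform(s.loss_low, s.loss_high)
        losses.append(total)
    losses.sort()
    return losses


def loss_at_percentile(sorted_losses, pct):
    """Loss not exceeded in a fraction `pct` of simulated years (e.g. 0.95)."""
    idx = min(len(sorted_losses) - 1, int(pct * len(sorted_losses)))
    return sorted_losses[idx]


def recommend_cover(scenarios, risk_appetite, pct=0.95, trials=20_000, seed=1):
    """Cover needed so that, in a year at the chosen percentile, the amount
    the business absorbs itself stays within its risk appetite."""
    tail = loss_at_percentile(simulate_annual_losses(scenarios, trials, seed), pct)
    return max(0.0, tail - risk_appetite)


if __name__ == "__main__":
    residual = apply_controls(INHERENT, CONTROLS)
    print(f"inherent expected annual loss: {expected_annual_loss(INHERENT):,.0f}")
    print(f"residual expected annual loss: {expected_annual_loss(residual):,.0f}")
    # Assumed risk appetite: the business will absorb up to 100,000 in a bad year.
    print(f"cover to buy (95th percentile year): {recommend_cover(residual, 100_000):,.0f}")
```

The deterministic part shows what controls buy you (expected loss drops from 214,500 to 52,250 with these assumed figures); the simulated 95th percentile year, minus the retained risk appetite, is the figure to take to the broker, and it is well above the expected loss because one bad ransomware year dominates the tail.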
As with any insurance policy, the insurer will expect the insured party to keep its house in order. For cyber insurance this means basic cyber hygiene, i.e. having at least basic controls in place to protect your cyber assets. The expected level of hygiene varies from insurer to insurer, so check with your insurer what is expected; the questions asked in the proposal form are a good guide, and an inaccurate answer there can give the insurer grounds to refuse a payout after a cyber event. Similarly, the insurer will expect you to keep the good guys in and the bad guys out, i.e. to have effective access control, and you must be able to demonstrate this in line with what the insurer expects to avoid any issues when claiming.
With the threat landscape growing rapidly, cyber insurance is becoming a necessity. It is critical to have the right level of cover and the right cyber security events covered, and to follow basic cyber hygiene and access control practices, so that there are no issues when claiming for cyber security related losses.