Sam Lascelles and Mark Riley
18 June 2014
Digital information is fundamental to businesses; it’s at the core of what they do and allows them to operate effectively.
Without this digital information, businesses could not build the commercial advantage that lets them outperform and outgrow competitors and become more efficient, while continuing to meet their regulatory and legal requirements.
Yet the volumes of digital information compromised through cyber attacks continue to rise, with major brands still losing sensitive data and falling victim to cyber criminals.
The issue has become so serious that the Lloyd's Risk Index 2013 now ranks cyber risk alongside high taxation and loss of customers as one of the three biggest concerns for senior executives.
Recent years have seen a growing demand for specialist cyber insurance to cover cyber breaches, including the cost of putting things right after an incident, and handling fines and civil claims.
A report by broker Marsh shows that the number of companies buying cover increased by a third between 2011 and 2012.
Yet despite these developments, many firms still do not make insurance part of their cyber security strategy. Only $500m worth of cyber-related premiums were paid in the US in 2013, and the market is even less mature in Europe.
As the threat of cyber attacks continues to grow, we think the turning point is due. Private sector organisations must make insurance against cyber attacks an integral part of their cyber security strategy.
Cyber risks are dynamic and uncertain
In its Global Risk Report 2013, the World Economic Forum placed cyber attacks among the greatest global risks. In effect, this means that cyber attacks should be viewed in the same way as other accidental or third-party risks (such as health and safety or extreme weather).
The emergence of cyber insurance gives organisations the option to transfer some of this risk. Before, their only options were to mitigate, accept or avoid it. This classic risk management treatment needs to be at the heart of an organisation’s cyber security strategy. CISOs must act (and be recognised) as adept risk managers, not just system implementers.
100% protection is expensive, impossible and potentially counterproductive
Organisations that get the basics of cyber security right can protect themselves from a significant proportion of attacks. UK government advice suggests that 80% of cyber attacks can be mitigated by following their recommendations for establishing a basic level of "cyber hygiene".
Achieving higher levels of protection, however, is expensive. For specific areas, regulation and industry standards will dictate the required protection levels, but outside of these constraints there comes a point beyond which the effort and investment needed for further protection will not yield a proportionate reduction in risk.
In addition, excessive security controls can reduce an organisation's capability to collaborate effectively and can cause employees to look for workarounds, thus increasing the organisation's vulnerabilities. Cyber insurance gives organisations the opportunity to focus on the areas where they can make the most difference, significantly reducing the chance of a successful attack in the first instance, and then to insure against the residual risk.
Cyber insurance has come of age
As insurers have invested time and resources into understanding cyber risk, the policies available have become more credible and viable. This has been encouraged by governments, which are concerned about the private sector's exposure to cyber risk.
At the same time, the data needed for insurers to model cyber risk more accurately is becoming available through programmes such as the Cyber Security Information Sharing Partnership. In addition, the Centre for the Protection of National Infrastructure recently launched a scheme for approved incident responders, focusing on harm reduction. And the new cyber security standard from the BSI (PAS 555) promotes a risk-led, outcome-based approach.
Together, these factors create a much more informed, supported and mature environment for insurers to provide reliable cover.
Sam Lascelles and Mark Riley are cyber security experts at PA Consulting Group