Cyber Attacks Can Be Costly - Is Cyber Insurance the Answer?
The WannaCry malware attack in May 2017 marked a new and unsettling aggressiveness on the part of cybercriminals. No previous assault matched the breadth of its impact, which affected hospitals, corporations, and government offices in more than 150 countries around the world. WannaCry caused global financial and economic losses estimated at up to four billion dollars. Additionally, some organizations could still face lawsuits over their failure to secure the previously disclosed Windows vulnerability that the criminals exploited.
Already this year, security breaches have been experienced by U.S. power companies that have publicly acknowledged Russian hacking into their grid systems; U.S. universities that claim to have lost more than 31 terabytes of data; and well-known consumer brands, including a major clothing retail chain from which data pertaining to approximately 150 million customers was stolen, and several other main street retailers.
In the face of threats like these, a recent Ovum survey commissioned by FICO shows that take-up of cyber-risk insurance is growing, with 76 percent of those surveyed having some form of it in place. However, only half of those companies have a comprehensive “all-risks” position, and the survey finds that many are overconfident in their existing threat protection capabilities. Additionally, the 2018 Top Risks survey published by Protiviti and North Carolina State University’s ERM Initiative reported that 61 percent of executives are significantly concerned that their organizations may not be sufficiently prepared to manage cyber threats.
For almost all companies, a comprehensive cyber liability insurance policy is a prudent course of action. Although it should never be a substitute for strong cybersecurity defenses, it can spell the difference between a severely affected and fairly unscathed bottom line in the aftermath of an attack. Before committing to a policy, however, it is important that management teams and their insurance brokers discuss three pivotal issues:
• What kind of cyber liability insurance policy does the company need? Does it need a first-party policy to cover the cost of retrieving data critical to the operation, or does the company possess consumer information that requires protection against third-party lawsuits? Does it need both?
• What amount of coverage does the company want to obtain? This figure will depend on a number of factors, including the size of the company and the type of coverage it needs. To mitigate third-party risk, for example, settlements like those from retailer Target’s data breach could provide useful benchmarks.
• What is the premium an organization is willing to pay? A number of variables should be used to determine this figure, including a company’s earnings, the size of the IT budget, and the operations or data at risk.
Once a company has answered these questions, it can begin to shop for cyber liability insurance. As part of the process, the management team needs to fully understand what the policies cover. But perhaps most importantly, organizations need to understand what the policies don’t cover, which will ultimately indicate whether the policy is worth the expenditure.
Given the sophistication and prevalence of successful data breaches, it is now more important than ever for companies to analyze whether a cyber liability insurance policy should be a part of their overall cyber strategy.