Companies are right to worry about the impact of a data breach – both in terms of short-term financial losses and long-term brand and reputation damage. Our 2017 Risk:Value report reveals that a business would have to spend £1m ($1.3m) on average to recover from a breach.
It’s therefore not surprising to see cyber insurance becoming an increasingly popular way for firms to mitigate the potential financial fall out of a serious service outage or data breach.
The bottom line is that cyber insurance should always be viewed as complementary to but not a replacement for an effective risk-based security strategy. Insurance is a smart way to mitigate cyber-related risk but, even if you secure a pay out, it will only cover financial loss. The impact of a breach on brand and reputation, including things like customer attrition, can be much larger and long-lasting. That’s why industry best practice cybersecurity in a way is its own insurance. It’s certainly not fool-proof but, if followed correctly, will make serious outages and breaches a rarity.
Insurance in the sector grew 50% in the UK between 2015 and 2016, according to a leading underwriter yet, as the industry rapidly matures, organizations must be careful not to view policies as a “get out of jail free card”. In fact, if companies can’t first demonstrate a baseline of cybersecurity best practice, they may find it extremely difficult to negotiate an acceptable contract, and even trickier to claim in the event of an incident.
The same Risk:Value report revealed some key areas of risk that might limit the chances of securing a cyber insurance contract, or a pay-out.
Nearly half (45%) of respondents said they thought poor system patching could invalidate their insurance. This isn’t surprising, given the fall-out from the WannaCry ransomware campaign which hit organizations that had failed to patch a critical Windows flaw released months earlier. Automated patch management systems are a must given current threat levels and the multiplicity of systems modern organizations need to manage. Ageing IT systems were also pegged as a major risk to insurance contracts, once again highlighted by WannaCry, which primarily exploited unpatched Windows 7 systems close to or past their end of life.
Incident response is also a basic requirement of best practice security and will become even more important as the General Data Protection Regulation (GDPR) mandates 72-hour notifications following a breach. In fact, general non-compliance problems were also flagged by respondents as possible barriers to insurance. These challenges are only going to increase with forthcoming European legislation set to come into force in May 2018. The GDPR and NIS Directive both require organizations in one way or another to follow best practices in cybersecurity, threatening massive new fines of up to £17m or 4% of global annual turnover for non-compliance.
Employee negligence was the final major risk to cyber insurance raised by the report’s respondents. Nearly half of all breaches reported to the ICO during the period 2013-2016 came as a result of human error by staff, so it’s not hard to see why well communicated policies and comprehensive training and education programmes are vital to attaining that baseline of good cybersecurity.
The consequences of failing to review security controls and manage the business risk go far beyond financial loss.