In an era where data breaches are all too common, it is striking that only 38% of organizations have a dedicated cybersecurity insurance policy in place, according to our latest Risk:Value Report.
You might conclude from that figure that cyber insurance is a niche product. In fact, it is more established than you might think: cyber liability insurance, as it is also known, has been available for over 10 years. The number of insurers offering cyber cover through Lloyd's of London, for example, has grown to more than 70 companies, nearly double the figure of just a few years ago.
So why are businesses not addressing this issue more seriously? It’s down to a combination of reasons.
Some firms are simply unaware that such policies exist. More often than not, though, the problem is that insurers do not yet fully understand the scale and nature of cyber risk. Cyber insurance is full of ambiguity and complexity, and underwriting a policy is difficult when it is not clear what is actually being insured. There have been cases of insurers refusing to pay out because of ambiguous policy wording. Insurers need clarity before they can underwrite these policies with confidence.
Companies taking out insurance also need to know what they are talking about: they must be able to answer the insurer's questions about their risk profile, security infrastructure, policies and processes accurately. Inaccurate information can void a policy, and claims have been denied on exactly that basis.
Our Risk:Value research shows that business leaders are at least aware of what might invalidate their insurance. Almost half (47%) of respondents say that failing to maintain or patch existing IT systems could invalidate a policy, while 36% point to the lack of an incident response plan, and 29% to a lack of care by employees.
As well as understanding what could invalidate a policy, businesses must also recognize that insurance is not a 'get out of jail free' card.
It must complement a risk-based approach to security, not replace it. You would not expect an insurer to pay out if you were burgled after leaving the doors and windows unlocked, and organizations cannot expect a payout if they have not put the right processes and policies in place.
Buy insurance, but be able to demonstrate that the right security programs and controls are in place: business continuity arrangements, a business risk assessment that links clearly to information security risk, and a comprehensive incident response plan. Being able to show an insurer that appropriate and effective information security is in place also puts an organization in a position to negotiate lower premiums. Yet according to the 2018 Risk:Value Report, only 49% of organizations have implemented an incident response plan, a figure that has barely moved in 12 months.
Incident response planning is a crucial part of any information security strategy and of business operations more broadly. It guides people through the steps needed to contain a threat, recover, and remediate the damage. But it must be supported from the top down and communicated effectively throughout the organization.
Any business serious about insuring its data assets should invest in relevant and appropriate protection measures that can be demonstrated to an insurer. That means assessing and reducing the risks, and taking measurable steps to monitor those risks continuously.