Cyber Insurance – Still a Valid Tool for Risk Management?

Insurance providers over recent years have dipped their toes in the water in the provision of Cyber-Insurance to organisations. Digital Transformation has made computer systems critical to business operations in many cases, and just as heavy machinery is insured against loss due to fire or flood, the contents of a data centre can now be insured against cyber-attack.

The Cyber Insurance industry is expected to grow to $20bn by 2025[1], and insurance is intended to be just one pillar of risk reduction – to be sensibly combined with investment in security technology, user education, and third-party risk reviews, amongst others. While no-one, including the insurers, proposes that insurance is a replacement for good security practices (indeed, many stipulate a certain level of due diligence before cover is provided), it can be a sensible way to transfer the residual risk from cyber-attacks.

A major development which could derail the nascent industry is currently going through the courts. Mondelez, a huge food and snack multinational which owns brands such as Cadbury and enjoys revenues of over $26bn, experienced massive business disruption from the ‘NotPetya’ ransomware attack, losing nearly 26,000 devices and suffering a 5% revenue drop for the quarter.

Initially, Zurich Insurance approved a $10M payment to Mondelez, as it was covered for ‘physical loss or damage to electronic data, programs or software, including loss or damage caused by the malicious introduction of a machine code or instruction’. However, this was later rescinded, as the policy included an exclusion for ‘hostile or warlike action in time of peace or war’ by a ‘government or sovereign power’.

NotPetya was widely attributed as an attack on the cyber-infrastructure of Ukraine, orchestrated by the Russian government. This raises a few discussion points in relation to the effectiveness of cyber-insurance:

  1. With the rise of nation state threats, whether as acts of outright hostility or commercially focused espionage, does this take the most complex and most disruptive cyber-attacks outside the scope of cyber insurance coverage?
  2. The role of attribution of attacks becomes even more important – and this is already an extremely difficult process. Determining which country an attack came from is tricky enough – determining whether it was state sponsored or the work of a rogue individual is even more difficult. Another layer of complexity comes from ‘false flag’ attacks, where one nation intentionally carries out an attack while leaving subtle hints to implicate another state.
  3. Cyber-insurance may not be the ‘last resort’ that some organisations were using it for. While transferring risk to another party in exchange for a predictable financial sum was tempting, the risk of an attack not being covered needs to be carefully understood.

In summary, security is – and always was – the responsibility of the organisation that will be impacted most in the event of a breach. As an individual, this means don’t give your personal data to organisations with a dubious history of treating your data with the respect it deserves. For organisations, it means you need to fully understand your risks, quantify them appropriately, and provide your IT Security team with a budget commensurate with this risk.

Armadillo can provide a security risk review and help you to build out your security strategy for the coming 12-18 months. Get in touch if you would like to walk through how we can help you with strategic planning for 2019 and beyond. You can contact me directly at [email protected] - or read more about the services we provide at www.wearearmadillo.com

[1] Kesan, Jay P.; Majuca, Ruperto P.; Yurcik, William J. “The Economic Case for Cyberinsurance”. Workshop on the Economics of Information Security (WEIS), 2004.

Written by: Rob O’Connor, Chief Technology Officer at Armadillo.

Stuart Quick

Head of Business Delivery GCT | The Cyber Helpline | Veteran

5 years

Yes

Ian Darlington MSc Veteran

Senior Consultant at CyberCSI

5 years

It requires an openness by the insurance companies and an awareness by the customer. This will allow the customers to understand why they need the insurance and what risks are covered. If insurance companies are open, they can also strike a balance with the customer over risk management vs. the insurance cover required.

Cyber resiliency will allow companies to work proactively in the future. Without Cyber resiliency, companies will focus on what’s going to happen versus what we want to happen.

Joe DePaul

IronGate Cybersecurity LLC - Chief Executive Officer / Co-Founder | Service Oriented Strategist | Solutions Based Thinker

5 years

The short answer is definitively - YES! Cyber Insurance in combination with a strong culture of cyber security, which permeates all levels of the organization, can be a very effective strategy to mitigate the financial loss associated with a cyber event. It is also extremely important to understand the nuances of how a property policy may respond in such an event, as noted in the article, and how a cyber insurance policy would respond to the same event by providing coverage for first and third party losses. Our team of experts and consultants would be happy to discuss, and provide insights into how cyber insurance can, coupled with a robust cyber security culture.
