Many companies are seeking protection against cyber attacks. Cybersecurity insurance may be a good solution, but it’s not enough on its own. What is needed is a corporate risk culture, focused on Human Factors and organisational strategies.
Cybercrime is today the main risk factor for companies. In 2016 alone, Italy suffered economic damage from cyber attacks amounting to about 10 billion Euros. The situation in the United States is no better: the average annual cost per company due to data breaches has been estimated at $4 million (based on the 2016 BDO Board Survey).
Many companies are seeking protection by taking out cyber security insurance policies. In the U.S., almost one in three companies has one (a figure three times what it was in 2014). Italy, on the other hand, is behind, with only 27% of companies covered by cybercrime insurance policies.
On the one hand, a good cyber insurance policy can help customers return to normal in the shortest possible time after a data breach or damage to computer systems. On the other hand, insurance cannot prevent an attack. It is therefore necessary to tackle the cause of the problem and work on risk analysis and management. Most of all, it is crucial to spread a corporate culture of cyber security and data protection, addressing human and organizational factors as well as technological ones.
The HERMENEUT project
These points were discussed July 5, 2018 in Milan, during the workshop on “Insurance in cyber-security”. The European project HERMENEUT, part of the Horizon 2020 program, in which Deep Blue participated as project partner, promoted the workshop. Positively reviewed by professionals and insurance agents, the meeting involved over 65 participants. It served to take stock of the situation on the cyber insurance market and to illustrate the HERMENEUT methodology and models for risk assessment and cost-benefit analysis, key factors for the development and growth of the insurance market in terms of information security. The workshop also focused on legislative aspects and on the General Data Protection Regulation (GDPR), the new single European regulation on privacy and data security that came into force May 25, 2018.
A key point, among the outcomes of the workshop, emerged clearly. Insurance policies for cyber security are the last – though not a minor – component of a process that all companies should follow to protect themselves from cyber attacks. Insurance policies are important, but they are not enough if the highest standards of security and internal organization of companies, together with the regulatory framework on data protection, are not respected beforehand.
That is why, before taking out cyber security insurance, there are 7 important things to know.
1) Who is cyber insurance for?
All companies, large but especially medium and small ones. In particular, the latter are the most vulnerable to cyber attacks. But overall, 71% of U.S. companies have been the victim of a cyber attack at least once. The impact of a breach can sometimes be very serious. Economic consequences may include the loss of portions of the market, of customers, data and reputation. From this point of view, investing in cyber security in general (and therefore also in cyber insurance) could prove to be a very important investment for a company.
2) What can cyber insurance do for companies?
To answer this question, it is best to first clarify what it cannot do. Insurance companies do not review business processes or the security level of the information and technology systems adopted. They will, of course, take these elements into account during risk analysis and assessment in order to define the contract. For this reason, before signing the contract, a company needs to invest in security, human factors, internal process management, and GDPR compliance. This can require specialised consultancy (sometimes recommended by the insurance company itself).
That said, insurance can do many other things, such as:
– Quantify the risk and exposure of a company, constantly monitoring its situation.
– Offer assistance in the event of a cyber attack. This includes providing the customer with all the necessary means to counteract and mitigate the effects of the attack, and guiding it through a process to go back to operational normality.
– Guide the customer through the operations related to the regulatory obligations set out in the GDPR, and give advice on internal security and on defending the company’s reputation.
– Compensate the customer economically in the event of a cyber attack and data breach.
In this latter case, however, there is a distinction to be made.
3) Which assets can be insured and reimbursed?
Cybercrime insurance cannot cover penalties imposed on a company that has not fulfilled its legal obligations, such as those of the GDPR. In fact, the new European regulation was created precisely to help companies minimize the risks of cyber attacks, and for this reason it imposes significant penalties on those who do not comply with their legal obligations. These penalties will always be borne by the offender, with or without an insurance policy. All other types of protection and economic coverage, on the other hand, are available, for both tangible and intangible assets.
4) Are there defined standards for insurance policies in the cyber security sector?
No, to date there are no standards for cyber insurance. On the one hand this can be a risk for companies; on the other hand, it is an opportunity. Since it is a new sector, still in a testing phase, insurance companies offer various possibilities and margins for negotiation. There is also a wide range of policies, which can be modelled on specific business risks. It is therefore necessary to pay attention to what each policy covers and how. In order to have a clear understanding of a company’s needs, it is useful to ask for specialized advice.
5) What types of insurance policies are there?
There are many, and all have a wide range of personalized solutions. Some policies guarantee coverage of the costs of restoring the system, and in general of all material damage. Others cover data loss and reputational damage. Others even cover losses of income from an attack blocking the production activities of a company. Finally, some compensate for economic theft or extortion following a cyber attack (the increasingly widespread ransomware, such as Wannacry, which in 2017 hit one hundred thousand computer systems in 105 countries). This type of coverage is, however, prohibited in some countries. All these policies are part of the so-called “first party insurance”.
Then there is “third party insurance”. This covers liability toward third parties, or the risk of contamination by other companies with which the company does business in various capacities.
6) But is insurance enough to protect a company?
No, it is not. Cyber insurance is only one element of the framework of measures that every company should adopt in the field of cyber security. Multiple intervention measures are needed, concerning the human factors and organizational processes of the company, technological and IT standards, and legislative aspects. Only then is it feasible to consider taking out an insurance policy tailored to the company.
7) How to choose the right insurance policy?
Choosing the best and most suitable policy for specific business needs may be tricky. In order to do so, first of all, it is necessary to analyze the risks and the impact that these could have on a business.
The analysis should consider all the company’s assets. These include financial assets, stored data (internal and external), and assets protected by intellectual property. For each of these, it is necessary to identify the main vulnerabilities and assign a level of risk. In fact, hackers often exploit the vulnerabilities of the system to penetrate the physical resources of a company.
Only at this point, once the characteristics of a company are clear, is it advisable to turn to an insurance agency in order to determine which policy best suits specific needs.