Cybercriminals use a range of strategies to select their victims and are not always selective about who they target. Examples of commonly targeted entities include corporate bank accounts, which often lack the added layer of security available within personal accounts. A UK Government survey estimated that in 2014, 81% of large corporations and 60% of small businesses suffered a cyber breach. The average cost of a cyber-security breach is between £600k-£1.15m for large businesses and £65k-£115k for SMEs.
While existing insurance policies, such as commercial property, business interruption or professional indemnity insurance, may provide some elements of cover against cyber risks, businesses are increasingly buying specialised cyber insurance policies to supplement their existing insurance arrangements.
HOW IT WORKS
Cyber security insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and IT systems and network damage. Policies generally include significant assistance with, and management of, the incident itself, which can be essential when faced with reputational damage or regulatory enforcement. These policies tend to offer targeted coverages for discrete harms, with each coverage having a separate premium, e.g. one coverage part might apply only to data breach notification costs and claims arising from civil lawsuits, whilst another coverage part might apply only to forensic costs to identify or fix a breach.
Generally, cyber risks fall into first-party and third-party risks. Insurance products exist to cover either or both of these types of risk:
First-party insurance, which covers a business's own assets, interruption losses or costs to repair or restore lost data or software, including:
- Business interruption from network downtime
- Cyber extortion, where third parties threaten to damage or release data if money is not paid to them
- Loss or damage to digital assets such as data or software programmes
- Theft of money or digital assets through theft of equipment or electronic theft
Third-party insurance, which covers the assets of others, typically customers, including:
- Security and privacy breaches, and the investigation, defence costs and civil damages associated with them
- Multi-media liability, to cover investigation, defence costs and civil damages arising from defamation, breach of privacy or negligence in publication in electronic or print media
- Loss of third party data, including payment of compensation to customers for denial of access, and failure of software or systems
Cyber underwriters continue to innovate. In 2014, AIG introduced its CyberEdge PC38 policy which, for the first time in a form for general use, can cover property damage and bodily injury resulting from a cyber event. It does this by providing excess DIC (difference in conditions) coverage over a company's existing insurance programmes. However, cyber coverage for companies holding payment card data is becoming more expensive and harder to obtain: underwriters are asking deeper questions and requesting more information than they have in the past. It should nevertheless be noted that some underwriters remain willing to push the envelope on cyber policies in order to provide solutions, not just policies, to clients. That is essential at a time when the cyber risks companies face are so dynamic and there is unprecedented demand for cyber insurance.
The UK Government believes that working with the insurance industry to develop a comprehensive cyber security insurance model will encourage private sector firms to manage cyber risk. It has implemented changes to the law, and planned further proposals, in order to help prevent cyber attacks. These include:
- Cyber Information Sharing Partnership which allows Government and Industry to exchange information on cyber threats;
- The General Data Protection Regulation which offers a new perspective on protecting user data;
- The extension of Section 7 of the Bribery Act 2010 to make it an offence for a relevant commercial organisation to fail to prevent bribery and financial crime; and
- A proposed introduction of the Network and Information Security Directive which aims to bolster the security of critical infrastructure in the EU.
Although these changes signify the Government's acknowledgement of the issues surrounding cyber insurance, it has emphasised that cyber insurance does not, and should not, replace the need for good cyber security practice.
Ideally, a robust cyber security insurance market would help reduce the number of successful cyber attacks, not only by promoting the adoption of preventative measures in return for more coverage, but also by encouraging the implementation of best practices through basing premiums on an insured's level of self-protection. In order to achieve the optimum market, it has been suggested that insurance companies could formally link with industry bodies such as CREST to define a basic approach. This could then be used to assess risk and apply suitable premiums. A company which could show that it had achieved a better level of defence could then argue for its premium to be lowered, in line with the industry standard.