Are you covered? Why are businesses ignoring the need to be insured when it comes to cyber security breaches?
Only a third of organisations in the UK have company insurance that covers them for a cyber security breach and for the financial impact of data loss. This compares to 40% globally, according to figures from NTT Security’s latest Risk:Value report, which also shows that the majority (81%) of these organisations believe it is ‘vital’ that they are insured against security breaches.
Given the number of organisations that have suffered major data breaches and struggled to manage the impact on their reputation, their systems and, perhaps most importantly, the trust of their customers, this is surprising, says Mark Taylor, managing consultant, NTT Security.
Breaches all too common
It’s interesting that in an era where data breaches are all too common, just 29% of organisations have a dedicated cyber security policy in place.
You could argue that cyber insurance is not very common. In fact, it is more common than you might think: cyber liability insurance, as it is also known, has been around for over 10 years. The number of insurers now offering cyber insurance via Lloyd's of London has grown to more than 70 companies, nearly double the figure of just a few years ago.
So why are businesses not addressing this issue more seriously? It’s down to a combination of reasons.
Lack of awareness among firms that such policies exist is certainly one reason, but more often than not, insurers themselves do not yet fully understand the scale and nature of cyber risks. Cyber insurance is full of ambiguity and complexity, and underwriting such complexity is difficult if it is not clear what is supposed to be insured. There have been cases of insurers not paying out because of ambiguous policy interpretation. Insurers need clarity before underwriting these policies.
Companies taking out insurance also need to know what they are talking about and be able to answer the insurer's questions accurately about their risk profile and their security infrastructure, policies and processes. Inaccurate information can void a policy, with claims denied because the information provided was wrong.
Our own research reveals that business leaders within organisations are at least aware of what might invalidate their insurance. Half of respondents say that the failure to maintain or apply updates to existing IT systems could invalidate an insurance policy; 38% point to the lack of an incident response plan, while 37% believe that lack of compliance with industry regulations, including the EU General Data Protection Regulation (GDPR), could affect a claim.
GDPR requires notification to the relevant authorities within 72 hours if there is a risk to the data subjects' data. If you have sufficient controls in place to be confident that the data subject information cannot be read or accessed, notification is not mandated, but this is an important point to bear in mind.
The very fact that breach notification was not mandated until the GDPR came into effect this year may be one of the reasons why more companies have not put cyber risk insurance higher on their list of priorities. Now that the penalties are tougher, with potential fines of up to £17 million (€19.13 million) or 4% of global annual turnover for non-compliance, perhaps we will see an uptick in policies being taken out.
No ‘get out of jail free’ card
But a word of caution to would-be policyholders. While cyber risk insurance should be in place to help mitigate the fallout of a security breach and from the resulting financial loss, a policy must not be seen as a ‘get out of jail free’ card.
It must be complementary to a risk-based approach to security, not a replacement for it. You would not expect an insurance provider to pay out if you were burgled with the doors and windows left unlocked. So organisations cannot expect a payout if they haven’t put in place the right processes and policies.
Buy insurance, but demonstrate that you have put the right security programmes and controls in place, including business continuity arrangements and a business risk assessment that shows a clear link to information security risk. You will also need a comprehensive incident response plan. According to the 2018 Risk:Value report, less than half of organisations have implemented an incident response plan, a figure that has barely moved in 12 months.
Incident response planning is a crucial part of any security strategy. It guides people through the necessary steps to contain a threat, recover, and remediate the damage. But it must have support from the top down and be communicated effectively throughout the organisation.
Any business serious about insuring its data assets should invest in implementing relevant protection measures that can be demonstrated to an insurer. This means assessing and reducing the risks, and taking appropriate and measurable steps to continuously monitor those risks.
The author of this blog is Mark Taylor, managing consultant, NTT Security