With cyber-attacks increasing in frequency and severity, many companies are turning to insurance to cover their mounting losses. But can insurers quantify the risk accurately, and could insurance lead to corporate complacency?
Many firms feel like they’re under siege.
Cyber-attacks are coming thick and fast and the tools at the hackers’ disposal seem to be getting more, not less, powerful.
Estimated annual losses from cyber crime now top $400bn (£291bn), according to the Center for Strategic and International Studies. And the cost in lost productivity of last year’s WannaCry ransomware attack alone was estimated at $4bn.
So many businesses are buying cyber insurance “in a mad panic”, warns Char van der Walt of SecureData, a cyber-security company.
“Unfortunately this will mean that businesses of all sizes will seek out the minimum cyber-security investment laid out by insurers, government, and regulators, rather than going above and beyond to protect their own, and their customers’, data.”
Ransomware attacks, whereby criminals break into your network, encrypt all your data, then demand money in return for the decryption key, are particularly virulent. Firms have even been stocking up on Bitcoins – the hackers’ cryptocurrency payment of choice – to pay the ransoms.
And it’s not just the immediate ransom costs they have to worry about. There are the costs of investigating and closing the breach, legal and public relations costs, the damage to your share price as consumers and clients lose confidence, and the loss of business resulting from a damaged reputation.
There are also potential regulatory fines to pay – particularly when the European Union’s General Data Protection Regulation (GDPR) comes into force in May. Under the new rules your firm could be fined up to 4% of turnover or €20m, whichever is the greater, if regulators think you haven’t protected customers’ personal data adequately.
The average cost of a cyber breach was $349,000 in 2017, according to NetDiligence, whose data is based on actual cyber insurance claims. For a big company the average cost was $5.9m.
But US retailer Target, which had more than 40 million customer credit card details stolen in 2013, had to fork out $279m in total as a result of the breach, says specialist insurance market Lloyd’s of London in a report compiled with consultancy KPMG and international law firm DAC Beachcroft.
Around $100m of that was on lawsuits.
Telecoms company TalkTalk suffered losses of nearly $100m after its breach in 2015, says Lloyd’s, and this included a £400,000 fine from the UK Information Commissioner’s Office.
So it’s perhaps little surprise that interest in cyber insurance has spiked recently.
The number of insurers offering cyber insurance via Lloyd’s of London has leapt to more than 70, nearly double the number a few years ago. And insurance giant Allianz predicts that global cyber insurance premiums will grow to $20bn by 2025, up from around $3-4bn now.
One insurer, Hiscox, says it has been enjoying robust growth in its cyber insurance business, particularly following the TalkTalk breach and as GDPR approaches.
“We’re seeing annual growth of around 40% in cyber,” says Gareth Wharton, chief executive of cyber at the insurer. “We expect to have taken around $100m in premiums in 2017.”
But how do insurers know how to assess cyber risk accurately and set the right premium levels?
“Cyber isn’t like car or house insurance where the risks are known and the products haven’t changed that much,” says Mr Wharton. “The types of risk are changing all the time and there’s no easy way of quantifying the cost of stolen data.”
So it’s up to the insurer to make sure the client is an acceptable risk, he says.
“Firstly we need to understand how seriously the board takes cyber-security,” says Mr Wharton. “Does it have a disaster recovery plan and how often does it test it?”
The firm checks obvious security measures, too, such as the presence of antivirus and firewall protection, the frequency of software updates and data back-ups, and whether critical data is encrypted, he says.
“We’re trying to be a partner with our clients, not just a seller of insurance, so we offer free cyber security training as well. We have a responsibility to drive up standards and encourage better practice.”
While there are several recognised ISO [International Organisation for Standardisation] standards covering various aspects of information security, there isn’t one catch-all standard that global businesses can adopt to help insurers assess their cyber risk.
The UK government insists that any company it does business with has to conform to the Cyber Essentials standards set by the National Cyber Security Centre. That’s a start at least.
“One of the biggest issues in cyber insurance is how to price it effectively and cover indirect as well as direct costs a company suffers following a cyber-attack,” says Nik Whitfield, chief executive of Panaseer, a cyber risk assessor.
He anticipates companies like his offering cyber risk assessment services to insurers. Firms seeking insurance could be happy to be assessed in the hope of securing lower premiums, he argues.
“Such a service could be the equivalent of a telematics box in your car which tells the insurance company how well you’re driving,” says Mr Whitfield.
But if firms see cyber insurance merely as an excuse to skimp on their cyber-security defences, they could find themselves in trouble, he warns.
“Businesses must understand that cyber insurance is not a silver bullet – you don’t get car insurance and drive like a maniac,” he says.