Imagine that one day your company loses all its data from emails, transactions to employee records due to cyber-attacks. What would you do? Have you even thought about it? How much loss will you have and how much of it will you be able to take care of? Do you have measures in place to take care of any risks posed by cyber-attacks? Probably not, in a recent survey, 90% of SME businesses don’t rank cybercrime as a business risk.
But the risk of cyber attacks has become even more prevalent with the recent hospital cyber attacks. Sony PlayStation network has had its own share of cyber insecurity. In 2011, it was hit affecting over 77million user accounts, losing approximately $170million. When such a thing occurs the first thing companies think of is insurance policies. Therefore, Sony decided to contact their insurance firm because they thought the attack was covered under general liability insurance policy. As it turns out, they were wrong. The insurance firm denied their claim saying the policy did not include cyber-attacks. This was confirmed in court, leaving Sony in a big financial mess.
Sony learned a lesson and ensured they had a cyber-insurance policy before some malicious people hacked their network again. They were attacked in 2014 and this time the policy was there to save the company trouble. It lost $100million and almost all of it was compensated. The CEO of Sony Pictures attested to how helpful the policy was by saying the breach would not affect their budget.
Lesson from Sony’s experience
Sony had to analyze its risks and identified ways to tackle it if it happened. Your company does not have to be as big as Sony. Cyberattacks are inevitable. The loss Sony made is enough reason to convince your firm how bad cyber attacks are.
Reports show that companies of any size, whether small or big are at risk of attacks. The Verizon Data Breach Report in 2016 shows that 62 percent of breach attacks affected small and mid-sized entities. It does not matter the location of the entity.
There are other statistics to prove how bad cyber breaches are. With regard to 2015 Cost of Data Breach Study: Global Analysis, it is estimated that the average total cost of any given breach is $3.8milion.
How organizations are preparing themselves in response to cyber attacks
More energy is directed towards guarding systems. The efforts include preventive measures against breach and increasing security services. However, it seems these are not enough. Companies are getting into cyber insurance daily. 2016 research conveys that almost 60 percent of firms included cyber insurance into their strategies to handle cyber crimes. However, the large organizations took a better part of the percentage.
Cyber insurance is now categorized as general insurance
Now, cyber insurance is found in the general insurance category. It exists to help businesses through cyber risks. This type of insurance has been there for a while than many may realize. In the past 10 years, many organizations did not give so much weight to cyber risks until now. The term cyber insurance is gaining popularity. The breaches all over the world have enhanced marketing efforts of insurance firms offering the product.
Cyber insurance policies differ depending on the insurer. Besides, governments have boosted its demand. Countries are engaging more in cyber-attack policies. Currently, many countries have compulsory data breach notification laws. That is why more organizations are getting cyber insurance to assist in covering the notification cost.
In few years, the cyber insurance industry in the U.S has grown from 10 policies to 50. These provide cyber insurance only. Insurers intending to get into this business have something to smile about. In 2015, the industry amassed $2.75billion revenue in America. A study by PwC predicts that the amount would triple by 2020.
Understanding cyber insurance policy
A good number of cyber insurance firms offer two kinds of insurance. The first party coverage attends to direct losses caused to the organization, while the third party coverage protects the organization against claims from third parties for example partners and customers. In addition to the monetary compensation, insurers offer risk management and after breach services.
Is assessing risks difficult?
Yes, it is. Cyber crimes are unpredictable that is why cyber insurers do not have a uniform policy. The risks are not common knowledge like in other types of insurance. In this age, before insurers provide you a policy, they look at your risk possibilities. In determining how much you will be remitting as premium, they scrutinize the size of the business, how sensitive its data is, the storage of the data and the general security state of the business.
It is not easy putting into numbers the risks and security status. First, there is little past data on losses. Besides, insurers cannot accurately predict a client’s ability to manage the past and coming cyber issues. This has made insurers very keen on what they offer. Some of them take care of the unpredictability by having costly premiums and low policy covers. Others demand that clients install new technologies before they get the policies.
When companies come up with risk management strategies, they need to include cyber insurance. You cannot tell if the cover will be enough. For instance, the attack on U.S.’s Anthem Health Insurer could cost more than a million dollars. This means a cyber insurance cover ranging from $150-$200 Million may be insufficient to cover the losses.
This way, you can see that insurers are having a hard time coming up with premiums while clients struggle to know how much will be enough. Both parties need a method to better assess risks and establish an organization’s risk.
The cyber insurance industry is an opportunity for cyber security startups
Companies interested in risk assessment tools have enough space in cyber insurance. The automatic tools will help insurers know a firm’s risk status, increasing accuracy. Companies known for the risk tools include Security Scorecard and BitSight Technologies. Organizations such as QuadMetrics in the US are already assisting insurance companies set premiums for their policies.
Insurance companies may also open new departments offering pre-attack and post-attack services such as responses and security analysis. This poses a lot of competition to insurance companies. Cyber security specialists will be on demand and cyber security startups will be more active. Therefore, the cyber security system will grow and become even more complex. The startups can help come up with cyber security strategies for companies.
Bottom line is, risk assessment is changing and cyber policies are important in any firm’s risk management framework. The effectiveness of this is yet to be felt in helping organizations assess and handle the ever-increasing threat.