Cyber Risk – Is cyber-insurance really worth it or a virtual waste?

Cyberthreat

Hardly a day goes by without reports of a new cyberattack. Indeed, the frequency of cyberattacks seems to be increasing as a range of new actors use cyberspace to achieve political, economic or criminal objectives. Not only are viruses, rootkits, backdoors, worms, ransomware, adware, spyware or denial of service attacks apparently more frequent, but they are also being constantly adapted so as to thwart defensive processes. Estimates of the cost of cyberattacks vary: for example, in a 2011 study the global cost of cybercrime was estimated to be US$388 billion annually with the direct cash cost estimated to be US$114 billion [1].

As the world has reaped the benefits of greater interconnection through the internet, its vulnerability to cyberattacks has increased. With the growth of IoT devices, organisations and individuals involved in cyberattacks have been provided with even more vulnerabilities to exploit, and the benefits of perpetrating attacks have increased. A cyberattack can be inexpensive but it has the capacity to provide monetary or other benefits which exponentially exceed its cost.

In contrast, most commercial organisations lack the resources, funds or capacity to defend against the evolving and increasing threat. Sophisticated systems and processes are only as good as the weakest link, which is often an interconnected third party with lower or redundant security systems.

Challenges for the Insurance Industry

In this environment, underwriters have sought to develop a range of insurance products to transfer the risk of cyberattacks. That said, there are a range of challenges for insurers seeking to develop and price policies. Some of those challenges include the following:

  • Inadequate Reporting – Increasing evidence suggests that commercial organisations are underreporting cyberattacks [2], or worse, are unaware that attacks have occurred. The lack of reliable data makes precise actuarial calculations difficult, inevitably leading to high premiums to accommodate the imprecision. It is unclear whether the introduction of mandatory data breach notification requirements in Australia will alleviate some of the uncertainty, but at least overseas there is evidence that insurers’ exposure to markets where reporting is mandatory has improved their capacity to calculate risk and associated premiums [3].
  • Threat Modification – Cyberattacks constantly evolve as defensive practices and processes adapt. The constant evolution of threats makes it challenging for insurers to develop policies that adequately respond to new or developing threats and accurately quantify their impact. In reality a lot can change during the currency of a policy.
  • Quantifying Business Impact – Simplistically, calculating risk depends on the probability of an attack as well as its likely consequence, which is difficult to predict. This is in part a function of the security processes and measures taken by other organisations in the internet network – it is difficult for insurers to quantify the business impact of cyberattacks in a networked environment where the deficient practices of any participant will impact on the likely size of the cyberattack’s consequences across the network (i.e. the ‘moral hazard’ problem).

Insure or not?

In this environment, there is no doubt that cyber insurance is an important mechanism in an organisation’s arsenal to transfer risks to a third party where preventative security measures fail.

What are some of the considerations, however, that an organisation needs to evaluate when deciding whether to insure?

  • Is it necessary? What are the risks to an organisation of simply relying on technical and practical prevention mechanisms? What would be the likely consequences for the organisation if a cyberattack occurred vs the cost of maintaining the insurance? If the costs of maintaining the insurance cannot be justified, perhaps the better use of scarce resources would be to improve practical measures to mitigate the risk.

Organisations may seek to reduce costs by taking out insurance in relation to specific types of cyberattack like ransomware (which seems to focus on small to medium sized organisations) rather than take out comprehensive and potentially expensive insurance.

The Australian Signals Directorate (ASD) produces useful guidelines on practical steps organisations can take to mitigate cyber security incidents. The ASD suggests that its top four mitigation strategies will ‘mitigate over 85% of adversary techniques used in targeted cyber intrusions which ASD has visibility of’ [4].

  • What do I need to do? What does the insurer require? Are there minimum practices the organisation must introduce to obtain the insurance or reduce its premiums? If these practices are not currently adopted, what will be the cost of implementing and maintaining them over the policy duration? What are the claims requirements?
  • What does it cover? Organisations should consider whether their existing policies will cover the damage – sometimes there is overlap between a policy such as business interruption insurance and cyber insurance. Insurers will not want to insure something which is already insured by another policy. As with all insurance, the insured should have a thorough understanding of the policy exemptions.
  • Review and monitoring. With the introduction of mandatory data breach notification in Australia, organisations should be revisiting their insurances as well as their processes to ensure current insurances are appropriate. As we have highlighted above, cyber threats evolve and insurances need to be checked to ensure they cover those changing risks.

If you have any queries or would like further information regarding this article, please contact:

Simon McDonald 
Partner
M: 0402 843 198
E: smcdonald@pageseager.com.au

[1] Based on a survey conducted in 24 countries among adults 18-64, Norton Cybercrime Report 2011, Symantec 2011.

[2] For example, http://www.zdnet.com/article/businesses-are-still-scared-of-reporting-cyberattacks-to-the-police/

[3] European Union Agency for Network and Information Security, ‘Cyber Insurance: Recent Advances, Good Practices and Challenges’, November 2016, at page 10.

[4] Refer to the ASD’s ‘Strategies to Mitigate Cyber Security Incidents’, available at https://www.asd.gov.au/infosec/top-mitigations/mitigations-2017-table.htm

Published: 17 August 2017

Copyright © 2016 Page Seager.