Cyber insurance – Consider these 6 Points when buying your ‘protection’

Cyber insurance is becoming big business. According to one recent global industry survey, business cyber incidents rank third highest of the top 10 Global Business Risks for 2016, up 17% on the previous year.

This increase should come as no surprise to business leaders or industry bodies as the wholesale ‘digital transformation’ of entire industries and organisations continues to spread and consolidate.

This push towards ‘digital’ is driven by a diverse range of factors: the availability of low-cost, innovative digital technologies that are relatively easy to implement and operate, the need to keep up with rapidly shifting customer needs, and the demand for improved business efficiency and adaptability, to name but a few.

Fact is, as the use of digital technologies expands within and across organisations, so do the opportunities for adverse cyber incidents. This is unlikely to be a linear relationship, however.

Additionally, organisations’ increasing dependency on technology presents a further opportunity for adverse cyber incidents.

For business decision makers, striking the right balance between owning or transferring the risk – through cyber insurance – is not as straightforward as it may initially appear.

Self-inflicted adverse cyber incidents

Your organisation could be subject to adverse cyber incidents arising from any number of causes.

On the one hand, we have the much-publicised cybercrime. The number of cybercrime events is increasing. Put another way, the bad guys appear to be winning.

On the other hand, less well discussed – some say tending to be swept under the carpet – is the spectrum of avoidable, self-inflicted adverse cyber incidents.

These often have their origins in poorly designed, operated or maintained technology architecture or software, ineffective governance, poor technology choices, shadow IT, predictable vendor failure, disengaged employees, or an IT department whose primary purpose is to ‘support’ the business rather than be deeply engaged in it.

Bottom line is that defining the return on investment in cybercrime and cyber security countermeasures largely ends up being a subjective call. However, a ‘do-nothing’ strategy is not an option.

The fact is that there are many first- and second-order factors – many of which are not always evident at first pass – that contribute to the effectiveness of your cyber risk countermeasures at any point in time. In other words, effective today, but not so certain tomorrow.

The impacts of the interactions between these factors can be difficult to correlate, predict and quantify for a range of reasons. Some of these include:

  • The high rate of change of modern digital technologies. On the one hand, change and disruption is a gift to cybercriminals. Cybercrime is persistent, innovative, adaptable and fast moving. Not only that, cybercriminals are often far more innovative and adaptable than their intended targets. On the other hand, continual internally generated change, if poorly managed, can contribute to a loss of focus on cyber incident governance.
  • Your IT department is not a true business peer. Most organisations are still struggling to fully integrate IT, digital and business strategies. This contributes to a slew of effects such as shadow IT, data slums and information islands, which may influence your cyber risk profile.
  • Inflexible, bureaucratic risk governance processes and frameworks. Enterprise risk and other compliance governance frameworks and processes are often tied down to measuring and monitoring processes against defined standards. Problem is, in volatile environments, rote adherence to and reliance on ‘standards’ should be questioned.
  • Decision-making processes that are not always objective, based on evidence or subject to the appropriate level of rigour.
  • Inadequate protection from supplier-induced risk. That key IT or digital outsource provider may be your Achilles heel. Or their supplier in turn. Don’t let your supplier’s failure turn into your own business failure.
  • Staff satisfaction and engagement. Disengaged, disempowered staff are a potential risk to the organisation. These risks can manifest from deliberate damage and disruption through to simple inattention at work, all of which may result in an adverse cyber incident. Effective leadership is often the antidote.

Put yourself in your cyber-insurer’s shoes

Think you’re finding it a challenge to come to grips with cyber risk across your organisation? For a moment, put yourself in the shoes of your cyber-insurer.

While cyber insurance is good news for the insurance industry and company shareholders, the reality is that the cyber insurance industry is in its infancy when compared to other well-established and well-understood insurance products.

Fact is, the growth of the global cyber-risk insurance market is substantial. For the 24 month period 2012 to 2015, global expenditure on cyber insurance premiums trebled from US$850 million to US$2.5 billion. Some analysts expect this to grow to $7.5 billion by 2020.

In rapidly expanding markets, the profit attractor compels insurance companies (and consulting firms, and other secondary players for that matter) to add cyber insurance and related services to their product offerings, or risk being left behind.

As an insurer, your challenge is the lack of precedent and reliable data for underwriting defined risks, especially in our fast-moving digital world.

Clearly understanding the risks being taken on is also a challenge, especially when the nature and potential impact of those risks on specific organisations changes rapidly. Rapid changes in technology are the norm, and they are difficult to predict.

Thinking of buying cyber insurance? Consider these 6 points:

The fundamental challenge facing cyber insurance policy holders remains the clarity of definition over what exactly is being insured. Here are a few key pointers to help you frame your decision-making process.

  1. Understand your business and its technologies well. If your IT department is not playing an active and constructive part as a business peer, that’s your first problem. This goes well beyond shadow IT: the proliferation of digital solutions and technologies within individual departments that fit a local need and are tacitly implemented with the approval of business executives.
  2. Meticulously read, understand and test any hypotheses, definitions and contributory negligence conditions in your cyber insurance policy. Doing this requires a holistic understanding of your organisation and how all the moving parts within it operate. A skilled multidisciplinary team that cuts across the entire organisation is needed, one that works collaboratively.
  3. If you cannot predict your business’ future, how can you insure it? Insurance is for events that have yet to occur. Volatile environments are difficult to predict. Acknowledge that cyber insurance in these instances is not precise, despite your attempts (or your lawyer’s) to itemise policy conditions with precision.
  4. Set executives’ expectations that cyber insurance is not precise. If cyber incidents are a real threat to your business, establish a skilled, empowered multidisciplinary team to continually test key assumptions regarding cyber risk. Simply put, consider a process that evaluates everything with the appropriate degree of rigour, assesses outcomes, makes changes and then repeats. This is far more than establishing a ‘risk committee’.
  5. Continually reassess the effectiveness of your cyber incident response team and process, then make changes as needed. Test its effectiveness on a regular basis, just as airline pilots have to simulate multiple events and scenarios. The same goes for your business, if its reputation, its customers’ trust and your organisation’s value are to be protected, that is.
  6. Peer into your supply chain. The failure of a key supplier could rapidly become your problem. A supplier’s lack of knowledge and resources to address its cyber risks will not only threaten its own viability, but also present real risks to your business.

At the end of the day, rapid technology-induced change forms part of the fabric of modern business and organisations.

It is incumbent on Boards of organisations, their executives, and indeed all staff within the organisation to play an active part in continually assessing the potential for adverse cyber incidents. This requires an enterprise culture based on sustained, high staff engagement levels.

Establishing this culture and the frameworks that support it, so that they all play nicely together, is the real challenge facing today’s business leaders. Not getting that right may ultimately be your organisation’s largest risk.

Is expecting your cyber-insurer to cover you when your own ‘digital’ house is not in order too much to ask?