Cyber-attack Insurance? Is that a thing?
Few things are more certain in 2019 than death and taxes and
that is cyber-attacks. A recent
report published
by the Cambridge Centre for Risk Studies and authored by the Cyber Risk Management
(CyRiM) project outlines costs for cyber attacks in 2019 into the
billions of dollars.
The report examines ransomware specifically but it is an obvious
representation of how costly and disruptive cyber-attacks are. The figures in
the report, $25 billion in costs for retail and health along with $90 billion
for the U.S. alone, include disruption to processes like supply chain and
production, ransom payments, and mitigation expenses.
It is no longer a question if cyber-attacks will happen, but rather a question of when they will happen. Costs per
incident will continue to rise in conjunction with the frequency and complexity
of the attack. This was not more evident than the recent ransomware attack
experienced by the city of Atlanta which essentially ground the city to a halt.
An unintended consequence of a cyber-attack is survival. Is
your organization poised to not only mitigate an attack but also ensure
business continuity? What about your financial posture? If the answer is “no”
to any of these, it would be wise to seek out a lesser explored mitigation
technique of risk transference – cyber insurance.
Expected to reach the $9 billion-dollar mark by 2020
(Siekierska, 2018), it seems that there is still some apprehension regarding
this oft unknown lifeline. Organizations are reluctant to the tune of only one-third
of companies making the choice to explore this option. In some circles,
cyber-attack insurance is viewed as a bit of a novelty rather than a necessity
of the cost of doing business. One of the reasons for this point of view is its
recent popularity. Enterprise is still very much dominated by the “old guard”
who view cyber-attack insurance as the trendy new-kid-on-the-block instead of another
layer of insulation against potential disruption or ultimate financial ruin. But
this type of mentality may not be without merit given the sometimes-fickle
nature of security tools. What is hot today, is all but abandoned tomorrow
leaving organizations fuming over unnecessary expenditures that could have been
better utilized elsewhere.
And of course, the biggest point of contention with cyber-attack
insurance is the lack of understanding of what is and what isn’t covered. This
is akin to automobile insurance with slightly more confusing and obscure language.
On one hand, mid-to-large businesses find it difficult to prove a loss to their
carrier and on the other, carriers find it hard to properly write a policy which
provides adequate coverage for the policy holder. Time will tell if cyber-attack
insurance will become a thing or not. In the meantime, organizations would be
best served by analyzing their risk appetite against their business continuity
procedures and leveraging a policy which covers any gaps that are identified.
References
Poremba, S. (2019, Feb 5). Cyber Insurance
Adoption Low, Despite Rising Cyberattack Threats. Retrieved from Securiyt
Boulevard:
https://securityboulevard.com/2019/02/cyber-insurance-adoption-low-despite-rising-cyberattack-threats/
Daffron, J., Ruffle, S., Andrew,
C., Copic, J., Quantrill, K.,
Smith. A.,
Leverett, E., Cambridge Centre for Risk Studies, Bashe Attack: Global
Infection by Contagious Malware, 2019
Siekierska, A.
(2018, Nov 9). Hackers targeting small
town governments, prompting need for 'cyber
insurance'. Retrieved from Yahoo Finance: https://finance.yahoo.com/news/hackers-targeting-small-town-governments-prompting-need-cyber-insurance-154730070.html
