Saturday, February 9, 2019

Week 9 - Cyber-attack Insurance? Is that a thing?

Cyber-attack Insurance? Is that a thing?


Few things are more certain in 2019 than death and taxes and that is cyber-attacks. A recent report published by the Cambridge Centre for Risk Studies and authored by the Cyber Risk Management (CyRiM) project outlines costs for cyber attacks in 2019 into the billions of dollars.

The report examines ransomware specifically but it is an obvious representation of how costly and disruptive cyber-attacks are. The figures in the report, $25 billion in costs for retail and health along with $90 billion for the U.S. alone, include disruption to processes like supply chain and production, ransom payments, and mitigation expenses.

It is no longer a question if cyber-attacks will happen, but rather a question of when they will happen. Costs per incident will continue to rise in conjunction with the frequency and complexity of the attack. This was not more evident than the recent ransomware attack experienced by the city of Atlanta which essentially ground the city to a halt.

An unintended consequence of a cyber-attack is survival. Is your organization poised to not only mitigate an attack but also ensure business continuity? What about your financial posture? If the answer is “no” to any of these, it would be wise to seek out a lesser explored mitigation technique of risk transference – cyber insurance.

Expected to reach the $9 billion-dollar mark by 2020 (Siekierska, 2018), it seems that there is still some apprehension regarding this oft unknown lifeline. Organizations are reluctant to the tune of only one-third of companies making the choice to explore this option. In some circles, cyber-attack insurance is viewed as a bit of a novelty rather than a necessity of the cost of doing business. One of the reasons for this point of view is its recent popularity. Enterprise is still very much dominated by the “old guard” who view cyber-attack insurance as the trendy new-kid-on-the-block instead of another layer of insulation against potential disruption or ultimate financial ruin. But this type of mentality may not be without merit given the sometimes-fickle nature of security tools. What is hot today, is all but abandoned tomorrow leaving organizations fuming over unnecessary expenditures that could have been better utilized elsewhere.

And of course, the biggest point of contention with cyber-attack insurance is the lack of understanding of what is and what isn’t covered. This is akin to automobile insurance with slightly more confusing and obscure language. On one hand, mid-to-large businesses find it difficult to prove a loss to their carrier and on the other, carriers find it hard to properly write a policy which provides adequate coverage for the policy holder. Time will tell if cyber-attack insurance will become a thing or not. In the meantime, organizations would be best served by analyzing their risk appetite against their business continuity procedures and leveraging a policy which covers any gaps that are identified.
        

References

Poremba, S. (2019, Feb 5). Cyber Insurance Adoption Low, Despite Rising Cyberattack Threats. Retrieved from Securiyt Boulevard: https://securityboulevard.com/2019/02/cyber-insurance-adoption-low-despite-rising-cyberattack-threats/
Daffron, J., Ruffle, S., Andrew, C., Copic, J., Quantrill, K.,
Smith. A., Leverett, E., Cambridge Centre for Risk Studies, Bashe Attack: Global Infection by Contagious Malware, 2019

Siekierska, A. (2018, Nov 9). Hackers targeting small town governments, prompting need for 'cyber insurance'. Retrieved from Yahoo Finance: https://finance.yahoo.com/news/hackers-targeting-small-town-governments-prompting-need-cyber-insurance-154730070.html

No comments:

Post a Comment