Two-thirds of senior business executives expect to suffer a security breach, according to a survey of international business leaders. Breaches are expected to result in an average drop in revenues of about eight per cent, according to a poll of 800 senior business decision-makers sponsored by NTT Com Security.
Despite the tangible threat of security breaches, only 44 per cent of business leaders had taken steps to secure all of what they consider to be their business-critical data and only 47 per cent had a recovery plan in place.
Nearly three-quarters (72 per cent) of senior execs polled believe it is vital that their organisation is insured for data security breaches, but only half (54 per cent) admit their company insurance currently covers the financial impact of both data loss and a security breach. Most senior executives fail to recognise the long-term damage that a data breach might have on their business, according to NTT which polled business leaders (not in an IT role) in Australia, France, Germany, Hong Kong, Norway, Sweden, UK and US.
The NTT study discovered that cyber insurance covered the financial impact of data loss or a data security breach as standard with other factors also covered, depending on the terms of the policy. Other factors that might be covered included legal costs, regulatory fines, loss of business, remediation, loss of customers and government fines.
Cybercrime is a relatively new form of commercial risk, and the cyber insurance market is still evolving, with a shortage of brokers and insurers who have the relevant skills and knowledge. As a result, cyber insurance can be ambiguous, with examples of insurers failing to pay out based on small print and complex policy interpretation.
NTT said the growing market still offers business benefits but needs to be approached carefully. Organisations need to understand the context and put necessary controls, processes and operations in place. It's only then they can look at the gaps, which enables them to tell insurers what risk controls and risk exposures there are in the business.
Garry Sidaway, senior vice president of Security Strategy & Alliances at NTT Com Security, said its report shows businesses increasingly value their data even though they don't necessarily understand the risks to critical information posed by security breaches until disaster strikes. Sidaway said: "Unfortunately, security at the board level still tends to be associated with data protection and compliance, when in fact securing data properly is absolutely critical to enabling businesses to thrive and survive. There's also a growing disconnect between the cost of breaches and the importance that organisations place on IT security to drive these costs down."
Using cyber-insurance as a means of managing the risk of hacker attacks was suggested last year by Michael Daniel, one of US President Obama's top cybersecurity advisers.
The US market for cyber insurance was already established even back then, according to industry experts.
"The involvement of the big insurance players, covering big companies against potentially massive losses, is steadily transforming it into a major business though. It's already raking in an estimated $1.3 billion per year in the US, with the rest of the world lagging some way behind," notes John Hawes in a post on Sophos's Naked Security blog.
"The cybersecurity insurance market is relatively new and undeveloped, according to a study last year from consultants Cap Gemini. Although we started seeing insurance against infection thrown in with some AV products several years ago, this was little more than a gimmick and never really took off."
No claims bonus
Mark Brown, executive director of cyber security and resilience at management consultancy EY, argued that the cyber security insurance market would work better if it incentivised firms to achieve compliance with industry standards via reduced premiums. Without this, security insurance risks becoming a safety net for the feckless, according to Brown.
"Many firms are now focussing on how they protect against the consequential financial impacts of a cyber incident and are turning to insurance as a mechanism to alleviate risk," Brown said. "However, whilst insurance offers financial protection to businesses, it does not incentivise businesses to invest in enhancing their Cyber Security defences. Consideration should be given to rewarding those businesses who can demonstrate effective Cyber Security through certification schemes such as the Cyber Essentials.
"Those organisations that show high levels of effective cyber security should be rewarded through options such as insurance premium reduction. This would align to steps taken by insurers offering protection against wider business interruption and ensure that such risks were being appropriately managed by businesses and not just managed through insurance coverage."
LogRhythm's Brewer argued businesses must see insurance as a safety net, and not as a security tool.
"Just as you wouldn't forgo your fire alarm when you purchase contents insurance for your house, organisations must not do the same with their defensive security measures," he said. "Protective monitoring and security intelligence should be the go-to strategy throughout organisations, as it provides the most granular view into all network activity. This ensures that anything untoward can be immediately identified and stopped in its tracks before any lasting damage is done, or big insurance payouts are required."