Cyber insurance underused

Businesses are finding it difficult to protect themselves against the increasingly diverse range of tactics deployed by cyber criminals, and cyber insurance is underused. Recently, organisations have experienced a rise in destructive malware attacks, for instance, which are designed to shut down information access and obliterate system functions on victim machines.

Destructive malware, including ransomware that employs a “wiper” element, is on the rise, according to recent research by IBM X-Force Incident Response and Intelligence Services (IRIS). It saw a rise in cases of 200% during the first half of 2019 compared with the second half of 2018, it said.

High costs

IBM X-Force IRIS data showed organisations hit with destructive malware can experience a total loss of $200 million. Large multinational companies take an average hit of $239 million per incident, it estimated. The cost of remediation, equipment replacement, lost productivity, and other damage makes destructive malware attacks far pricier than typical data breaches, which averaged $3.92 million each, according to estimates from the Ponemon Institute.

Unlike a traditional data breach, which typically targets intellectual property or other valuable information, a destructive malware attack aims to shut down a target’s corporate environment. Half of destructive malware cases targeted the manufacturing industry. Other popular targets were in the education or oil and gas sectors.

The firm recommends that businesses consider segregating and minimising privileged accounts and ensuring the same account cannot be used to access every critical system. It is critical to protect company backups, otherwise paying a ransom may be the only way a victim can get its information back, it said.

Cyber insurance

In August, the industry body the Association of British Insurers revealed that 99% of claims made (207) on ABI-member cyber insurance policies in 2018 were paid. It said that this is one of the highest claims acceptance rates across all insurance products. But the take-up of cyber insurance products for business stands at only 11%, and the market is only about a tenth of the size of the market for UK pet insurance, suggesting that cyber insurance is underused. Many standard policies are “silent” over whether businesses are covered, making specific cyber-related insurance more important.

“The UK has the potential to be a world leader in cyber insurance, but the inability to access raw breach data risks limiting the potential of the market,” an ABI spokesperson said. It said that the Information Commissioner’s Office has so far refused to make anonymised cyber breach data publicly available. ABI said this would enable insurers to price risk more accurately and manage exposure more effectively by feeding this data directly into their modelling. Ultimately this would make cyber insurance more widely available, more accurately priced and better tailored to each business, it said.

What does cyber insurance cover?

While individual policies may differ, the ABI says that typical cyber insurance policies cover the following risks:

  1. Cyber business interruption: when a cyberattack interrupts business operations, insurers cover loss of income during the period of interruption and beyond.
  2. Privacy breach: protects businesses against losses arising from dealing with a security breach. For example, notifying customers of a cyber breach, the costs of hiring a call centre to answer customer enquiries, the costs of public relations advice, IT forensic costs, any resulting legal fees and the costs of responding to regulatory bodies.
  3. Cyber extortion cover: protects businesses from ransomware and other malicious attempts to seize control of operational or personal data until a fee is paid. This clause will typically provide for a reimbursement of the ransom amount demanded by the attacker as well as any consultant fees to oversee the negotiation.
  4. Hacker damage: protects businesses from damage inflicted by a hacker on digital assets. In particular, it provides protection against the loss, corruption or alteration of data as well as the misuse of computer programmes and systems.
  5. Media liability: protects a business in the event that its digital media presence leads to a party bringing a claim against the business for libel, slander, defamation or the infringement of intellectual property rights.
  6. Cyber forensic support: provides cover for near immediate 24/7 support from cyber specialists recommended by the insurer in the period following a hack or data breach. These specialists are able to assess systems, identify the source of any breach and suggest preventative measures for the future.

 
