The talk of cyber insurance has seen major steps forward in 2014.
From Cabinet Office Minister and Paymaster General Francis Maude MP recently working with the Association of British Insurers to create a comprehensive cyber security insurance model, to Target’s successful claim, this is undoubtedly a well-discussed topic. At the recent Cyber Security Summit, Mark Brown, executive director of cyber security and resilience at EY, said that while there is currently $1BN of indemnity coverage in London alone, the industry needs to grow up.
Brown said: “We need to grow up in cyber risk insurance, but unfortunately it is the new fad for businesses. Do they know what they are buying? Is it adequate and do they know what the cyber risk is and determine what they are buying?
“If it provides the same level of support as to the business continuity industry, and you can prove adequacy and maturity of controls, then you should be rewarded with reduction in premiums. If you cannot, then I support them being higher.”
I caught up with Mark Brown to discuss these points further. He said that there are currently three types of policy: business interruption insurance, general liability insurance and cyber risk insurance, and insurance companies are moving cyber away from the other two, as for a claim to be paid out you have to prove that you have met the requirements of the policy, and this is where the specifics of the cyber policy come out.
“What we are seeing is there are lots of companies who are buying cyber insurance without knowing how much they should be buying, and looking at it as an easy way to transfer the risk,” he said. He claimed that this is causing nerves about underwriting policies, as, if a client is unable to prove what they are doing in terms of adequacy of control, there may be problems.
“One view expressed by the industry is that they shouldn’t be forced to accept any risk, they should be sensible in the risk that they insure and part of that would be for organisations to accurately identify: how much insurance they need; and to be able to prove what they are doing in terms of controls and adequacy of preparation,” he said.
He claimed that no-one should take out a policy that will never pay out, but cyber insurance policies are being written in a way that requires you to prove that you took the appropriate measures to stop the incident taking place in the first place. Brown said that this is driving the question of how it is formalised, and potentially incentivising companies to see that an investment in insurance brings a benefit not only in protection and enablement but in pure financial terms.
He admitted that simply buying insurance will not prevent anything; it will just provide a safety net in terms of financial resolution. Naturally the analogy of car insurance was made, and Brown said that one “safe” driver would not pay the same as someone with a more “dangerous” approach; so if you took a cavalier approach to cyber security as a business, and did not put adequate controls in place to protect yourself, why should you be paying the same premium as another company that is investing millions of pounds in defences to make itself more resilient?
In the case of Target’s cyber insurance claim, two-thirds of losses were covered (of $68M to remediate, $44M was covered by insurance) and to many CFOs and heads of operational risk and assurance, that will further prove the need to transfer the balance of operational risk.
Brown said: “It is still a very immature market, but given that insurers are looking to move clients away from having cyber insurance within general liability and business interruption insurance, I think it is going to increase significantly in the next year.
“We have seen projections from insurers which say that the sector will increase tenfold in the next 12 to 24 months. Look at that level of incremental lift in the number of policies; it is going to become more commonplace that Government are moving away from Crown Insurance to some areas focusing on insurance as a risk plan.”
Mark Brown, executive director of cyber security and resilience at EY, was talking to Dan Raywood