What do JP Morgan, Sony, eBay, Yahoo, Three, and Talk Talk have in common?
In the past two years, these companies have all been victims of cybercrimes and have experienced widespread media attention as a result.
An increase in cybercrimes, followed by an increase in media reporting of breached businesses, and moves towards tougher regulatory penalties, has created an emerging market for cyber insurance.
It is understandable that companies want to be insured against the rising threat of cybercrime. Cyber insurance, however, is still in its infancy. Coverage terms, conditions, and exclusions have not yet been standardised. This, along with the evolving nature of the risk, has resulted in confusion and complexity for insurers, brokers, and companies seeking cyber insurance policies.
Furthermore, the complexity of cyber security and threats has made it difficult for companies to fully understand what their risks are, and what cover they require. Without a benchmark or comprehensive audit, businesses are not only at risk of failing to understand what they need from cyber insurance, but are also in danger of not being covered if they fail to meet the minimum obligations of their policy.
Minimum obligations are common across most types of insurance policies. If a burglar gained access to your house through an unlocked door, for example, your home insurer may say you failed to take appropriate measures to properly secure the property, and therefore deny your claim.
The same is true for cyber insurance. Your company might not be covered if an insurer believes you failed to take measures to secure your data and technology. This could arise through negligence, lack of policies and procedures, lack of security measures, or even purchasing the wrong type of cyber insurance.
Not all cyber insurance policies are the same. While personal data breaches have been given much attention (mostly due to laws requiring notification in the event of such a breach), there are other risks that might benefit from cyber coverage. A company that doesn’t hold sensitive information will not require cover for a personal data breach, but may need a cyber insurance policy that covers theft of intellectual property, ransomware, or denial of service attacks.
You don’t know what you don’t know
When buying or renewing a cyber insurance policy, it is advisable to enlist a professional to assess your risk, and the measures you have taken to mitigate it. A specialist will help you identify where you need cover, and their assessment will also act as evidence to confirm whether you are meeting minimum obligations. This could be the difference between being fully covered in the event of a successful attack, and a denied insurance claim.
An external assessment is the best way to highlight any gaps in preventative measures and to identify a company’s cyber risk exposures. Choosing an experienced cyber insurance broker will help align these risks with appropriate cyber insurance coverages.