Last updated: 16 May 2016
You have probably heard about cyber-insurance, which aims to provide cover against IT security risks and breaches. Unsurprisingly, insurers are telling us that cyber-insurance is the way to go. If you think a policy will give you watertight protection against every possible threat, you might want to think again.
I’m not advocating against insurance, far from it. Indeed, as cyber risks increase, any company would be wise to look into it. It can be expensive, however: as a report from UK-based risk management and insurance association Airmic notes, UK premiums could be up to £30,000 for a £1 million liability limit.
Why so expensive? One of the challenges faced by insurers is that they (like the businesses they are insuring) are shooting into the unknown. Cyber risk is difficult to define or predict, and the difficulty is made worse by a general reluctance to disclose security breaches when they happen, for fear of reputational damage, a factor highlighted by the US ratings agency Standard & Poor's.
Inevitably, this lack of clarity about the risk makes insurance more expensive. It also means insurers concentrate on the limited set of cyber-risks they can get their heads around, notably traditional security areas such as malware, data loss and so on. Simply put, insurers aim to keep their exposure to a minimum, and why wouldn't they?
The consequence for business is that cyber-insurance is not fantastically effective at this point. As the Ponemon 2015 Cost of Data Breach Study: Global Analysis report illustrates, insurance can reduce the overall cost of a breach – but not by a significant amount.
Taking the report's average cost of a breach of $154 per compromised record, a combination of measures has the potential to reduce that cost by roughly a third ($55), and only $4.40 of that reduction is attributed to insurance protection. While this is still worth having, it does feel like little more than a sticking plaster.
By contrast, having an incident response capability ready before the breach, extensive use of encryption, and employee training together account for more than $32 of reduction per record, which underlines the importance of getting these in place.
So I certainly wouldn't rule out the use of cyber-insurance. First and foremost, however, it is up to you to be honest with yourself about your own capabilities and to put appropriate internal measures in place: quite clearly, if you don't, no external organization is going to take on your cyber risks on your behalf.