White Paper: ATCH
Cyber Insurance: To buy or not to buy
If you have been following the industry news on cyber security, you will have noticed that cyber insurance has featured in many forums and discussions. In fact, cyber insurance is getting a lot of attention, and what's even more intriguing is that it is most often cyber security professionals at the forefront who promote the product. The insurer plays a major role in policy issuance; however, the product is technical, hence the campaign is led by cyber security specialists. One other milestone achieved is that we have moved from “What is cyber insurance?” to “Do I need to buy cyber insurance?”
Cyber insurance doesn’t replace the cyber security measures that a business undertakes to protect its information assets. As a business you still need to implement preventive controls (e.g. anti-malware solutions, policies, awareness programs, etc.) as well as defensive controls such as firewalls and intrusion detection and prevention systems. These cyber security measures reduce the risk, and the residual risk is then transferred through an insurance cover.
- Cyber insurance is a risk transfer mechanism that provides financial protection to get back on your feet after a cyber attack.
- Cyber insurance will not stop cyber attacks, but it will save you from financial loss during and after the attack.
Why do you need to buy a cyber insurance cover?
It’s not a matter of ‘if’ but ‘when’.
Despite the best efforts by a business to mitigate cyber risks, there is always a chance that something could go wrong. No solution can guarantee 100% protection, which isn’t a failure of the solutions available but rather the nature of the cyber threat landscape. Cyber threats are global and more dynamic than ever; think of the losses experienced in 2017 from ransomware. Looking back to 2015, ransomware already existed but wasn’t a major threat to organizations. As a business you can’t really predict when you will be hit or the financial loss you might incur, hence the need to prepare for the inevitable. Recovery from a cyber attack can be costly, especially where other stakeholders are impacted by the breach, not to mention the lawsuits that may follow.
Regulatory compliance: GDPR, IATA PCI DSS, Central Bank of Kenya Cyber Risk Guidelines, etc.
Regulators and government agencies appreciate that cyber risks are an impediment to economic stability and growth, and are putting in place strict compliance requirements for businesses. A successful cyber attack on a business doesn’t just cause financial loss; the ripple effect extends to other aspects of the business, the industry and the economy at large. In 2018 (‘The year of Regulations’) a number of regulations take effect: GDPR, IATA PCI DSS compliance, the Computer and Cyber Crime Law (Kenya), among others. These regulations place high expectations on businesses’ cyber risk management, and some of them come with hefty penalties for those who fail to comply. This means that businesses will have to spend more on cyber security, and despite this investment there is still no guarantee that they will not become the victim of a cyber attack. There are cyber insurance covers that cater for regulatory response, providing compliance support as well as cover for costs such as fines and penalties that arise from the regulations. The Central Bank of Kenya’s Guidance Note on Cyber Security proposes that financial institutions should consider taking up cyber insurance, which is a clear indicator that the regulator appreciates the value of cyber insurance.
Cyber governance as part of cyber risk management
Cyber risk is now recognized as a business risk and incorporated into the enterprise risk management strategy. Discussions on cyber risk now feature in board meetings too, given the awareness of the impact of cyber threats on business. Business stakeholders (shareholders, customers, government, etc.) also expect the board to exercise due diligence, in addition to the high expectations placed on the board to address cyber risks. When a security incident occurs, the board and C-level executives must be ready with a business continuity plan to minimize the company’s liability and exposure whilst protecting the company’s reputation. A cyber insurance cover will play a significant role in protecting the company’s bottom line, since the insurer takes up the costs associated with the incident. Stakeholders will also appreciate that the board took a decision to purchase a policy at an acceptable premium and benefited more from the limits of the cover.
Business Valuation (Competitive Advantage)
Cyber risk management has become an integral part of business management. From partners to customers and other third parties, there is a higher expectation that you have your ‘house in order’ before engaging. Everyone is trying to minimize their exposure, and if a business has a cyber insurance cover, its rating improves. Local telcos now require business entities to have cyber insurance cover should they need to be integrated into the telco’s infrastructure. The telcos have realized that third parties who integrate with their infrastructure could lead to data breaches amounting to huge losses. Therefore, to protect themselves from that exposure, they require all third parties to have an insurance cover to cater for such eventualities. A business that already has a cyber insurance cover will find it easier to engage and conduct business with such telcos. This is a trend that will be picked up in other sectors, especially in financial services, where SMEs integrate with banks on their mobile and online services.
Back to the question: should a business purchase cyber insurance cover?
Yes, and this paper gives many reasons why this is becoming more and more important. It’s prudent to have a cover rather than to wait for a cyber attack that can lead to a negative financial standing. Remember, just as a fire policy doesn’t stop fires, you will still be protected from financial loss should a fire burn down your premises! The same applies to cyber insurance: the cover won’t stop cyber attacks, but it will protect your business from financial loss during and after the incident.