Claire Pales and Anna Leibel from The Secure Board advisory service explain why organisations should look beyond just attaining cyber security insurance to minimise risks.
Risk mitigation is one of the key activities undertaken by company directors and boards. And while insurance is a useful tool for minimising the impact of an event, it does not change its likelihood. Just as car insurance doesn’t reduce the likelihood of an accident, cyber security insurance is not a get-out-of-jail card for Australian businesses and their boards.
Cyber security insurance can provide peace of mind to boards and organisations that there is some financial support to reduce the impact of a cyber attack. It may help with recouping the costs of recovery or direct financial losses suffered as the result of an attack. But insurers won’t just pay out for any attack.
Dealing with impact
From a risk perspective, the threat of cyber attacks is significant and the impact can be devastating. But insurance doesn’t prevent those incidents from occurring. Even with insurance in place, boards are not relieved of their responsibility to ensure their organisations have protective controls in place.
Insurers can deny claims if companies do not take reasonable precautions to prevent an attack. It is imperative that all Australian board members, regardless of their technical level of expertise, understand the risks and put in place complete mitigation strategies. Insurance forms part of an overall cyber resilience strategy.
A new type of insurance
It is important to understand that cyber security insurance is very different to other insurance products. If we compare it to car insurance, there is a rich history of actuarial data that can profile risk quite precisely. Car insurers can look at many decades of data about driver age and experience, types of vehicles, locations and many other factors to calculate a premium. But cyber security is a far newer insurance sector. And it has to deal with attackers who constantly change and adapt to the defences put in place to thwart them.
Businesses with deep financial and technical resources such as Channel 9, Toll Group, BlueScope Steel and the Australian Wool Exchange have been hit by significant cyber attacks such as ransomware. In fact, credit ratings agency AM Best found that ransomware now accounts for 75 per cent of all cyber insurance claims, a 20 per cent increase over the last five years.
What does cyber security insurance provide?
Although cyber security insurance is still a nascent field, it is bringing significant value to organisations. The work done by insurance companies is helping to improve and redefine security standards. And while the return on investment for some cyber security initiatives in businesses can be difficult to quantify, uplifting security measures and lowering risk can result in better insurance coverage at lower rates.
With well-regarded insurance agencies now offering cyber security insurance, there is an opportunity for executives to become increasingly aware of the scope of cyber risks and the severity of their consequences. Just as car insurance puts the risk of car accidents into focus, cyber security insurance can pave the way for much-needed security initiatives.
Deciding on cyber security insurance
For many enterprises, only the CFO or senior finance and cyber risk professionals have the expertise to properly assess the value of cyber insurance investments, the total cost of an event and, therefore, the potential return on investment of the insurance policy. It is imperative that the board does not make assumptions about what the policy covers.
Boards need to understand why they are taking out a cyber security insurance policy and what the policy covers and does not cover. For example, it may cover losses related to a ransomware attack but not the paying of ransoms. Or the cost of recovery from an incident may be covered but not losses suffered from a business email compromise attack.
Cyber security insurance must be considered just as any other insurance product. It is not a ‘checklist item’ for cyber security compliance, and it doesn’t mean organisations can stop developing policies and investing in security; in fact, the opposite is true. Cyber security insurance does not prevent attacks. It is a tool that can reduce the financial impact of an attack.
Cyber risk must be managed within the context of a reasonable risk appetite. This appetite must be endorsed by directors who are well informed of threats and the risk context within which the organisation operates. Cyber security insurance is part of a well-considered risk mitigation plan that includes ongoing security education for everyone in the organisation and the right tools for security teams to reduce the likelihood and impact of an attack. It is not a silver bullet.
Claire Pales and Anna Leibel are co-authors of The Secure Board Book and directors of The Secure Board advisory service.