Robert Nobilo from Virsec explains why cyber insurance is not enough to prepare organisations for malicious attacks.
The surge in ransomware attacks over the last few years has precipitated a rise in the cyber insurance industry. Organisations hope that by taking out an insurance policy, they will be covered for the consequences of a cyber attack should one occur.
It must be noted that while insurance might provide some financial support in the event of an attack, it should never be considered an alternative to having robust security technologies and practices in place, which improve organisations' ability to respond to a breach and minimise its impact.
Demand for cyber insurance is massive and growing rapidly. According to GlobalData, the market grew 33.5 per cent in 2020 as businesses around the world realised the increased threat posed by COVID-19 and staff working from home. In July 2021, GlobalData projected the industry will continue to grow by over 22 per cent per year until 2025, when it will be worth $20.6 billion.
Insurance growing faster than security
This rate of growth is much higher than that predicted for the cyber security market: a 10.9 per cent annual growth rate from 2021 to 2028. This raises the question of whether organisations have the right balance between security and insurance.
An imbalance in favour of insurance could indicate that organisations expect to be hacked, due to a lack of confidence in their security technology and practices.
Unless organisations have taken the time to develop comprehensive resilience and contingency policies, they might not be able to quantify the cost to their business of a cyber incident. So, even if they do take out cyber insurance, they might not have adequate cover when an attack happens.
When organisations decide to take out insurance, they often have one kind of cyber incident firmly in mind: the loss of personal information. Security legislation around the world results in hefty fines and penalties for any organisations found responsible for the loss of personal data.
Data loss penalties only getting bigger
The Notifiable Data Breach (NDB) scheme, which came into effect in February 2018, amended the Privacy Act to require any organisation that lost personal information to notify the Office of the Australian Information Commissioner (OAIC), and it imposed penalties too.
Those penalties are about to become much stiffer. Legislation now before the Australian Parliament would increase the maximum penalty for the loss of personal information from $2.2 million to $10 million or 10 per cent of the organisation's domestic annual turnover, whichever is greater.
The legislation would bring the Privacy Act more in line with the EU’s General Data Protection Regulation’s (GDPR) maximum penalty: either €20 million or 4 per cent of global turnover, whichever is greater.
In its most recent report on the NDB scheme, the OAIC said it had received 446 data breach notifications between January and June 2021, 43 per cent of them resulting from cyber security incidents. Data breaches arising from ransomware incidents increased by 24 per cent; however, the report gave no information on penalties imposed.
The EU is much more open about penalties under GDPR. In 2021, these exceeded €1.1 billion. Topping the list in 2021 was Amazon with a €746 million penalty (more than half the €1.31 billion total penalties handed out since the scheme came into effect). Amazon was followed by WhatsApp with a €225 million penalty in 2021.
Insurance costs are increasing
Insurers need to make a profit, so as the cost of cyber incidents increases so too will premiums.
There are many reports of insurers who significantly reduced the amount of cyber cover they provided after remote working was introduced. As a result of surging ransomware attacks and costly payouts, many insurers no longer offer coverage for ransomware attacks at all.
Global insurance provider Lloyd's of London, which has around a fifth of the global cyber market, went so far as to discourage its 100-odd syndicate members from taking on new cyber business in 2022, in an effort to disengage from the market as losses mount.
Policy conditions will also tighten. In 2017, global pharmaceutical company Merck was seriously affected by the infamous NotPetya ransomware. It claimed US$1.4 billion from its insurer, Zurich.
Zurich rejected the claim on the grounds that NotPetya had been attributed to Russia’s military intelligence agency, and was therefore an act of war, which was excluded from the policy.
While a court in New Jersey ruled in favour of Merck this time, with the judge saying the term ‘act of war’ applied to armed conflict, that may not always be the case. Many insurers are already amending their policies to exclude attacks from "nation-state" hackers, which a large portion of ransomware groups could easily be classified under.
Strong security practices before premiums
Insurance should never be a substitute for good security practices. In fact, demonstrating comprehensive security is increasingly becoming a prerequisite for securing coverage at a reasonable premium.
An adequate, comprehensive security program requires more than technology alone. It also requires people and processes to work together, and it must be tightly integrated with the priorities of the business: the assets and information most critical to business operations must be identified and adequately protected, and, should a successful cyber attack occur, robust policies and procedures must be in place to minimise the level of disruption caused.
Such business resilience planning should involve every part of an organisation, not just the security department.
While there are good reasons to take out cyber insurance, it should never be seen as a replacement for robust security. No one seeking to protect the valuable contents of their home would rely solely on insurance.
Depending on their assessment of the value of their property, and the risk of theft, they would have robust locks on doors and windows, an alarm system and possibly a back-to-base reporting system.
The exact parallel applies to cyber security and cyber insurance in a business context.
Robert Nobilo is ANZ regional director at Virsec.