The case for “Cyber Insurance”
Cyber Insurance – To have it or not to have it?
- Many, but not all, rental companies report that they currently hold cyber insurance.
- It is often perceived as increasingly expensive: premiums rise with the growing threat, while the scope and level of cover shrink.
- Those who don’t have it don’t necessarily see the need for it, and do not intend to adopt it in the foreseeable future.
- Most of those who do have it treat it as part of the standard scope of company or group insurance, rather than as something they seek out as part of their security strategy.
- In some, but not all, markets, corporate customers are requiring rental companies to provide evidence of cyber insurance in addition to public liability or similar cover.
- Members that form part of a larger group felt that cyber insurance is a “group level” matter, which gives them better support than a standalone company would have.
- Applying for insurance is onerous: most members report that insurers require an end-to-end risk assessment and maturity analysis before quoting. These questionnaires can run to 200 or more items and are usually non-standard, i.e. custom-built assessment forms that differ by insurer.
“The average duration of damage being wreaked by a serious and successful attack is 267 days… but you may not even know you have it until well into that period.”
WE FACE THE CHALLENGES OF AN INSURANCE INDUSTRY IN TURMOIL, WHERE THE CYBER INSURANCE PRODUCT IS IN FLUX AND PERCEIVED AS AN INCREASING RISK TO THE INSURER, WITH A TREND OF EXPONENTIAL INCREASES IN PREMIUMS AND REDUCTIONS IN COVER SCOPE AND SUMS INSURED.
THE CYBER INSURERS’ PERSPECTIVE:
Smaller companies are often “cyber novices”, and THERE IS A BIG DIVIDE BETWEEN LARGE AND SMALL:
Average spending by firms with 250 to 999 people has doubled in the past year. For enterprise firms of 1,000-plus it is up 65%.
…At the other end of the scale it is a different story. Firms with between 10 and 49 employees have almost halved their cybersecurity budgets. Among those with under 10 employees, spending has collapsed – from an average of $150,000 to just $29,000.
CONTRACTED-OUT CYBER DEFENCE?
Some member SMEs acknowledged they have limited cyber knowledge and involvement.
This is a specialised area, so they “contract out” systems and support to IT service providers, particularly for cloud, network, VoIP and office systems, which is perceived to bring a more advanced level of cyber defence than they would achieve in-house. (Contracting out the work does not contract out the risk: the rental company remains accountable to its customers and its insurer for the outcome.)
- Ransomware rises: 19% of respondents reported a ransomware attack, up from 16%.
- More cyber policies: 64% of companies now have cyber insurance, either standalone or as part of another policy, up from 58% two years ago.
- Increased spending: respondents’ mean cybersecurity spending is up 60% in the past year to $5.3m, and has increased by 250% since 2019.
“We are not in favour of paying ransoms. If you pay, the criminals have you “dialled in” and are back again six months later for more. They are still in your network, just waiting to push the attack button again. If you think the insurance company will reimburse you if you pay the ransom … think again.”
INSURANCE INDUSTRY VIEW
There is a call to action for the “cyber novice”
The insurance industry confirms what we are seeing in our in-industry interviews and polls: cyber maturity and insurance uptake are typically lower amongst smaller companies, who are described as “cyber novices”.
Firms who have been attacked are twice as likely as others to seek cyber insurance
The Hiscox Cyber Readiness Report* provides a unique gauge of the state of commercial cybersecurity across eight markets: the UK, the US, Spain, the Netherlands, Germany, France, Belgium and Ireland.
ON THE OTHER HAND, THE INSURANCE INDUSTRY REPORTS THAT …
Gartner predicts that within three years, 80% of the magnitude of fines imposed by regulators after a cybersecurity breach will be attributable to failures to prove the duty of due care was met rather than the impact of the breach.
MATURITY IN CYBERSECURITY IS STILL LARGELY THE PRESERVE OF LARGER COMPANIES WITH THE ABILITY TO INVEST, BUT “SUNRISE” RENTAL COMPANIES AND THOSE DRIVING DIGITALISATION ARE EXCEPTIONS
Smaller rental companies clearly recognise the risks arising from cyber threats, and increasingly so over the last three years, but are only now getting ready to act.
KEY DRIVERS FOR THE CALL TO ACTION ARE GROWING:
- The increasing scope of telematics in equipment is rapidly creating new cyber risks, including the spectre of active hijack or sabotage of equipment with the potential for human injury.
- The changes in ways of working, and the continuation of remote working brought about by the Covid pandemic, mean that resilience and security practices must now extend to remote working.
- The perceived increase in cyber threats globally, some related to the Russian conflict in Ukraine. (The effects appear more pronounced in smaller rental companies, where cyber defence is often less prepared and less robust.)
- In the rental industry, as outside it, cyber maturity is a matter of size and scale: larger budgets allow sizeable investment in cyber defence.
- Newer “sunrise” rental companies, which show all the characteristics of being “digitally native”, consider their business models, systems and processes to have cyber defences built in.
“There is a drive in some of our markets (predominantly UK now but spreading) for (large) rental customers to require supply chain (often smaller) companies to declare formal cyber qualifications and evidence insurance cover. There is no point in our customers cyber proofing their own operations and allowing suppliers to be weak.”
THERE ARE EXCEPTIONS:
- Those who have suffered an attack are twice as likely to have taken measures and to have taken on cyber insurance.
- Those who take on shared cyber and IT services from a third-party expert provider consider it a form of insurance, which reduces their perceived exposure and risk.
To have it or not to have it?
- Where an organisation has extensive insurance cover as a core strategy across the business, it makes sense to include cyber insurance in scope.
- Where organisations already have high levels of cyber maturity, insurance is more affordable and more likely to pay out in the event of a claim.
- In some markets, “ticking the cyber insurance box” for customers is increasingly a business enabler.
- Where the cover includes “emergency assistance” with a pre-approved budget or similar fast-response features, insured companies feel the insurance can really add value.
- The cover offered is increasingly exclusions-driven.
- Pre-qualification and terms of cover are being tightened.
- Very few members had confidence that the insurance would be of use in the event of an attack or a subsequent claim.
- A number of instances were described in which, months or even a year or more after an event, a claim was still being investigated or challenged by the insurer, sometimes with legal advice required on both sides. In some cases claims were abandoned part way through because of the cost of pursuing them.
“Cyber insurance is expensive, because cyber attacks are expensive. It is one of those parts of a business that requires such a level of financial cover that being part of a group, or being acquired by a bigger group, may be the first time you get the peace of mind that you could afford a major attack and resume business successfully afterwards. What price is survival worth?
… Many of the rental companies who hold insurance report that the features of some policies, such as having a pre-approved budget for emergency or specialist third-party support to triage or defend against an attack, are very valuable.”
“We’re seeing that the proposed cost of insurance would now be more than our total security budget. That makes no sense.”
“Insurers only want to cover risks that are unlikely to happen, for example, this year our cover scope excluded Ransomware attack. The message from insurers is “No MFA (Multi Factor Authentication), no insurance”. There are clear red lines developing, one is MFA.”
“The more difficult part is that insurers seek to exclude human error, so if you confirm on the policy evaluation that your staff will always keep all your PCs updated without exception, then you will probably need to prove it in a claim. Few of us can demonstrate perfection.”
This guide defines a maturity pathway and aligns with the KPIs that insurers often ask applicants to report and evaluate.
CYBERSECURITY WITHIN EQUIPMENT RENTAL COMPANIES: “ENTERPRISE-WIDE” INTERVENTION
- Cybersecurity Plan and Investment
- Risk Assessment
- Industry Frameworks and Standards
- Continuous Improvement and Horizon Scanning
- Inventory Management
- Firewall Management
- Secure Configuration
- User Access Control
- Malware protection
- Security update management
- Distributed Networks
- Threat and Health Monitoring
- Enterprise-wide Awareness
- Training and Development
- Roles and Responsibilities
- Monitoring and Coaching
- Cybersecurity Personnel – Roles and Responsibilities
- Policies and Procedures
- Emergency Response
- Customer Management
- Supply Chain Management
CYBERSECURITY BENCHMARKS – COST BENCHMARKING – UNDERSTANDING COST OF COMPLIANCE/NON-COMPLIANCE
The guide considers key factors in “Investment and Maturity”:
- Good cybersecurity requires significant investment, renewed each year. A common benchmark for direct investment in cybersecurity across all industries is quoted as 4-6% of IT spend.
- The larger investment is in the indirect and intangible cost of “designing in”, managing and embedding security into everything the company does, which may ultimately exceed the direct cost.