CYBER-INSURANCE?

With a successful cyber-attack becoming ever more likely (firewalls bounce back thousands of attempts a day, even for a small company), cyber-insurance may become a basic cost of doing business. Awareness is growing because some well-known companies have admitted that they have been attacked, although the great majority of victims do not report an attack because they want to avoid reputational damage and do not want to encourage further attacks. Even so, only 20% are protected by cyber-insurance. This is going to change, with industry pundits predicting that it will become a ‘must have’ for businesses.

Insurance is not a defence against cyber-attacks and there is a danger that it may encourage complacency; however, IT service companies and cloud providers are tipped to start providing cyber-insurance as a standard part of their offering. Even so, reputational damage is hard to quantify yet might have a far greater impact on an organization than any monetary loss. As it cannot be quantified, it may not be covered in a policy.

A UK government survey in 2015 reported that attackers had breached 90% of large corporations and 74% of SMEs at an estimated cost of £1.5m to £3m for the larger targets and £75k to £300k for SMEs. To cope with the aftermath of these breaches, a single-policy cyber-insurance market now offers both first-party and third-party protection. The challenge to insurers is to come up with a policy that provides adequate cover at an affordable price, which is not easy when it is impossible to predict third-party consequential loss.

If you have home insurance but leave your front door open when you go out for the night, your insurer is likely to decline to pay out on the policy when you are burgled. Similarly, insurers expect businesses to take adequate measures to protect themselves against cyber-crime (making all staff cyber-aware, alerting them to scams, implementing basic security practices, providing adequate firewalls, warning about the use of public WiFi and so on). Increasingly, businesses will need cyber-insurance to reassure their customers, and it may become a requirement of doing business with public bodies.

There is scope here for consultants to go into businesses and audit their cyber-awareness and the adequacy of their protection, with the incentive of lower rates if audited satisfactorily. Insurers and their brokers may offer this service themselves to get the right cover for their clients at the best price.

Business resilience projects have taken on a new dimension.
