Cyber Insurance - a way for risk mitigation

The recent spike in occurrence of cybercrime across the globe has made it obvious that it is no more a question of “whether” but a question of “when”. The average cost to the organization of these breaches is estimated to be close to 5 million USD. Multiple analyst reports place the average cost per breached record between USD 78 and USD 277. This cost is attributed to investigation and remediation activities, notifications to be sent to customers and other stakeholders, change in credit worthiness, reputation management, legal fees and settlements and any regulatory fines arising from the breach. Add to this the intangible loss to the brand value and the change in customer behavior in response to the breaches.

Organizations no more have the luxury of imagining that they will not be targeted by malicious hackers. Remember that the hacks need not just target the data an organization holds - the compromised systems can also be used to launch an attack on third parties it interacts with. In such a scenario, the organization may be held liable for the damage caused to the third parties. While a commitment to security is must, it is impossible to make any system 100% foolproof. As such, it has become inevitable for organizations across industries and sizes to develop a good cyber risk management approach.

A sound cyber risk management plan will include increased cyber resilience through response and recovery, contingency planning, and as a last resort mitigation and transfer of financial risk through cyber insurance. The cyber insurance market is still nascent, and even in the markets where take-up for commercial property and liability insurance approaches 100%, cyber insurance is purchased by anywhere between 20% to 35% of businesses based on the industry and size of the organization. The variation based on size and line of business indicates that the low adoption rate is because of a lack of awareness in the market.

An analysis of cyber-attacks over the last 3 years makes it clear that an organization’s defense is only as strong as the weakest vendor they interact with. Hackers have launched attacks on Fortune 500 companies using credentials they got off vendors like air conditioning and food delivery companies. The substantial difference in procedures and protocols followed at large and small organizations forces the larger player to fall back on cyber insurance as a way to transfer the risk arising from the weak links they have little control over. It is no surprise that while the take-up rates have increased in both small and large organizations, the gap between the two segments has actually increased over the last 3 years.

The very act of applying for a cyber-insurance incentives behavioral change in an organization. Simple desire to get the coverage at as low a premium as possible drives the organization to conduct gap analysis. The very first ask from underwriters is that all significant activities are logged against individual users and therefore login to the system are secure. Additionally, they require organizations to have disciplined procedures for patching software and put in place an incident response plan. They would also want to know if vendor networks are monitored regularly. Organizations would want to measure upto industry benchmarks like NIST framework and ISO 27001 as that would result in lower cost of insurance.

Further, once a policy is purchased, the insurer is invested in keeping the damage from any cyber-attacks at the minimum. This results in an additional layer of security through monitoring and rapid response services provided by the insurer to their policyholders.

While correlated risks arising from software vulnerabilities (like the “Heart bleed” discovered in 2014) and scalability of sophisticated attacks used by hackers makes risk assessment especially difficult, insurers have developed complex statistical models to facilitate evaluation of potential consequences arising from different damage scenarios. This allows the insured to work out the best contingency plans and ensure that the critical services are up & running at the earliest possible in case of a breach, keeping the consumer backlash at minimum possible.

While cyber insurance cannot protect an organization against reputation risk or replace strong security controls and information security programs, it does act as a last line of defense and mitigates most of the financial risks arising from a breach. Further, it also incentivizes cyber security discipline across the organization.

Sanjeev Srinivasan
CEO & MD, Bharti AXA General Insurance