06 November 2017 by Christian Morin
With hackers now a permanent threat on the horizon, cyber insurance can mitigate the risk
‘Controlled risk-taking lies at the heart of all commercial activity,’ former Anglo American chairman John Parker once said. ‘The board has the potential to be both a source of risk to the organisation as well as an effective means of risk mitigation.’
As the custodians of the organisation, charged with making decisions that impact the livelihood of everybody who works for them, members of the boardroom would do well to reflect on this.
One of the most important duties of the board – and of the governance professionals who advise them – is to manage risk, taking the necessary measures to reduce, mitigate or transfer it as appropriate.
This is only possible if those at the top put themselves in a position whereby emerging threats are both known and understood.
Recently the most significant dangers that have come to light and threatened to destroy a company overnight have emerged within the cyber-security sphere. This has fuelled the growing interest and appetite for cyber-liability insurance.
Insurance has long existed as a mechanism for the transferral of risk to a third party, particularly for those risks that fall outside of the organisation’s direct control. However, as the threats we face evolve so must the insurance products that we purchase.
Name an electronic device and you can almost guarantee somebody will have brought a ‘connected’ version of it to market.
From video surveillance cameras to dishwashers, heating systems to intercoms, the ‘Internet of Things’ market has exploded, and computers and mobile phones are not now the only devices connecting to the corporate network.
The added convenience and enhanced functionality of these technologies can be game-changing. However, not all the device manufacturers participating in the ‘gold rush’ to get their device to market take an equal approach to cyber security.
With little oversight or regulation over how a device must be secured and maintained throughout its lifecycle, it is down to the purchaser to do their own due diligence and to ensure they only work with reputable vendors and installers.
The dangers for boards that fail to sanction sufficient budget towards this, or delegate such matters solely to IT, have been there for some time. However, over the past couple of years, one security incident after another has sounded alarms that should not be ignored.
In October 2016, the Mirai botnet – made up of millions of poorly-secured cameras and home routers – was able to take several high profile websites offline, such as Twitter, Netflix and Airbnb.
This is notable as it shows it is not just the owners of poorly-secured devices that are harmed. Others pay for individuals’ poor security purchasing and maintenance behaviours.
More recently we have seen massive malware attacks, such as WannaCry and NotPetya, wreak havoc worldwide. Such malware does not discriminate regarding the size of its victim’s activities. All sorts – Deutsche Bahn, large parts of the NHS, small and medium businesses, and end users – were affected by the attacks.
Within the EU, the General Data Protection Regulation (GDPR) comes into effect from 25 May 2018, requiring all organisations to follow specific governance and accountability standards in the processing and protection of data.
Failure to comply can result in fines of up to €20 million or 4% of global turnover, whichever is higher – so it has captured the attention of the boardroom.
Elsewhere, including North America, the regulations are generally laxer. However, that does not mean organisations based there are not exposed to such hefty fines. If they hold data on any EU citizen then they are subject to GDPR, no matter where they are based.
Equally, even in territories where governments show an unwillingness to legislate, attitudes to data security are changing. A demonstrable commitment to data security is increasingly asked for within tender documents, meaning it makes good business sense for an organisation to publicise their credentials.
In the simplest terms, cyber-liability insurance is a means of weeding out inadequate software providers and of holding people accountable for doing their job properly.
Just like with any other insurance policy there are certain conditions which must be met before a policy is issued. This helps to set a minimum bar for the cyber security of an organisation and its suppliers.
It gives peace of mind that should you be struck by a cyber incident you will be able to access some funds to manage the response and get back up and running.
Just as important, if you choose to only work with partners and suppliers that have cyber-liability insurance, it gives you confidence that should their incompetence cause harm to your business then you will be able to file a claim and get compensation.
You can also try to sue those without it if you can demonstrate they were the cause of the loss. However, it will not do much good if they do not have the resources to cover the liabilities.
The cyber-liability insurance market is still in its infancy, with many insurers having only recently started selling policies at any real volume. Right now, the written premium for policies around the world is estimated at $2.5 billion.
Yet Allianz estimates published in the Financial Times suggest the figure could grow to $20 billion by 2025. Cyber risks are significant, so your premium will be high too. However, that does not mean it will not deliver good value.
What cyber-liability insurance is not, is a get-out-of-jail-free card that relieves the board from ensuring and maintaining good overall security.
It does not take away the need to conduct the appropriate due diligence when vetting a new supplier, and it does not make it less important to ensure security patches are routinely being applied. It also does not lessen the need for all staff to be educated on appropriate security measures.
As stated above, it will enable you to access some funds in the aftermath of an incident. However, it will not compensate you for the longer effects, such as reputational damage, reduced employee morale and being excluded from future tenders.
Security is a collective responsibility, which filters through all aspects of people, process and technology. Therefore, only the board has access to all of the necessary levers to manage this effectively.
Much of this risk can be mitigated or eliminated by taking the necessary actions to ensure a strong security posture. However, for everything outside of the organisation’s direct control, cyber-liability insurance exists as a means of transferring some of that risk to a third party.
Going back to Parker’s words, a board can be ‘both a source of risk to the organisation as well as an effective means of risk mitigation’. Which you will be depends on your understanding of the risks, willingness to accept responsibility and determination to invest accordingly.