ICT insight with Institute of ICT Professionals: Understanding cyber insurance

0

What is Cyber Insurance?

Cyber insurance (Cyb-Ins), which is also known as cybersecurity insurance or cyber-liability insurance, is a type of non-life insurance that protects organisations from the loss (mostly financial) incurred from cyberattacks and/or data breaches. It is a risk treatment option organisations adopt to protect themselves in the event of information security or cybersecurity incidents. Such security incidents may include business email compromise, denial of service, ransomware, data-loss, theft of money, fraud, etc. Just like any other insurance product, Cyb-Ins may cover first-party and/or third-party liabilities. According to ‘MarketsandMarkets’, the global Cyb-Ins market is expected to grow from approximately US$12billion this year to US$29billion in the next 5 years.

Key Stakeholders in Cyb-Ins



The cyber insurance industry is made up of several stakeholders. Key among them are the following:

Regulator: This is the state authority that monitors and supervises operations of the Cyb-Ins companies in a particular jurisdiction. The regulator in the case of Ghana is the National Insurance Commission (NIC).

Insurer: The insurance company that offers the Cyb-Ins policy to organisations. Some of the major global Cyb-Ins companies include Allianz, American International Group (AIG), Aon, AXIS Capital, Beazley, Chubb, Fairfax Financial, Liberty Mutual, Lloyd’s of London, and Travellers. Enterprise Insurance can be cited for Ghana.

Insured: This is the organisation that subscribes to the Cyb-Ins policy from the insurer. In Cyb-Ins, this primarily refers to organisations and not persons.

Agent & Broker: Serves as intermediaries between the insurer and the insured. The agent works for the insurer, while the broker works for the insured.

Technology Provider: Assists the insurer in building the Cyb-Ins product, provides technical advice to the insurer, and performs due diligence and assessments on behalf of the insurer. These are mainly cybersecurity companies.

Which organisations need Cyb-Ins?

Any organisation may decide to subscribe to a Cyb-Ins policy. However, it becomes more needful or an onus for organisations in the following scenarios:

  1. Organisations that have been designated as critical information infrastructure by the state
  2. Organisations that collect or process sensitive, personally identifiable information; such as payment card data, financial records, medical records, national ID numbers and biometric data
  3. Organisations that are required by regulations to have Cyb-Ins in place
  4. Organisations that are required by agreements with their customers or partners to have Cyb-Ins in place

What costs may be covered or not covered under Cyb-Ins?

Depending on the type of Cyb-Ins policy (i.e. first-party or third-party), Cyb-Ins can take care of the following associated with cybersecurity incidents: investigation costs, regulatory fines, legal fees, judicial fines, business interruption, payment of ransom, theft of money, notification costs, credit monitoring costs, mitigation costs, repair costs, and public relations costs.

Cyb-Ins may not take care of the following associated with cybersecurity incidents: reputation, decline in share price, decline in revenue, prior cyber security incidents, an incident with employee involvement, general system failure, and cost of improving cybersecurity.

It is extremely important for organisations to obtain clarity from their insurers on what their Cyb-Ins policies cover and do not cover. They also need to clearly read and understand the terms and definitions used in the agreement. Engaging a lawyer in this process is very prudent and cost-saving.

How much does Cyb-Ins cost?

The cost of Cyb-Ins (premium) cannot be explicitly stated, as it depends on several factors. The premium (amount to pay the insurer) may depend on the following: type of industry, size of business, annual organisational revenue, history of security incidents, and results of Cyb-Ins risk assessments.

According to AdvisorSmith (2021), the average cost of Cyb-Ins in the USA is US$1,485 per year, with premiums ranging from US$650 to US$2,357 for companies with moderate risks and annual revenue of US$1million.

Requirements for Cyb-Ins

Most Cyb-Ins companies have requirements that their prospective clients have to meet before their application can be accepted. These requirements, once met, help the prospective client (insured) to pay a low premium. The absence of such requirements may result in the insurer declining the application, or demanding payment of a high insurance premium.

Prospective clients may be expected to have the following controls in place: multi-factor authentication; regular staff training, and awareness; effective management of third-parties; encryption of data; testing incident response plans; conducting regular vulnerability assessment and penetration testing; deployment of endpoint detection and response solutions; secure remote access to company systems; regular testing of backups; management of privileged access; patch-management and management of end of life systems.

It must be noted that these requirements may differ from one insurer to another.

Benefits of Cyb-Ins

The benefits of Cyb-Ins include the following:

Saves cost: It helps save organisations huge sums of money in the long-term. Considering the huge cost and fines associated with cyberattacks and data breaches, Cyb-Ins will help cater to such costs.

Ensures faster recovery: It helps organisations to quickly recover from cybersecurity incidents. With the needed support (expertise, logistics or financial) provided by insurers, organisations can quickly resume their operations within a tolerable period.

Provides competitive advantage: Having a Cyb-Ins policy provides an organisation with a competitive advantage. Prospective clients and partners may prefer to do business with such an organisation rather than one without a Cyb-Ins policy.

Helps meet requirements: It helps organisations to meet their regulatory and contractual obligations in instances where it is required by a regulator or agreement to have a Cyb-Ins policy in place.

Helps prevent cyberattacks: Some insurers are keen on helping their clients in preventing cyberattacks through pre-breach services. Such services may include provision of the following: training and awareness; cyber security products and services at discounted prices; cybersecurity intelligence; advisory and cyber experts.

Challenges of Cyb-Ins

Despite the benefits, Cyb-Ins also has some challenges. The following are some of them:

Expensive: Due to the rampant and ubiquitous nature of cyberattacks, the premium for Cyb-Ins has become very prohibitive for some organisations.

Provides a false sense of security: The insured may have a false sense of security. Cyb-Ins is not a silver-bullet to prevent and recover from cyberattacks. The insured ought to know that they may not even get any form of support when an incident occurs. It is an onus on the insured to be proactive and not rely solely on the insurance.

Coverage limitation: No single Cyb-Ins policy would be able to cover all cybersecurity incidents or breaches. All Cyb-Ins policies have limitations in terms of coverage and payouts. Hence, an insured may have to take care of some aspects of an incident when they fall outside the agreement’s scope.

Embolden cyber-criminals: With insurers paying the ransom on behalf of the insured, this can increase the spate of ransomware attacks. Since the ransomware attackers know they will get paid their ransom, they will always be encouraged to ply their trade.

Intricate coverage terms: Some Cyb-Ins agreements are very complicated and do not allow easy understanding. Some need cybersecurity experts and lawyers to provide an interpretation. It may result in dire consequences if the agreement is not gotten right from the beginning.

May not get payout: Due to the preceding point and among other things, the insured may not get a payout (what the Insurer needs to pay in case of an incident) when an incident occurs. There have been instances when the insured have dragged insurers to court to demand payouts. Examples of such cases include SS&C Technologies vs AIG, Mondelez vs Zurich, and SJ Computers vs Travelers.

Conclusion

Deciding whether to subscribe to a Cyb-Ins policy depends on several factors, which have been discussed in this article. It is left to the organisation to weigh the pros and cons and make that determination. It is extremely important to engage the services of information security or cybersecurity professionals and lawyers in the process of subscribing to a Cyb-Ins policy. Getting it wrong from the start may cause your organisation a huge loss in the future.

 SHERRIF is an Information Security Governance, Risk and Compliance Professional | Director of Communications, IIPGHFor comments, contact author [email protected] | +233243835912

Leave a Reply