Kaspersky Lab recently hosted a round table in London on the current state of the cyber insurance industry.
The first-of-its-kind event was arranged to debate what the insurance sector is currently doing to tackle the increasing threat to UK businesses of cyber risk and how this is set to develop over the next few years.
The round table included luminaries from the Chartered Insurance Institute, respected heavyweights from the insurance industry, brokers, professors of law, and key thought leaders from the information security community.
The common cold
The nature of cyber threats is evolving rapidly, and in some ways they are a close analogue of the common cold: they change quickly and are difficult to protect against. The types of attack are varied. They could target a business’ intellectual property or customer data, or be aimed at causing maximum disruption, such as a distributed denial of service (DDoS) attack. The good news is that awareness of the threats is evolving too, and businesses finally understand the consequences of suffering a data breach.
Delegates agreed that modern cyber threats present three unique challenges. First, they are intangible, so understanding the nature of the risk exposure is a real challenge for insurers; this is compounded by a lack of trusted insight into the frequency and severity of attacks. Second, cyber threats are systemic: a single attack can have many consequences, and threats can quickly propagate throughout networks, even across geographical borders. Third, cyber threats are still generally human driven, whereby those planning an attack will study the defences in front of them and try to circumvent them – so it is always a battle to stay one step ahead of the threat.
Another big problem for the industry is how to value any potential payout. It is no longer a physical entity – such as offices or stock – that is being insured, but the data itself, so the nature of the potential loss is difficult to pinpoint.
A question of time
The nature of how insurance policies should be sold was also a point of concern for attendees. As cyber insurance policies have become more popular, brokers are finding it increasingly difficult to find the time to actually visit a customer’s site to provide a proper risk assessment.
Much has to be done via a checklist and taken as read by the insurers, but mistakes or misunderstandings can happen. Whilst a site visit would always be preferable, it is only really practical with the biggest clients. Yet this is an issue that needs to be solved, as most of the interest in cyber insurance comes from medium-sized businesses.
Back to school
A topic of intense debate was around where the onus of education falls. Some felt that the insurers should be educating businesses, whilst others felt that it was the businesses themselves that need to drive the insurance industry to provide such cyber policies.
Those around the table felt that the industry needs to improve how it shares data and called for the government to enforce this (albeit on an anonymised basis). They were looking for leadership from the government, a legislative force, and access to detailed data and research so that premiums can be better set.
The insurance industry is already talking to government about how the industry can drive resilience against cyber attacks. One suggestion put forward was to target big multinational companies with a substantial supply chain (such as the large supermarkets), so that their adoption of cyber insurance policies would filter down through the supply chain to their various suppliers and partners.
Putting a price on failure
The panel agreed that the insurance industry needs to collectively set premiums that truly reflect the risk. But how do you put a price on a breach? Unfortunately, there is no quick fix. The challenge is to achieve an objective measurement of the true costs incurred following a breach. This is where working with the infosec industry can give insurers a better understanding, so that they can more accurately calculate a risk profile and estimate the potential impact cost of different events.
This education would benefit not only the insurance industry but the companies themselves, as businesses would be given an incentive to mitigate the risk. For example, a specific regulatory regime might force certain types of businesses to purchase cyber insurance.
Perception v reality
Recent worrying research was highlighted during the round table that showed the disparity between CEOs’ perception of their cover and the reality. Of the CEOs in large organisations surveyed, over half (52 per cent) thought they had suitable insurance to be covered in the event of a breach, whilst risk professionals said only 15 per cent were in reality, and insurers themselves estimated the number with applicable cover to be only 2 per cent.
Looking to the future
Uncertainty and ambiguity are the biggest issues with any type of insurance policy. Those on the panel felt that the industry needs to appreciate that businesses want one single integrated insurance policy that covers everything needed to protect the business, and that cyber insurance is a component of that. If policies are split by occurrence, or worse by provider, then you reach a stage where each insurer is pointing the finger at the other, or worse still, the business’s cover could simply fall through the cracks between the policies.
There is no doubt as to the severity of business interruption caused by a cyber attack, and the ever-expanding digital world and the internet of things (IoT) mean that the risk of exposure is growing exponentially. The insurance industry needs to act now to be able to cope with this coming wave.
Kirill Slavin, General Manager of UK and Ireland at Kaspersky Lab