A growing number of UK organisations are predicted to take out cyber insurance policies this year. So what's driving this uptake and are there any pitfalls IT leaders need to be aware of?
Bouloux says that companies would be more likely to try to raise cyber security awareness in the workplace and offer training to staff because it affects the pricing of the insurance policy.
"It affects the limit we're willing to be putting out to risk; we want to see an organisation that has got a healthy understanding and approach to the security threat by employing the right technology, risk management, disaster recovery and training in place. These are huge aspects of the underwriting process. They shouldn't look at it as an easy way out or they'll become uninsurable," he explains.
Organisations that are multinational, or that have customers and staff in other jurisdictions would see the cost of an insurance policy rising too, due to added complications, but Bouloux says that those that move data into the cloud wouldn't have to fork out more money.
"We've built that into our policy because we realise that outsourcing is the reality for organisations today. It's included in the liability piece and we cover the first-party associated costs with an optional extension, which we tend to sublet because we are underwriting the clients and not their outsourcing providers. As organisations tend to have many providers it becomes difficult to manage them all from an aggregation perspective," he says.
But much of the cost depends on who the outsourcing service provider (OSP) is and what service it is that they are providing for the organisation.
"If you get a big name such as Amazon or IBM that is one thing. But there are a lot of players entering the space, especially in Eastern Europe or India, who have unproven track records and there are concerns about organisations moving to those types of OSPs. So we're asking firms who their OSPs are and making sure we understand what the OSP provides," says Bouloux.
AIG has teamed up with law firms Cameron McKenna, Norton Rose, and consultancy KPMG to offer clients a "data breach response service" whereby it provides legal and forensic experts who can help to identify and fix security vulnerabilities, as well as deal with regulators and any affected data subjects.
In the event of a breach, AIG can also offer clients a "crisis consultant" to handle the PR and mitigate reputational damage. It then works with the outsourcing service provider to identify exactly what data is missing and come up with a plan going forwards.
So do the cloud providers themselves buy cyber insurance?
"They don't buy cyber insurance as much as they come to us to buy professional indemnity insurance. The reason mid-market SMEs are interested in cyber insurance is because they enter contracts with OSPs that have very limited liability, and then they don't have the ability to sue because the contract states they are entitled to a month's fee which could be £50, and the cost to the organisation is potentially £100,000," Bouloux explains.
Although insurance costs can vary quite significantly for different types of companies, Bouloux says the "run-of-the-mill risk model" is worth £100,000 in indemnification for an annual premium of £400. However, premiums can amount to hundreds of thousands of pounds, he adds.
But deciding to purchase such insurance is the easy part, according to Seth Berman, UK head of risk management and intelligence firm Stroz Friedberg.
"The cyber security insurance market is in its infancy. As a result, there is very little consistency with the market about what is covered and what is excluded, and very little knowledge among potential buyers about what kind of coverage they need," he says.
Berman advises organisations to undertake a thorough investigation of digital assets and vulnerabilities "in order to both minimise its risks and intelligently purchase insurance against those risks that cannot be eliminated".
And perhaps, if the cyber insurance market does grow in the UK and Europe following the new regulations, new types of policies may be created. For example, UK firms could take on a common element that Japenese organisations include in their cyber insurance policies.
"They have a notion of ‘apology money', so if someone's data goes missing, we would offer monetary compensation - almost like a coupon - to apologise for the loss of the data," says AIG's Bouloux.
@Sooraj_Shah
