Darting for cover: the pros and cons of cyber insurance

Sooraj Shah

A growing number of UK organisations are predicted to take out cyber insurance policies this year. So what's driving this uptake and are there any pitfalls IT leaders need to be aware of?

Bouloux says that companies would be more likely to try to raise cyber security awareness in the workplace and offer training to staff because it affects the pricing of the insurance policy.

"It affects the limit we're willing to be putting out to risk; we want to see an organisation that has got a healthy understanding and approach to the security threat by employing the right technology, risk management, disaster recovery and training in place. These are huge aspects of the underwriting process. They shouldn't look at it as an easy way out or they'll become uninsurable," he explains.

Organisations that are multinational, or that have customers and staff in other jurisdictions, would see the cost of an insurance policy rise too, due to added complications, but Bouloux says that those that move data into the cloud wouldn't have to fork out more money.

"We've built that into our policy because we realise that outsourcing is the reality for organisations today. It's included in the liability piece and we cover the first-party associated costs with an optional extension, which we tend to sublet because we are underwriting the clients and not their outsourcing providers. As organisations tend to have many providers it becomes difficult to manage them all from an aggregation perspective," he says.

But much of the cost depends on who the outsourcing service provider (OSP) is and what service it is that they are providing for the organisation.

"If you get a big name such as Amazon or IBM that is one thing. But there are a lot of players entering the space, especially in Eastern Europe or India, who have unproven track records and there are concerns about organisations moving to those types of OSPs. So we're asking firms who their OSPs are and making sure we understand what the OSP provides," says Bouloux.

AIG has teamed up with law firms Cameron McKenna, Norton Rose, and consultancy KPMG to offer clients a "data breach response service" whereby it provides legal and forensic experts who can help to identify and fix security vulnerabilities, as well as deal with regulators and any affected data subjects.

In the event of a breach, AIG can also offer clients a "crisis consultant" to handle the PR and mitigate reputational damage. It then works with the outsourcing service provider to identify exactly what data is missing and come up with a plan going forwards.

So do the cloud providers themselves buy cyber insurance?

"They don't buy cyber insurance as much as they come to us to buy professional indemnity insurance. The reason mid-market SMEs are interested in cyber insurance is because they enter contracts with OSPs that have very limited liability, and then they don't have the ability to sue because the contract states they are entitled to a month's fee which could be £50, and the cost to the organisation is potentially £100,000," Bouloux explains.

Although insurance costs can vary quite significantly for different types of companies, Bouloux says the "run-of-the-mill risk model" is worth £100,000 in indemnification for an annual premium of £400. However, premiums can amount to hundreds of thousands of pounds, he adds.

But deciding to purchase such insurance is the easy part, according to Seth Berman, UK head of risk management and intelligence firm Stroz Friedberg.

"The cyber security insurance market is in its infancy. As a result, there is very little consistency with the market about what is covered and what is excluded, and very little knowledge among potential buyers about what kind of coverage they need," he says.

Berman advises organisations to undertake a thorough investigation of digital assets and vulnerabilities "in order to both minimise its risks and intelligently purchase insurance against those risks that cannot be eliminated".

And perhaps, if the cyber insurance market does grow in the UK and Europe following the new regulations, new types of policies may be created. For example, UK firms could take on a common element that Japanese organisations include in their cyber insurance policies.

"They have a notion of 'apology money', so if someone's data goes missing, we would offer monetary compensation - almost like a coupon - to apologise for the loss of the data," says AIG's Bouloux.

@Sooraj_Shah
