Head in the Sand 7: the rate of cyber insurance coverage is woefully low and some policies are inadequate, while many of the risk ratings on which many cyber insurance premiums are based are far too crude.
While new threats will continue to be found, like blockchain poisoning, much of the focus in cybersecurity remains on hackers, phishing, malware and ransomware, but in reality the greatest threat is the insider one – the chance that one of your own staff could leak data either accidentally or maliciously. Until recently the law protected employers from being held liable for the illegal actions of their employees, but a recent ruling against Morrisons supermarket in the UK has changed this. Previously, organisations could not be held liable for criminal actions taken by their employees, but the Morrisons ruling means that the chain could be held vicariously liable, and it now faces a huge potential payout to the 100,000 employees whose personal data was compromised when an internal auditor posted it online.
The judge in the Morrisons case accepted that this was a significant burden to bear, but suggested that it should be covered in future as part of an organisation’s business or cyber insurance. Obviously, this will result in increased premiums or further policy exclusions. The problem is that few business insurance policies cover cyber risks and not enough organisations have cyber insurance.
The cyber insurance sector is predicted to be a massive growth area as the range and scope of threats increases. This is in turn spawning a new set of businesses called cyber risk ratings agencies that seek to benchmark an organisation’s risk position by providing a risk rating that is meant to work in much the same way that credit ratings already work.
Most of these risk ratings agencies conduct remote tests of a firm’s externally facing endpoints for known vulnerabilities. However, not only does this fail to give any picture of the internal security profile, but a firm will often have outsourced its website to a marketing agency and other elements of its infrastructure to other third parties, making it hard to know who is running what and how.
The CTO at RedSeal has said that this kind of score “taken from the outside looking in, is similar to rating the fire risk to a building based on a photograph from across the street. You can, of course, establish some important things about the quality of a building from a photograph, but it’s no substitute for really being able to inspect it from the inside.”
Not only are cyber premiums often based on such crude metrics, but the extent of the cover varies widely. You need to be sure exactly which aspects of any technical restitution will be covered, whether cover extends to regulatory fines and cyber litigation (from either customers or shareholders), and whether it also extends to reputational protection and crisis management.
Even assuming that organisations are already taking whatever measures they can to protect their systems, it is a never-ending battle and nobody is ever 100% secure. Maybe one day cyber insurance will be mandatory, just as business insurance and car insurance are today.