When the worst happens and you have a cyber incident, you need the support of a specialist cyber team, and not just any team. You need the BEST in the business. That’s us.
Shortly before coronavirus was first detected, PwC published its Global Crisis Survey 2019, which found that crisis preparedness was rapidly becoming a source of competitive advantage. In the same way that financial institutions were put to the test in 2008/2009, the travel and hospitality sectors are currently bearing the brunt of the pandemic. Once the dust settles, we will see how well these organisations coped and whether those that were ‘crisis ready’ weathered the pandemic any better than their peers, just as some firms came through the financial crisis comparatively unscathed.
Back in 2019 the PwC study took the long view, and while it identified some health risks, it saw cyber risk gradually overtaking health risk, financial risk and all other risks to become the greatest risk that we all face. Indeed, there are some concerning parallels between the focus on revenue over risk in the run-up to the global financial crisis and what can be seen in the current cyber threat landscape (see this 5-minute video for an overview of the cyber risk context: https://buff.ly/3asCeVT).
Surely, I don’t need cyber crisis preparedness as I have cyber insurance
Currently most companies don’t actually have any cyber insurance. Coverage rates are only 40% in the U.S., and 10% in the U.K. Elsewhere, it’s even lower.
Many cyber insurers boast that they can provide an insurance quote in under an hour. If they are able to provide cover for such a complex policy in such a short period of time, this should ring alarm bells. You should be concerned about their ability not only to accurately assess your risk position, but also to price the policy accurately.
Some insurers base their risk assessment on cyber security risk ratings. Some of these ratings are produced by firms that use web crawlers to check externally facing endpoints for known vulnerabilities.
This is a fairly crude method, but it’s probably still the best way to address the mass market at low cost. The problem is, it’s a bit like evaluating fire-safety risk by looking at a photograph of a building taken from across the street. You can get an idea of the building’s shape and size, but you can’t tell if there’s flammable material inside, or if the building is equipped with fire alarms or sprinkler systems. A photo like this is better than nothing, but it still provides only a basic, limited idea of the real risk.
The reason that some insurers can probably afford to base premiums on such crude risk metrics is that cyber insurance policies often include a host of provisions and exclusions that in effect make it impossible to claim for almost any incident of any kind. If they want to refuse to pay out, they’re probably going to find a way of justifying this. Indeed, almost the only reason they would pay out at all is to encourage other clients to sign up. So, if there is a global cyber crisis they may well refuse to pay out on any policies and consider withdrawing from the market entirely.
Examples of common cyber insurance terms or exclusions are as follows:
For these reasons we have already seen that some claims are not being paid. For example, several major insurers have declined to pay for damages caused by the NotPetya ransomware attack a few years ago. They say it was a “hostile or warlike action” and therefore not covered.
On top of this other claims have only been paid in part. For example, Norsk Hydro received an insurance payout of $3.6 million. That’s only about 6% of the overall damage that was estimated to be as much as $71 million. It covered the cost of the technical fix, but that was it.
Cyber insurance, while important, simply isn’t a substitute for prevention or for crisis preparedness. You need to have all three.
First of all, you need to understand the difference between a normal crisis and a cyber crisis. Most crises or crimes are relatively straightforward – picture a bank robbery – the criminals get the blame and the company and its customers are seen as victims. The conventional PR tactics in such a crisis scenario are to contain any issue until it becomes public and then to show empathy for your customers in order to gain sympathy from the press and general public for both you and your clients. It tends to work well.
A cyber incident works differently:
Crisis preparedness is also critical. Scenario planning and realistic simulation exercises are essential for preparedness, and indeed testing and assessment are mandated under GDPR. So if you don’t do these things and you then have an incident, the regulatory action will be far harsher.
Here are a few measures to consider:
We need increased adoption of cyber insurance cover, with organisations being far more discerning about the policies they adopt:
What we tend to find is that organisations with incident response cover call in the experts straight away, while those without it often attempt a DIY fix before calling for help. By the time they do call for help, it’s often a little too late (the impact and exposure have magnified significantly) and they call in the wrong people (not having had time to select the right experts).
Almost worse than a policy that won’t pay out is one that won’t provide top-quality incident response. Whether your insurer is footing the bill or you are, here’s what you will really need:
The technical fix:
The legal defence:
The brand defence:
Social response:
For companies of any size, it’s probably not a matter of ‘if’ they’ll get hit, but ‘when’. And since the average breach takes more than six months to detect, it may well already have happened.
If ever there was a time to make the case to the board for cyber insurance and crisis preparedness, it is now – with a looming pandemic. The last crisis may have been financial and the current one may be health related, but the chances are that the next one will be a cyber crisis. We all need to be prepared for this.