Cyber insurance doubt

by Mark Rowe

New insurance products launched to protect businesses from the losses caused by cyber-attacks have been met with great scepticism, it is suggested.

A survey of information security people, whose organisations are members of KPMG’s International Information Integrity Institute (I-4), found that the most common reason for not purchasing a cyber insurance policy was the belief that insurers would not actually pay out on a claim.

Distrust around insurers honouring their contracts is leaving businesses vulnerable to the effects of cybercrime, according to the audit firm KPMG. Some 74 percent of those surveyed stated that their businesses had no cyber insurance in place. This is despite most (79 percent) believing that cyber security threats are likely to increase over the next 12 months, with three quarters (74 percent) perceiving organised crime and state-sponsored activity to pose the biggest threat. Of those whose businesses have purchased cyber insurance, 48 percent think that the policies may not pay out if they need them.

Mark Waghorne, Head of KPMG’s International Information Integrity Institute, says: “It is worrying to see that so many businesses would rather risk having no insurance in place to protect themselves against a threat they believe is very real. It is also disappointing that cyber insurance is viewed as providing little comfort to those who have it, as almost half do not believe they would be compensated properly if push came to shove.

“Of the information security professionals we spoke to, 30 percent believed the market for cyber insurance does not appear to be sufficiently mature yet. Insurers will need to deliver more comprehensive packages in order to convince the business community that they can and will protect against losses on cybercrime. However, discussions during a later debate at the most recent I-4 Forum showed that the availability of focused cyber related insurance has much improved during the past year with clear evidence that carriers do pay out. This indicates that organizations which have avoided cyber insurance in the past should perhaps revisit their positions.”

A survey, meanwhile, of global institutional investors by KPMG found that 79 percent of investors would be discouraged from investing in a business that has been hacked. The research surveyed 133 global institutional investors with more than USD 3 trillion under management.

The findings suggest, according to the audit firm, that investors believe fewer than half of the boards of the companies they currently invest in have adequate skills to manage cyber risk. Furthermore, they believe that 43 percent of board members have unacceptable skills and knowledge to manage innovation and risk in the digital world. This sentiment was mirrored in a recent KPMG survey of boards and management of FTSE 350 businesses, which found that 39 percent of boards and management agreed they were severely lacking in their understanding of this area.

Malcolm Marshall, global leader of KPMG’s cyber security practice and partner with the UK firm, says: “Investors see data breaches as a threat to a company’s material value and feel discouraged in investing in a business that has had its sensitive information compromised.”

“Following a number of high-profile breaches, we are seeing global investors waking up to the issue of cyber security. The ripple effect of this has seen investor appetite for cyber businesses increase, with the survey revealing that 86 percent of investors see it as a growth area.

“There is an expectation from investors for businesses to increase their cyber capabilities from top to bottom, including the board. In a world where breaches are common, it is reasonable to expect boards to have prepared themselves. My personal experience of working with organisations that have been breached is that businesses that are generally well run and understand risk are better prepared for future risks. A serious breach brings the competence and teamwork of senior executives and the board into sharp focus. What we are seeing is companies struggling to demonstrate to their existing and potential investor base that they are taking cyber risk seriously. The inability to demonstrate that a business is doing so could make it a less attractive investment proposition.

“A good start would be for boards to elevate cyber higher up on the agenda and invest more time in it. Our survey reveals that 86 percent of investors want to see an increase in the time boards spend on cyber compared to last year.”

Marshall suggests that boards need to consider the following to be cyber secure:

Board directors need to understand and approach cyber security as a business risk issue, not just a problem for IT.
Directors need to understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
Boards should have sufficient cyber security expertise, and discussions about cyber risk management should be given regular and adequate time on the boardroom agenda.
Directors should set the expectation that management will establish a firm-wide cyber risk management framework that has adequate scope for staffing and budget.
Discussions of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer, as well as specific plans associated with each approach.

© 2024 Professional Security Magazine. All rights reserved.