The uptake of cyber insurance, particularly by small to medium enterprises (SMEs), remains low. Existing research suggests that some of the overarching factors explaining this are: the high cost of policies and the difficulties insurers face in pricing premiums; confusion over what types of incidents insurance policies cover (and the issue of ‘silent cyber’); and a lack of understanding of risks stemming from cyber incidents.
That’s from a paper by the defence and security think-tank RUSI (Royal United Services Institute). It arose from interviews and workshops with insurers, businesses, cyber security providers, government and others.
In April 2020, reports emerged that Travelex had paid a ransom of $2.3m to restore its services after a crippling ransomware attack. Initially, the company claimed that its cyber insurance policy, designed to cover business liability from the impact of cyber incidents, would cover a large part of these outgoings. However, the extent to which the policy covered the company’s losses from the ransomware attack remains unclear. Travelex has never stated what sort of policy it has or how much of its losses were covered. In August, Travelex went into administration; the administrators said that the cyber incident, plus the coronavirus pandemic, had acutely impacted the business.
As the extent to which Travelex’s policy covered its losses from the ransomware attack was never disclosed publicly, that promotes perceptions of cyber insurance as a secretive market where pay-outs are hard to unlock. And, there is no information in the public domain on the intricacies of Travelex’s cyber insurance policy and whether it directly or indirectly encouraged good cyber behaviours or not.
Remote working, rapid digitalisation and the need for connectivity had already made cyber risk a concern, even before the pandemic.
The paper was by Dr Jason Nurse of the School of Computing and Kent Interdisciplinary Research Centre in Cyber Security (KirCCS); with James Sullivan, Head of Cyber Research at RUSI. Dr Nurse said: “With data breaches and cyber attacks a higher risk to businesses than ever before, the uptake of cyber insurance still remains low. Businesses remain sceptical about the benefits of cyber insurance and the need to have it. They are also discouraged by the high prices of policies and the type of incidents they will be covered for. We hope that this report proves useful in assisting the cyber insurance market, both for businesses considering insurance, but also for insurers and regulators reflecting on what market weaknesses are yet to be addressed.”
He is next researching views on cyber insurance from those in a position to purchase cyber insurance, or that have purchased it, via a survey: https://www.surveymonkey.com/r/rusiuokcyberinsurancesurvey.
For the full 20-page paper, visit the RUSI website.
