Insurance makes sense

by Mark Rowe

Cyber insurance is a safety net, not a solution, writes Ross Brewer of LogRhythm.

Over the last few years, cyber attacks have become increasingly sophisticated and complex, making them much more difficult to detect. Indeed, last year, we saw a barrage of very high-profile data breaches affecting a whole range of businesses, from retail organisations, like Office, to banks, such as Barclays. With cyber attacks now becoming a case of when, not if, a growing concern for many businesses is how they will manage the aftermath.

As an attack becomes more inevitable, it makes sense that businesses would want to have the greatest level of protection, particularly as the repercussions of serious breaches are now akin to a large-scale theft. Indeed, there aren’t just reputational damages to consider; there are also significant financial fines that can severely affect a business’ bottom line. For example, last year, the Information Commissioner’s Office (ICO) imposed a penalty of £200,000 on the charity, British Pregnancy Advice Service (BPAS), for exposing confidential information, while an online travel services company, Think W3 Ltd, was hit with a £150,000 fine for failing to keep records of 1.5 million credit card details safe. This can have a significant impact on an organisation that does not have the resources to deal with the financial and logistical repercussions of a breach.

While cyber insurance has been around for a while, the market has been relatively slow to take off. This is due to many reasons. For example, it has been relatively difficult for insurers to create policies that will take into account both new and future unknown threats. As such, in order to cover all bases and provide sufficient terms and conditions, it’s been imperative for insurers to have full understanding of the evolving threat landscape. A lot of businesses have also tended to rely on general liability policies, despite the fact they offer limited protection from cyber threats, while some have even tended to ignore the risk of an attack completely. However, with data breach headlines continuing to dominate today’s news stories, and the threat of new EU regulations that could impose even bigger penalties, this is likely to soon change.

Government support

Last year, the UK government announced that it was partnering with 12 insurance companies to develop the cyber insurance market and highlight the threat of cyber attacks to businesses. As part of this, it promised that new working groups would be put in place and tasked with reporting back to the Cabinet Office on what the key issues in the market are. Worryingly, cyber crime has now become so commonplace that security incidents can occur with barely an eyebrow raised when reported. What many people don’t realise is that, while businesses themselves clearly have to deal with the consequences of these attacks, they also cost the UK as a whole a vast sum of money. Joining forces with insurers makes sense for the government as it will enable it not only to raise awareness of the issue, but also ensure future damage for any organisation is mitigated.

Growing government support for the cyber insurance market is certainly a good step forward in further boosting protection for businesses. However, while cyber insurance looks to be an inevitable addition to a business’ defence strategy in the near future, it must not start to be seen as a substitute for traditional and next-generation security tools. Instead, it needs to be used in conjunction with good cyber security practices and regarded simply as an extra layer of defence. Just as you wouldn’t forgo your fire alarm when you purchase contents insurance for your home, organisations must not forgo their defensive security measures when they buy cyber insurance.

The reputational damage of a cyber attack must also not be underestimated. In a recent survey, we found that over half of consumers in the UK will not do business with an organisation that has suffered a breach, or will at least limit the amount of information they share. It is clear that future business is at stake, and while cyber insurance will help businesses clean up the mess should they fall victim to an attack, it won’t stop existing or potential customers going elsewhere to do business. As such, organisations must ensure that they still have sophisticated tools in place that can detect and mitigate threats quickly.

It is imperative that the right checks and balances are maintained by businesses to keep corporate networks watertight, as the protection of private information should be paramount – rather than simply having the means to cover the costs of a breach after it occurs. Proactively monitoring the network for threats and applying intelligence to put all network activity into context should be the go-to strategy throughout organisations. This ensures that suspicious activity can be immediately identified and stopped in its tracks before any lasting damage is done – or big insurance payouts are required. While there is no harm in having insurance, and it will likely prove advantageous to both businesses and the UK economy, it must not be seen as the only option. Businesses have a responsibility to their customers to keep their personal data safe and that, ultimately, should be the driving force when building a defence-in-depth security strategy.

© 2024 Professional Security Magazine. All rights reserved.