Cyber Insurance – What Every Business Needs To Know

Posted on : 26-02-2015 | By : kerry.housley | In : Cyber Security

Tags: , , , , ,


Cyber insurance is a growing market in the UK.  Although it has been on the rise in the last few years, it still lags way behind the US who have a far more advanced cyber insurance market. The main reason for this is legislation. In the US most states are required by law to publicly disclose a security breach. As we all know the financial consequences of having to declare a breach publicly are far reaching so US companies seek to mitigate their losses using dedicated stand alone cyber  insurance.

In the UK it is a rather different story:

  • Only public sector companies are required to disclose a security breach with no specified time limit to do so

However, the situation is about to change with implementation of the new European Directive on Data Protection expected to come in to effect in 2016. This reform will radically alter the security landscape in Europe;

  • It states that all data breaches must be disclosed within a specified time limit of 72 hours
  • Failure to do so will incur a heavy fine of 5% of annual turnover or EUR 100M, whichever is the greatest

Some see this EU Directive as the silver bullet for the growth of the UK cyber insurance market.  It changes significantly the rules of the game and UK businesses will be looking at ways to deal with potential devastating effects of this public admission. The fact is that no company can ever completely protect itself from suffering a breach. What they can do is take measures to limit the chances and mitigate the potentially financially crippling effects.

This is where cyber insurance comes into play.

Many business make the mistake of thinking that their current insurance policy will cover them for a cyber incident – in many cases it will not. Companies need a dedicated stand alone cyber insurance policy that is right for them.  However, taking out a cyber insurance policy may not mean that they fully covered for all eventualities.

One of the problems with cyber insurance is that the business looking for the insurance does not know what it is that it needs to insure in the first place. Every company must establish its “Crown Jewels”  – i.e. know what its most critical information assets are. This is an absolutely essential first step to ensuring the right insurance cover is applied for.

It is critical too, on the other side of the deal, that the insurance company must be clear on what it is actually insuring against and understands its liabilities.  Insurance companies are not experts in Information security or the technology involved.  Couple that with the fact that they actually have very little data statistics on cyber incidents, making it very difficult to build an accurate risk profile.

Question is, how does an insurer find out that a business is risky in terms of cyber insurance?

With the absence of data on cyber incidents the onus is therefore on the  client to establish how prepared they to protect their information,  how likely they are to suffer a breach in the first place and what measures they have in place to reduce the financial impact.

  • Robert Hartwig, President of the Insurance Information Institute, described assessing cyber insurance risk as “this is like insuring aircraft in 1915!”

The result of this difficulty and sometimes vagueness in policy language are disputes in the courtroom as policy holders make a claim.

An information security audit is the key. This way both the insurer and the client can see exactly what it is they need to cover. As a business looking for insurance you must show that you have done everything you can to limit the possibility of a security breach and limit the effects when it happens.

Demonstrating that a company takes information security seriously is all about good governance and best practice. In the absence of any legally binding compliance or regulation, companies must look to the various types of guidance available and adopt an approach which best suits the needs of their business. The UK Government was so concerned about this lack of common guidance that it published its 10 Steps to Cyber Security an easy to follow checklist that any business can adopt to improve it information security.

Subsequently, this has been followed with the launch of its Cyber Essentials Scheme. This is a recognised cyber assurance certificate which the government hopes business will use as a baseline standard for its information security. By undertaking the Cyber Essentials Assessment and passing, companies can demonstrate to the insurer that they have adopted an effective good governance strategy and take cyber security seriously (if we adopt a baseline against which insurance companies can risk assess this will greatly improve the insurance process for both sides).

The cyber security challenge is something that crosses many parties and is firmly on the agenda of world leaders. Recently, President Obama was quoted as saying;

Just as we’re all connected like never before, we have to work together like never before, both to seize opportunities but also meet the challenges of this information age

Of course, cyber insurance alone is not enough to win the information security war.  What is needed is a broader strategy that companies must adopt in managing the risk and regularly reviewing the process and procedures and the technologies in place to ensure that they are keeping with changing times.

Insurance must sit alongside to be there when all else has failed!

Cyber Security in the Board Room

Posted on : 26-02-2015 | By : kerry.housley | In : Cyber Security

Tags: , , , , , ,


Most of us are all familiar by now with the Sony Entertainment hack which happened at the end of last year which had disastrous consequences for the film company. There have been many high profile breaches but this is probably the most notorious hack to date.

The Sony cyber attack resulted in embarrassing emails and personal details of movie stars published over the internet, contract and salary details released and the hackers managed to steal five entire movies! Whilst investigations were underway and the network disabled, Sony employees were left with just a pen and paper and fax machine to carry out their daily business. It has been impossible for business to ignore such high profile attacks which have helped to push cyber security onto most boardroom agendas.

The Thomson Reuters Corporate Governance Survey for 2014 reveals that although Cyber Security was now on the board agenda with 88% of boards including a Cyber Risk category in their Strategic Risk Register.

  • Only 29% viewed cyber threat as a “Top Risk”.
  • Two thirds (67%) of corporate boards are very concerned about cyber risk, but only 44% claimed they actually make decision on the topic.

The question is does the board see cyber security as an integral part of their business risk strategy or rather as tick box exercise that needs to be undertaken in order to satisfy compliance and regulatory departments. It still does not appear to be the case that company executives understand the paralysing nature of cyber crime and the ultimate affect it could have on their company’s profits and reputation.

An important part of any cyber defence approach is education and this must start with senior management. The Thomson Reuters Board Governance Survey found that board members had a poor understanding of the importance of the intellectual property and company data that they regularly carried around with them in person and on personal mobile devices.  A large volume of information was on paper which was rarely officially destroyed after it was no longer required and sometimes left on the train!  All company employees need to be trained in cyber security with the board being no exception.

  • The FTSE350 Cyber Governance Report found that 75% of board members had no cyber security training.

One way of improving this education is through the Chief Technology Officers and Chief Information Officers as the main communicators between IT and the business. A key part of their role is to talk to the company leadership in a way in a way which translates from the IT detail to a business level.

Less technological jargon and more about the people and the processes around which the IT framework sits.

The Government is keen to address this language issue and challenge the common perception that cyber security is an IT problem.  In 2013 it launched it’s 10 Steps Guide to Cyber Security which is a simple framework of 10 questions around information security presented in a more business friendly format. A summary of this document has been published with board members in mind 10 Steps: A Board Level Responsibility. The idea behind the 10 Steps is to encourage organisations to adopt a comprehensive risk management approach from the top.

The BIS 2014 Information Security Breaches Survey found that

  • 81% of large organisations had suffered a breach at an average cost of £600k – £1.5M
  • 60% small business suffered a breach at an average cost of £65k – £115k

A cyber attack experienced by Sony may sound like the stuff of Hollywood movies but the threat is very real, a threat that ultimately will affect the company profits.  A threat to company profits is a threat that any board member cannot afford to ignore.

If you would like any more information on Information Security and ways in which Broadgate can help your organisation please contact:

Kerry Housley
+44(0)203 328 8006