Firms buy insurance ‘in mad panic’ as cyber attacks soar!

There are many stories in the news of businesses experiencing cyber attacks; this short article is a response to the BBC news report of 16th January, “Firms buy insurance in ‘mad panic’ as cyber attacks soar.” I felt moved to write a response because it made me slightly angry and exasperated at the same time, for several reasons. There are several points which need to be made that apply to firms, the cyber insurance collective and the security industry as a whole. Let’s start with the firms:

1. Insurance does not cover information loss

Insurance, as illustrated in the article, will not cover the full extent of the costs of a cyber breach, even if it does help with the cost of investigation, remediation, legal and public relations costs. Ransomware is only one kind of cyber breach: information is encrypted and a ransom is charged to decrypt it. This generally means that if you pay up, you will get access to your information without it being disclosed. However, a cyber breach may mean your information is stolen, published or exploited, and you may not realise it has gone until some time after. Insurance will not cover you going out of business.

2. Insurers are still learning how to price against cyber attack risk.

Take the car insurance market. There are many years of information regarding car insurance premiums, likelihood of claims and risk exposure. Therefore, premiums are matched to the level of risk of loss or damage. In the case of cyber security, however, there is very little consistent and qualified risk information upon which to base premiums. So, to address the risk to the insurers, premiums may be really high to cover all eventualities. Would it not be better to use this money to actually put cyber protection in place? This is highlighted in the article where it states that it is ‘difficult to assess the value of lost data’. If the organisation which lost the data cannot value its own data, then how can the insurer be expected to price accordingly?

3. The security industry has been focusing on the wrong measures to sell products.

This is a pretty strong statement, but the focus of security spending has been on products and approaches that have made little difference to the volume or scale of attacks. In order for the whole cyber protection system to work, it is necessary to understand the value of information across its lifecycle, e.g. how it is created, used and stored. Once you have this understanding, it is possible to apply protection measures commensurate with the information’s value and the risk of its loss. As digital transformation gathers pace, this information is scattered and now held on cloud services, third party providers and partners, which increases the risk of loss. If companies focussed on this risk, then it would matter less if attackers got in, for example if the data was encrypted. If companies focussed directly on the information protection issue, then insurers would have a template for premium creation. If measures to protect the information were tight, then attackers would go elsewhere, much like with a car: if nothing is on show and there is a steering lock, thieves will move on to a more vulnerable target.
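The point above, that protection should follow the value of the information and where it lives, can be made concrete as an inventory check. The following is an added example, not code from the article or its author: it takes a constructed inventory of data assets (classification, storage location, controls in place), applies a hypothetical control policy per classification, and ranks assets by a simple risk score so the gaps that matter most surface first. The policy table, the exposure weights and the sample assets are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical policy: the controls each classification level must have in place.
REQUIRED_CONTROLS = {
    "public": frozenset(),
    "internal": frozenset({"access_control"}),
    "confidential": frozenset({"access_control", "encrypted_at_rest"}),
    "restricted": frozenset({"access_control", "encrypted_at_rest",
                             "encrypted_in_transit", "audit_logging"}),
}

# Assumed weights: value of the data and exposure of where it is held.
# Copies held off-premises (cloud, third parties) are treated as more exposed.
VALUE_SCORE = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}
LOCATION_EXPOSURE = {"on_prem": 1, "cloud": 2, "third_party": 3}


@dataclass(frozen=True)
class DataAsset:
    name: str
    classification: str
    location: str
    controls: frozenset = field(default_factory=frozenset)


def missing_controls(asset: DataAsset) -> list:
    """Controls the policy requires for this classification that are not in place."""
    required = REQUIRED_CONTROLS[asset.classification]
    return sorted(required - asset.controls)


def risk_score(asset: DataAsset) -> int:
    """Value x exposure, scaled up for every required control that is missing.

    A fully protected asset still carries a non-zero score if it is valuable
    and held off-premises; a public asset scores zero regardless of location.
    """
    value = VALUE_SCORE[asset.classification]
    exposure = LOCATION_EXPOSURE[asset.location]
    return value * exposure * (1 + len(missing_controls(asset)))


def assess(inventory: list) -> list:
    """Rank assets by risk score, highest first, with their control gaps."""
    rows = [(a.name, risk_score(a), missing_controls(a)) for a in inventory]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inventory for the example; not real data.
SAMPLE_INVENTORY = [
    DataAsset("customer-records", "restricted", "third_party",
              frozenset({"access_control", "encrypted_in_transit"})),
    DataAsset("payroll", "confidential", "cloud",
              frozenset({"access_control", "encrypted_at_rest"})),
    DataAsset("hr-policies", "internal", "on_prem"),
    DataAsset("marketing-brochure", "public", "cloud"),
]


if __name__ == "__main__":
    for name, score, gaps in assess(SAMPLE_INVENTORY):
        gap_text = ", ".join(gaps) if gaps else "none"
        print(f"{name:<20} risk={score:<3} missing: {gap_text}")
```

Running it prints the third-party copy of customer records at the top, because it is the most valuable data in the most exposed location with two required controls absent; the same data encrypted at rest with audit logging would drop to a third of that score. This is the kind of view an insurer could price against, and it is the view a firm needs before deciding whether the next pound goes on a premium or on a control.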

In summary, insurance is something to placate senior management: ‘It’s okay, we are insured!’ However, focussing on the information lifecycle and protecting information at every point will mean it is harder to find, access and steal. In the digital transformation surge, this is now critical. Old perimeter security models are obsolete. Failing to realise the impact of digital transformation on security, with no apparent new model to replace the old one, has resulted in more cyber attacks being successful.

If you would like some help in assessing and securing your data please get in touch to arrange your FREE initial 60-minute consultation.

Sources:

http://www.bbc.co.uk/news/business-42687937