time for a fresh look at cyber risk

Cyber risk has evolved. Attacks are increasing in both volume and sophistication. While data breaches and privacy remain real concerns for some, today’s phishing, social engineering and ransomware attacks threaten to disrupt businesses, supply chains and industries for the many.

During the coronavirus outbreak it evolved again. With workers rapidly redeployed to home and security best practices harder to enforce, criminal attackers took advantage of the uncertainties to launch huge numbers of crisis-related attacks. In just one week in April 2020, Google reported seeing 18 million ransomware and phishing related emails per day.  

Organisations are heavily investing in IT-based protection. But no security solution is 100% effective. The weakest link remains the employee unwittingly falling foul of socially engineered attacks that lock up devices or push malware into the network, or those who maliciously steal data or introduce viruses.  

Cyber risk cannot be eliminated. It is now an unavoidable cost to the business; and those costs can be high – from business interruption and loss of income, through the restoration costs of replacing damaged digital assets, to reputational damage and regulatory action. 

I don’t need cyber insurance because…

With so many myths and assumptions, it’s hardly surprising many organisations are reluctant to explore cyber insurance:

Myth	Reality
My risk is outsourced to an IT partner.	Your IT security may be outsourced, but your risk is not. Cyber insurance means you do not have to rely on making a claim against the outsourced provider following a successful attack or data breach.
I have a secure network and the right antivirus tools.	This may be true, but no security solution is 100% effective. Crucially, successful attacks on your supply chain partners can also have a significant impact on your business. In a recent survey, only 16% of organisations say they effectively mitigate third-party cyber risks.
Cyber insurance policies do not pay out.	99% of claims made on ABI-member cyber insurance policies in 2018 were paid. This is one of the highest claims acceptance rates across all insurance products.
Cyber insurance doesn’t cover human error.	Human error is the single biggest security risk facing organisations. Cyber insurance can provide cover for breaches resulting from deliberate malicious actions by certain employees.
Cyber insurance only focusses on GDPR – I have no data so no risk.	Cyber insurance can cover loss of income as a result of a cyber event causing network downtime, and provides support with IT forensic investigations, legal advice and notification to customers or regulators A data breach is just one of the risks organisations face. Cyber insurance covers financial losses as a result of the cyber event and provides proactive support in a wide variety of cases – as we see below.

Addressing the perception problem

With every new threat, it is natural there will be misunderstandings. For example, that cyber attack is covered under other business insurance policies like revenue protection, public liability or business interruption insurance, for example. This is not the case. But perhaps the biggest perception issue is that cyber insurance is purely a reactive, claims-based financial transaction. In fact, as we have seen, the reverse is true.

From the moment a breach or attack is suspected, insurers can provide a team of project management and forensic IT specialists whose job it is to manage and contain the attack, restore systems and then take care of the entire process through to payment of lost income claims.

When it comes to cyber, the risk can be mitigated, managed, and recovered from, but it cannot be eliminated. And with attacks on the rise, it makes business sense to take a fresh look at cyber insurance.

Is cyber insurance right for you? Take the online test

^{Source:
1 https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020
2 https://www.abi.org.uk/news/news-articles/2019/08/cyber-insurance-payout-rates-at-99-but-uptake-still-far-too-low/
3 https://www.theregister.co.uk/2020/04/17/google_coronavirus_spam/
4 https://www.businesswire.com/news/home/20181115005665/en/Opus-Ponemon-Institute-Announce-Results-2018-Third-Party
5 https://www.abi.org.uk/news/news-articles/2019/08/cyber-insurance-payout-rates-at-99-but-uptake-still-far-too-low/}