Why should a company take out a cyber insurance policy?

Companies increasingly rely on hardware and software components to create new business opportunities, to stay competitive in their markets or to comply with laws and regulations. In the information age we live in, companies can collect enormous amounts of data, continuously extract information from it, collaborate around the globe and streamline business processes. Unfortunately, as experience teaches, with great power comes great risk. Driving a Ferrari at full speed is fun, but it is surely more dangerous than driving a Toyota, and we are only now discovering how fast technology can go.

According to the 2020 US CEO Survey by PwC, 50% of CEOs are ‘extremely concerned’ about cybersecurity threats, and rightfully so: the World Economic Forum, in its annual Global Risk Report, ranks cybersecurity attacks 9th by likelihood and 2nd among global business risks.

Outages, mistakes, or attacks on these new processes can result in significant out-of-pocket costs that can devastate the organisation's bottom line. When it comes to data security breaches or loss of privacy, the question is not whether it is going to happen but when. Companies cannot prevent every attack from succeeding, and for this reason, exactly as with vehicles, an insurance policy might be helpful.


In order to understand the extent to which they are exposed to cyber risks, companies need to carry out a proper assessment of their key systems. Risk Transfer is an important phase of the Cyber Risk Management process, which will be explored in more depth in our future articles. In summary, the process is composed of:

  1. Risk identification: analysis of possible sources and scenarios of cyber risk that may affect the company;
  2. Risk classification and estimation: evaluation of the two components of risk – the probability of occurrence (the frequency with which it is assumed that a given event may occur) and the impact (severity of the consequences caused by the risk scenario);
  3. Risk assessment: comparison of the possibility of risk occurrence with the desirability criteria defined by the company, in order to understand the relevance of the risks for the organization;
  4. Risk treatment and mitigation: planning and implementing measures to modify the two risk components so that they are within the company’s acceptable parameters;
  5. Risk transfer: ultimately, to pass residual risks to third parties, companies use cyber insurance policies.


After the risk mitigation phase, the so-called residual risk remains. If the residual risk is greater than the company’s risk appetite, a cyber insurance policy can be used to transfer the risk.

In response to the growing attention companies pay to information security, the insurance market's offering is also growing. The cyber insurance market offers several coverage options for the loss or disclosure of sensitive data. Not only that, it is also possible to protect oneself against damages resulting from a compromise of the information system or an interruption of service.

In concrete terms, a cyber insurance policy can, for example, cover loss of income due to business interruption, crisis management consultancy fees, legal fees, extortion payments and damages caused to third parties as a result of data loss.


This type of insurance can help an organization recover more quickly and at a lower cost from a cyber incident. Modern cybersecurity policies could also provide resources to help businesses prevent cyber incidents in the first place.

Cybersecurity insurance can also provide a safety net for organizations that are implementing security controls but need to transfer certain risks to third parties. A policy can then provide quick access to funds and special services in the event of an incident.


As with any type of insurance, you may end up paying high premiums on a policy for which (hopefully) you will never have to make a claim. But the pitfalls go beyond this visible aspect.

There is also the question of whether cybersecurity insurance enables offenders, who know that the cost of the attack will ultimately be covered by the victim's insurance company. In the case of ransomware demands, that may particularly hold true.

Policies can be complex, argues a manager at Coalfire (an important cybersecurity advisory company in the US), and brokers do not always fully articulate their value, since they are incentivized to sell certain policies. “Some cyber policies lock you into a vendor ecosystem for incident response, which may also not be cost-effective either. These policies should really be well considered by corporate risk managers.”


The average cost of cyber insurance in the U.S. is $1,485 per year, but the premium depends on a variety of factors analyzed by the insurer, starting from the company's revenues, the coverage level it chooses (the higher the limits, the higher the premium) and the deductible (the share of a covered loss that your company is responsible for).

The cost also takes into account the nature and size of the business, the type of data it handles and the state in which it is located. Finally, the insurer also considers the security measures in place when calculating the premium.

Amin Skhita
