BreachExchange mailing list archives

Cyber insurance not trusted by business, KPMG claims


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 1 May 2015 14:19:21 -0600

http://www.scmagazineuk.com/cyber-insurance-not-trusted-by-business-kpmg-claims/article/412535/

Based on a survey of senior information security professionals from
organisations which are members of KPMG's International Information
Integrity Institute (I-4), 74 percent of businesses have no cyber insurance.

Given that 79 percent of companies believe that cyber threats are likely to
increase in the next 12 months, the results would be inexplicable except
for the fact that at least half of businesses believe that a
cyber-insurance policy may not pay out when needed.

Mark Waghorne, head of I-4, is concerned that many businesses would rather
not have insurance against a threat they believe is inevitable.

He revealed that 30 percent of information security professionals in the
survey believe the cyber insurance industry has yet to mature. “Insurers
will need to deliver more comprehensive packages in order to convince the
business community that they can and will protect against losses on
cyber-crime,” Waghorne said.

Sarah Stephenson, head of cyber, technology and media E&O at JLT Specialty,
told SCMagazineUK.com that she “couldn't disagree more that might not be
effective”.

“Like any emerging line of insurance, there is going to be scepticism about
its efficacy,” she said. “But it's been around since 2000, and while it may
feel brand new, it's been paying claims and helping to mitigate the effects
of cyber disruption for 15 years.”

She said there was an impression in the media that insurers weren't paying
out on cyber insurance policies based on a failure to distinguish between
the specialist insurance policy and more general policies like crime.

“Almost all that litigation has been with general liability and crime
insurance and was not cyber specific,” she said. “The policies that aren't
paying out aren't cyber policies at all.”

Cyber is still a niche sector which unlike other insurance markets doesn't
have the history or case law to allow insurers and brokers to develop
standardised terms and conditions. “Companies that are purchasing
cyber-insurance now understand better how it's a partnership with the
underwriting community, that there will be a sit-down meeting with the
underwriter, broker, chief information officer and CISO to understand your
cyber risk,” she said.

“They will want to understand not only your adherence to policies but also
your culture. They are underwriting not only what you do today but also
your ability to adapt to new risks,” Stephenson said.

Waghorne supported Stephenson's final point. “Discussions during a later
debate at the most recent I-4 forum showed that the availability of
specialist, focused cyber related insurance has much improved during the
past year with clear evidence that carriers do pay out, indicating that
those organisations which have avoided cyber-insurance in the past should
perhaps revisit their positions,” he said.

Meanwhile, Daljitt Barn, director, cyber security at PwC wasn't surprised
by the figures which are broadly in line with other reports he's seen
including a report co-authored by the Cabinet Office and insurance broker
Marsh which found that 81 percent of big businesses and 60 percent of SMEs
had suffered a cyber-security breach.

The report found that half of firms surveyed were unaware that
cyber-insurance was even available – hardly surprising then that only ten
percent of firms have armed themselves with cyber-insurance.

Barn was sympathetic with business owners who may be worried that their
cyber-insurance won't cover them in the event of a major breach. With
technology evolving so quickly, it is perhaps natural to question whether
the details in your policy are still applicable.

However, Barn said that if organisations believed their cyber insurance
won't pay out, it indicated that they hadn't done their research. “They
need to understand their risk and what they are buying,” he said. “They
need to ask, do some of my existing insurance policies cover me for the
effects of a cyber attack? They need to understand their cyber exposure and
risk and then tailor their purchase according to what they need.”

The suggestion that cyber insurance policies won't pay out in the event of
an incident is not supported by the facts, he added. In the case of Target
Stores in the US, they had a US$100 million (£66 million) policy which paid
out. “But was it enough – we don't know,” Barn said.

Barn's advice is that when purchasing cyber insurance, understand what you
are buying and scrutinise all the detail under the heads of cover. The more
work your organisation does to reduce the chances of a cyber attack and
mitigate the consequences of a breach, the more you will save on cyber
insurance while also lessening the business disruption that simply can't be
insured for.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 