Darting for cover: the pros and cons of cyber insurance

A growing number of UK organisations are predicted to take out cyber insurance policies this year. So what's driving this uptake and are there any pitfalls IT leaders need to be aware of?

"They will be rubbing their hands in glee," says Ann Bevitt, head of law firm Morrison & Foerster's London privacy and data security group.

Bevitt isn't quoting the chief of MI6, Sir John Sawers, who claimed recently that whistleblower Edward Snowden's leaks would aid terrorists. Instead, she says, the ones who could reap the biggest rewards from the ongoing hysteria over mass surveillance, rising cyber threats and regulatory changes, are insurers.

But according to several top law firms, UK organisations are not yet insuring themselves against data breaches.

"In our experience, the vast majority have not insured themselves against such risk," says Vinod Bange, partner at law firm Taylor Wessing.

Indeed, Richard Cumbley, a partner at Linklaters, believes that cyber insurance policies are less popular now than they were three years ago.

"I have had clients report to me that they have found the exclusions of these policies so great that it doesn't make them very valuable; the premiums may be outweighing the losses recovered in the EU," he says. In other words, organisations found that their premiums were more than the payouts they received under their policies, when it came to making a claim.

This contrasts with the US: a recent survey from security software firm Symantec found that data recovery costs there are higher than in the EU, which may be why current insurance policies are more skewed towards the US market.

US take-up of cyber insurance has been steadily growing as a result of security breach notification laws that have been enacted in most US states since 2002, Jamie Bouloux, head of cyber products and liability at insurer AIG, explains.

"US businesses became much more concerned about dealing with privacy and identifying issues around large datasets of their subjects going missing or being stolen [after the new notification rules came in]," Bouloux says.

AIG has been underwriting cyber insurance for 13 years, and a year and a half ago it rolled out the product across the EU, EMEA and Asia Pacific.

The timing couldn't have been better, with proposed EU regulations set to include fines for breaches of up to two per cent of global annual turnover - which could cost big corporations millions of pounds. For some, two per cent is not nearly enough.

"It is really scary for businesses in the EU because now there is talk of a fine [for data breaches] of up to five per cent of annual worldwide turnover, up from the two per cent that was stated. Either way it will make every organisation stop and think because that is huge, and this is likely to drive growth in insurance," says Bevitt.

AIG can see that growth coming as a result of the new regulation, just as it did in the US a decade ago.

The insurance would be a "secure safety net", Taylor Wessing's Bange claims, as firms will be more exposed and not be able to sweep incidents "under the carpet", which would in turn lead to reputational damage.

But Linklaters' Cumbley argues that, for now, companies' compliance teams should focus on staff training rather than taking out insurance, as he believes most data breaches involve some kind of human failure.

Bevitt, meanwhile, argues that organisations must also raise awareness among employees of external threats from hackers or disgruntled former employees. "However good your policies are in minimising risks, it won't get around the significant risks that come from an external source," she says.

Does insurance lead to complacency?

AIG's Bouloux dismisses the notion that organisations that take out cyber insurance will use it as an excuse to relax their internal data governance practices.

"We've partnered with a company called Risk Analytics to offer internal training to clients around data security, data breaches, encryption, email safety and so on, so that if something happens when a client loses data, they can tell the regulator that they did everything within reason to try to ensure that there was an environment of security where its employees knew how to handle client information," he says.

"Being able to prove that they weren't negligent could save organisations millions in the long-run," he adds.

Bouloux says that companies would be more likely to try to raise cyber security awareness in the workplace and offer training to staff because it affects the pricing of the insurance policy.

"It affects the limit we're willing to be putting out to risk; we want to see an organisation that has got a healthy understanding and approach to the security threat by employing the right technology, risk management, disaster recovery and training in place. These are huge aspects of the underwriting process. They shouldn't look at it as an easy way out or they'll become uninsurable," he explains.

Organisations that are multinational, or that have customers and staff in other jurisdictions, would see the cost of an insurance policy rise too, due to the added complications, but Bouloux says that those that move data into the cloud wouldn't have to fork out more money.

"We've built that into our policy because we realise that outsourcing is the reality for organisations today. It's included in the liability piece and we cover the first-party associated costs with an optional extension, which we tend to sublet because we are underwriting the clients and not their outsourcing providers. As organisations tend to have many providers it becomes difficult to manage them all from an aggregation perspective," he says.

But much of the cost depends on who the outsourcing service provider (OSP) is and what service it provides to the organisation.

"If you get a big name such as Amazon or IBM that is one thing. But there are a lot of players entering the space, especially in Eastern Europe or India, who have unproven track records and there are concerns about organisations moving to those types of OSPs. So we're asking firms who their OSPs are and making sure we understand what the OSP provides," says Bouloux.

AIG has teamed up with law firms Cameron McKenna, Norton Rose, and consultancy KPMG to offer clients a "data breach response service" whereby it provides legal and forensic experts who can help to identify and fix security vulnerabilities, as well as deal with regulators and any affected data subjects.

In the event of a breach, AIG can also offer clients a "crisis consultant" to handle the PR and mitigate reputational damage. It then works with the outsourcing service provider to identify exactly what data is missing and come up with a plan going forwards.

So do the cloud providers themselves buy cyber insurance?

"They don't buy cyber insurance as much as they come to us to buy professional indemnity insurance. The reason mid-market SMEs are interested in cyber insurance is because they enter contracts with OSPs that have very limited liability, and then they don't have the ability to sue because the contract states they are entitled to a month's fee which could be £50, and the cost to the organisation is potentially £100,000," Bouloux explains.

Although insurance costs can vary quite significantly for different types of companies, Bouloux says the "run-of-the-mill risk model" is worth £100,000 in indemnification for an annual premium of £400. However, premiums can amount to hundreds of thousands of pounds, he adds.

But deciding to purchase such insurance is the easy part, according to Seth Berman, UK head of risk management and intelligence firm Stroz Friedberg.

"The cyber security insurance market is in its infancy. As a result, there is very little consistency with the market about what is covered and what is excluded, and very little knowledge among potential buyers about what kind of coverage they need," he says.

Berman advises organisations to undertake a thorough investigation of digital assets and vulnerabilities "in order to both minimise its risks and intelligently purchase insurance against those risks that cannot be eliminated".

And perhaps, if the cyber insurance market does grow in the UK and Europe following the new regulations, new types of policies may be created. For example, UK firms could adopt a common element that Japanese organisations include in their cyber insurance policies.

"They have a notion of 'apology money', so if someone's data goes missing, we would offer monetary compensation - almost like a coupon - to apologise for the loss of the data," says AIG's Bouloux.

@Sooraj_Shah