Incident response in a can
Cyber insurance is about surviving a breach.
Sixty percent of small businesses that suffer a security breach go out of business in less than six months, according to a 2013 Experian survey. The impact is twofold: the immediate business loss during an outage, and the lingering reputational impact as customers and suppliers turn away.
Cyber attacks are not only increasing in occurrence, they're also increasing in impact - criminals are actively targeting the most valuable data, and while their skills and tools continue to improve, their victims are still woefully unprepared. Into that gap steps cyber insurance, which is an umbrella term for insurance programmes aimed at reducing the impact of a breach. There are a handful of these policies available in South Africa, from the local expertise of CyGeist to the international muscle of AIG's CyberEdge.
Globally, cyber insurance has tended to be perceived as a facility for large organisations with equally large risk profiles, and has taken many years to gain traction among the smaller firms that actually need it most, says Natalie Van der Coolwijk. She's the MD of underwriting management agency CyGeist, which launched cyber insurance to the local market in 2013. "In South Africa, the uptake has been across the board. We have everyone from one-man operations through to large corporates on our books. I think that indicates that the South African market is actually quite sophisticated."
Cyber insurance policies centre around a common theme of incident response, rather than the financial payout the 'insurance' moniker evokes. In fact, while you can get a certain amount of financial cover for the losses incurred during a breach, that's likely to be the least of your worries, and the least of the cover. It's more about the costs and the knowledge of the vast network of specialists you don't even know you need.
There's a certain irony here. Security spend is often resented by CFOs. It's viewed as insurance; something you spend money on but hope to never need. A purely financial bet, based on risk. Cyber insurance, now that it's gaining traction, is actually exactly the opposite - an ongoing service fee for access to an incident response team.
Reputation protection is a major part of these plans, and one that many underestimate. You shouldn't - that's what drives the final nail into the coffin of those bankrupt breach victims. The story of Taylor & Sons is a great example, though it was accidental rather than a hack. Taylor & Sons Ltd, a 124-year-old UK business, was erroneously declared bankrupt by the UK government in 2014. Its supplier network promptly abandoned the stricken firm, leading to real bankruptcy shortly thereafter despite desperate remedial measures. The error? A simple typo by a government official. The actual bankrupt entity was one 'Taylor & Son Ltd'. By the time the error was corrected, the damage was done.
Although that was a mistake rather than a hack, the same pattern plays out after a breach has gone public. And once POPI is fully enacted, disclosure of a breach will be mandatory, so the traditional response of sweeping it under the carpet will become a crime in itself.
Consequently, one of the most important parts of a cyber insurance policy is access to a crisis communications team, including PR specialists, media experts, lawyers and process managers who can act decisively to contain the damage. But they're only part of the team - technical and legal specialists are no less important, and no less expensive. Those costs are a major concern. Cloud on Demand is fronting AIG's CyberEdge product, tuned for the cloud. Jonathan Kropf, Cloud on Demand's CEO, says few understand the full impact of an incident. "When something goes wrong, whether it's your fault or not, there will be a claim against you. You're in for huge money just to defend it." At the end of it, if you prevail, you might get some costs back, but it's never on the same scale and you still have the upfront expense and the reputational damage, he points out.
There's also the notion of professional indemnity, Kropf says: protecting against liability that may be incurred by negligence by an employee - the sort of liability that POPI introduces for protecting a customer's personal information.
Few understand the full impact of an incident.Jonathan Kropf, Cloud on Demand
In a nutshell, then, a cyber insurance policy exists to provide you with a team of incident response expertise to offset what could otherwise be overwhelming costs, and crippling business impact.
"You can draw an analogy with kidnap and ransom cover," says Michael Salant, head of legal at South Cross Risk Management (an AIG CyberEdge affiliate). "If your child has been kidnapped, an insurer won't pay the ransom, that's not what it's about. It's about sourcing experts who understand the situation, to negotiate the release, to help decide whether to pay a ransom at all - that sort of thing."
For all but the largest (and most actively attacked) companies, you are as unlikely to maintain a top-flight security ecosystem on staff as you are hostage negotiators. We're talking about not only operational security skills, but also forensic investigators, intellectual property and liability lawyers, crisis managers, incident response consultants...you'd be maintaining a whole village of extremely expensive specialists on the off-chance you might need them one day. And, to be honest, they wouldn't want to work for you anyway: most of these specialists are consultants, hunting for active cases to keep their skills - and their billable hours - sharp.
Even large companies tend to find themselves caught flat-footed by incidents, Salent adds. They find themselves struggling to figure out what action is required and what the legal implications are, and every delay can cost dearly.
These delays are what cyber insurance aims to tackle. In the first instance, by requiring the policy holder to complete a security self-assessment to help identify risk and raise awareness; secondly, by providing access to (and paying for) specialists who already know the drill and can react far faster, and with less impact to your business, than you can.
Insurers offering cyber policies have qualification processes that entail detailed questionnaires and assessments of the client's security practices, intended to quantify the level of risk and preparedness of the organisation. That's a useful process to undertake, even if you aren't interested in signing up to a policy - it'll give you a view of your security posture from an outsider's perspective, weighed by their experience across the broader market, which gives a good risk context to the penetration test or security assessment they may require as well. You can download the initial assessment questionnaires from AIG's and CyGeist's websites.
Insurance is a part of a security lifecycle, says Van der Coolwijk. "Companies can't assume that because they're insured against loss that they can stop focusing on security. You have to maintain the level of awareness from the start, or claims may be rejected. But most companies are the opposite: they understand that cyber insurance is there as a last resort, and the clients who come on board are actually the ones who are taking risk seriously."
Cyber insurance is now popular enough in global markets that its relevance is no longer questioned. More interesting questions are now emerging, such as whether cyber insurance should be mandatory, particularly for organisations holding large amounts of personal information, backing mandatory disclosure with mandatory remediation. Another is whether the risk profile of a company should be disclosed, identifying those that are failing to protect customer information. The ongoing threat of breaches to businesses and individuals is putting these issues directly under the spotlight, and cyber insurance is just a symptom of that evolution in progress.
This article was first published in Brainstorm magazine. Click here to read the complete article at the Brainstorm website.