Cyber insurance - new fad or real business value?
Do companies really benefit from cyber insurance? Cashing in on the cyber bandwagon or real world benefits to be offered?
As companies accept that there is a very real risk of their security infrastructure being breached, the allocation of IT security spend is set to change, moving away from a prevention focus to incorporate detection and response capabilities. With this change in budget allocation, cyber insurance policies are poised to become an effective tool in managing rising IT security costs.
IT security spend has traditionally been focused on prevention, with most companies spending as much as 80% of their security budget on preventative tools. Detection and response, while being regular features on a budget, have typically only received small slices of the pie, averaging at around 15% and 5% of overall budget spend respectively.
As South African companies continue to see an increase in the number of cyber attacks, they are starting to realise and acknowledge that traditional, typically signature-based preventative measures are fallible. Accepting that a breach could occur is resulting in an increased focus being placed on detection and response capabilities, the aim of which is to reduce the time taken to identify and react to a security breach. This shift in focus is also evident in the new solutions being investigated and released by security vendors. "These are exciting times - as the big data concept continues to mature, I believe security and event monitoring will be revolutionised, combining disparate data sources to derive context and drive down the traditional lead times we have seen to identify a breach," says CyGeist MD, Natalie van de Coolwijk.
Past figures show an average of almost 200 days for companies to detect a breach, with well over half of affected companies being notified of the breach by an external party. "Once introduced, POPI will require mandatory breach reporting and notification to affected parties. Companies will need to identify and respond to breaches quickly and effectively in order to protect their reputations. Reporting a 200-day-old breach is never going to be easy," warns Van de Coolwijk.
It is anticipated that in the near future, the change in focus will be echoed in IT security budgets, which will be more or less equally split between prevention, detection and response. This move towards the "rule of thirds" could see increasing pressure being placed on already stretched IT security budgets, as companies strive to improve their detection and response capabilities, while not letting their preventative measures slip. Although still a relatively new product offering in the South African market, cyber insurance policies have been available abroad for a number of years, most notably in the USA where premium volumes are in excess of $1 billion per annum and growing. "The coverage for incident response costs and guidance on steps to be taken in the event of an incident have been the most attractive features for clients in already established insurance markets such as the US, and we believe cyber insurance policies will also have tremendous value to offer to South African companies," says Van de Coolwijk.
Purchasing cyber insurance coverage allows the risk of response costs to be transferred to the insurer, thus easing IT security budget pressure and enabling the policyholder to focus on prevention and detection. Van de Coolwijk stresses that "there is significant advantage in making use of seasoned experts when responding to an incident", and that "the effectiveness of response can be pivotal to reducing the potential impact of an incident".
Response capabilities require specialised skills that are honed by dealing with incidents on a regular basis. For many organisations it is simply not feasible to retain such resources on the payroll for incidents which are hopefully not a frequent occurrence. Insurers add further value by making a panel of vetted service providers readily available to policyholders and managing their costs by pre-agreeing rates.
Many companies are under the impression that their traditional insurance products cover them against cyber risks. The reality, however, is somewhat different, as traditional insurance products generally require assets and damages to be of a tangible nature. Cyber perils and data fall outside of this requirement.
This is where CyGeist has stepped in to offer insurance tailored to the cyber threat landscape. It offers cover for the following potential consequences of a network security or privacy breach:
* Costs to restore or recover corrupt or destroyed information assets;
* Network/business interruption;
* Related expenses of specialists, investigators, attorneys, forensic auditors or loss adjustors;
* Third-party claims arising from compromised systems or data; and
* Crisis management and notification expenses.
CyGeist is a proudly South African offering that enjoys significant support from local and international partners.
To find out more about cyber insurance and the potential benefits to your company, visit www.cygeist.co.za or speak to your broker.
CyGeist underwrites on behalf of Guardrisk Insurance Company Limited (Authorised Financial Services Provider FSP 261075) by means of a dedicated and ring-fenced short-term cell captive, wholly owned by the Natsure Group.