Cyber liability insurance. Another Y2K or a new essential?

Mark Rogers looks at the huge and rapidly growing market for cyber liability insurance and the risks highlighted by those bringing these new products to market, to ask “Is this something we really need?”

Cyber liability insurance - essential or overkill?

Cyber liability insurance, the insurance industry tells us, is designed to protect against the financial and, rather more esoterically, reputational risks associated with the loss, theft or damage to sensitive data – be it personal, private information or ‘business critical’ data.

To a large extent, it appears that the insurance market has moved to create and aggressively market these products in response to two issues.

First, the rise of high profile hacks – in recent times eHarmony, Dropbox, Sony and Yahoo! have been hit by ‘cyber attacks’, which resulted in the theft or exposure of personal information relating to millions of customers. Second, a series of moves by governments and regulators worldwide have strengthened data privacy regulations.  From the US and Canada, to the EU, Hong Kong and Singapore, draft or actual regulations rightly raise the bar in terms of the lengths businesses must go to in order to prevent data loss, and they have, or will, increase the financial impact when things go wrong.

Regulatory approaches differ from country to country of course.  Measures passed or currently in discussion in the EU and Singapore for instance are broadly similar.  They focus on prevention and, what businesses must do if data is lost or stolen – in simple terms, they must quickly notify those affected and move to minimise the potential damage, and they are likely to face significant financial penalties.  In the US on the other hand, the focus is less on prevention and more on the ‘after the fact’ measures and penalties.

There is not doubt, however, that in all these jurisdictions the financial impact of a serious ‘cyber attack’ and subsequent loss of data is potentially significant.  What, for instance, does it cost to quickly (in a matter of days) notify millions of people that you have allowed their credit card details to fall into the hands of criminals?

Then there is the damage to reputation and customer trust.  If you lose a customer’s details once, they are quite clearly less likely to trust you with them again – especially if the ‘hack’ (or an employee leaving a laptop on a train for that matter) is splashed across the front pages of the morning paper.

These, in essence are the issues and risks that cyber liability insurance is designed to protect against.  There are one or two issues with the level of protection they provide, or claim to provide, in my view.  First, the legality of insuring against financial penalties varies from country to country – it’s fine in the US, but illegal in the UK.  Second, how do you insure against adverse media coverage or any reputational risk for that matter?  It is esoteric at best – if the damage is done, insurance is not going to wave a magic wand and make everyone forget.

The core value of cyber liability insurance then, taking into account variations in local laws, appears to be in covering the costs of cleaning up the mess – notifying affected individuals, potentially compensating them and so on.  Suddenly, it sounds like a bit of a specialist product, or at least one most applicable to firms collecting and storing a large amount blackjack online of customers’ personal, private data.  Does a small firm selling specialist products to a small number of corporate customers really need it to the same extent as a business like eHarmony or LinkedIn?

Not that it appears to matter.  The fear-marketing machine is in full swing, and it has the cloud and BYOD firmly in its sights.  The mantra goes like this: “Putting data in the cloud is risky and compromises the security of your data, while BYOD amounts to allowing employers to carry unfettered access to data around in their back pockets.”

Whether you agree with that assessment or not , the message is getting through.  A recent survey by Chubb in the US found that cyber risk is the number one concern for public companies, whilst insurance broking giant Marsh reported recently that cyber liability insurance purchasing jumped by 33% in one year.

Let’s be clear.  I am not saying cyber liability insurance is a waste of money.  For some firms, as noted above, it is probably an essential.  I do, however, feel the risks are somewhat overstated.  For starters, any businesses storing sensitive data in the public cloud is asking for trouble – indeed, I am not aware of a single example of that.  Private corporate cloud solutions can, and should, be every bit as secure as on premises infrastructure – provided the solution is scoped, designed, tested and proactively managed by a vendor with secure infrastructure, highly skilled people and a commitment to constant improvement.

Equally, BYOD is a significant risk only when security and policy are overlooked.  Mobile Device Management (MDM), to control what data a user has access to and what can be done if their device is lost or stolen, is fundamental to a secure BYOD environment. Again, it comes down to design and scoping – from ensuring systems readiness, designing a sensible solution (yes, including MDM) to ongoing management of the environment.

Frankly, it is very difficult to imagine any CIO would invest in any significant technology solution without first carrying out rigorous due diligence – the cloud and BYOD are no different. The level of risk boils down to the quality of the solution and the capabilities of the vendor sitting behind them.

In the end, my view is that cyber liability insurance does have its place.  Higher risk industries like e-commerce, gaming networks, social networks and healthcare suppliers for instance are already buying cover, and they are probably right to do so given the potentially huge costs associated with a serious data breach.  The same might apply to very specialised firms, big and small, which depend entirely on very sensitive IP for their prosperity.

But let’s hope that buying cover does not amount to a false sense of security – “It’s OK, we’re insured against that.”  Insurance does not obviate the need to design and maintain secure environments - cloud, BYOD or not.

My point is, it is vital to look beyond the hype.  The extent to which any business really needs cover boils down, as ever, to the level of risk it is really exposed to.   Maybe that is why that survey from Chubb also found that 65% of businesses have foregone cyber liability cover?

Tags Security, Strategy, Disaster Recovery, IT trends, data security, Business Strategy