A cyberattack is just as likely to affect the top and bottom end of town – the proportional effects can be no less devastating resulting in loss of reputation and loss of business.
For example, there was a major attack last week on domain name services provider Dynamic Network Services. It was described as "the most disruptive cyber incident" since the birth of the Internet and could have a profound impact on insurance.
Dr Michael Neary, industry general manager for insurance, CSC (Computer Sciences Corporation), said in a media release: “With almost 70% of Australian businesses experiencing a cyberattack in the last 12 months, this is now a board-level discussion. Cyber risk has materialised as one of the top challenges faced by companies worldwide. This is further reflected in the valuation of the cyber security market, with Lloyds having recently valued it at US$85 billion, indicating the enormous potential to drive growth for insurers.”
Many Australian businesses are starting to respond to the ongoing risk of cyberattacks by increasing their investment in information security. The cost of cyber-crime continues to rise: in Australia, the cost rose by 13% in 2015 over 2014. Each attack also took longer to detect and resolve, demonstrating the increasing sophistication of cyber criminals, as well as the persistence of their attacks.
“Many organisations believe they are covered for a cyberattack under the terms of their current insurance policies when, in fact, those traditional policies are somewhat ambiguous and therefore potentially inadequate when it comes to mitigating cyber risk,” Neary said.
“Insurers need to re-engage with clients and explain to them where they are currently exposed regarding their coverage. This could be achieved through a dedicated education campaign, which would help promote discussion and raise awareness of the potential threat of losses incurred as a result of insufficient cyber insurance coverage,” he added.
To date, insurers have been held back somewhat by roadblocks in offering cyber insurance, such as a lack of historical data for underwriting it, a continually-morphing risk profile, and a still-developing skillset.
According to CSC, there are three key phases insurers should work through:
- Threat intelligence gathering: Experts should gather threat intelligence, which could include a threat map that profiles a client’s position.
- Risk assessment: This may include activities such as penetration testing, security audits, and white-hat hacking campaigns to get a clear view of the client’s risk profile.
- Training: It’s important to get training for the insurer, the brokers they work with, and for clients, who may be entitled to reduced premiums if they have certain requirements in place such as security certifications and accreditations.
David Jarvis, national practice lead for Cyber Security at UXC Consulting (a CSC company), said, “Cyber insurance is an emerging product that is likely to grow exponentially over the next few years. There is a clear market opportunity in Australia for insurance providers to cover cyber risk. The most effective way for insurance providers to develop workable policies fast enough to take advantage of the skyrocketing demand is to partner with providers that can provide the deep cyber security knowledge and skills needed to understand risk and assess claims."
Neary summed it up, “This partnership with organisations that provide cyber security skills will be a similar model to that used by life insurance providers, who rely on doctors and return-to-work specialists to evaluate policies and claims.”
CSC has just released a white paper: Cyber Insurance. The Next Frontier, about the cyber insurance market and risks.