By Sanjeev Srinivasan
The recent spike in occurrence of cyber crime across the globe has made it obvious that it is no more a question of “whether” but a question of “when”. The average cost to the organisation of these breaches is estimated to be close to US$ 5 million. Multiple analyst reports place the average cost per breached record between US$ 78 and US$ 277. This cost is attributed to investigation and remediation activities, notifications to be sent to customers and other stakeholders, change in credit worthiness, reputation management, legal fees and settlements and any regulatory fines arising from the breach. Add to this, the intangible loss to the brand value and the change in customer behaviour in response to the breaches.
Organisations no more have the luxury of imagining that they will not be targeted by malicious hackers. Remember that the hacks need not just target the data an organisation holds – the compromised systems can also be used to launch an attack on third parties it interacts with. In such a scenario, the organisation may be held liable for the damage caused to the third parties. While a commitment to security is must, it is impossible to make any system 100 per cent foolproof. As such, it has become inevitable for organisations across industries and sizes to develop a good cyber risk management approach.
A sound cyber risk management plan will include increased cyber resilience through response and recovery, contingency planning, and as a last resort mitigation and transfer of financial risk through cyber insurance. The cyber insurance market is still nascent, and even in the markets where take-up for commercial property and liability insurance approaches 100 per cent, cyber insurance is purchased by anywhere between 20 per cent to 35 per cent of businesses based on the industry and size of the organisation. The variation based on size and line of business indicates that the low adoption rate is because of a lack of awareness in the market.
An analysis of cyber-attacks over the last three years makes it clear that an organisation’s defense is only as strong as the weakest vendor they interact with. Hackers have launched attacks on Fortune 500 companies using credentials they got off vendors like air conditioning and food delivery companies. The substantial difference in procedures and protocols followed at large and small organisations forces the larger player to fall back on cyber insurance as a way to transfer the risk arising from the weak links they have little control over. It is no surprise that while the take-up rates have increased in both small and large organisations, the gap between the two segments has actually increased over the last three years.
The very act of applying for a cyber-insurance incentives behavioural change in an organisation. Simple desire to get the coverage at as low a premium as possible drives the organisation to conduct gap analysis. The very first ask from underwriters is that all significant activities are logged against individual users and therefore login to the system are secure. Additionally, they require organisations to have disciplined procedures for patching software and put in place an incident response plan. They would also want to know if vendor networks are monitored regularly. Organisations would want to measure upto industry benchmarks like NIST framework and ISO 27001 as that would result in lower cost of insurance.
Further, once a policy is purchased, the insurer is invested in keeping the damage from any cyber-attacks at the minimum. This results in an additional layer of security through monitoring and rapid response services provided by the insurer to their policyholders.
While correlated risks arising from software vulnerabilities (like the “Heart bleed” discovered in 2014) and scalability of sophisticated attacks used by hackers makes risk assessment especially difficult, insurers have developed complex statistical models to facilitate evaluation of potential consequences arising from different damage scenarios. This allows the insured to work out the best contingency plans and ensure that the critical services are up-and-running at the earliest possible in case of a breach, keeping the consumer backlash at minimum possible.
While cyber insurance cannot protect an organisation against reputation risk or replace strong security controls and information security programs, it does act as a last line of defense and mitigates most of the financial risks arising from a breach. Further, it also incentivises cyber security discipline across the organisation.
(The author is the CEO & MD, Bharti AXA General Insurance)