Data breaches, malware infections, phishing, ransomware and other cyberattacks have affected small and large companies alike, despite many of them following strong cyber-security protocols.
The frequency of cyberattacks and the costs involved have both multiplied manyfold, and businesses are bearing the brunt. As they look to further strengthen their IT security in the COVID-19 era, cyber insurance has a significant role to play in managing the consequences of cyberattacks that happen despite hardened security.
In its effort to provide better value to policyholders who suffer a cyber attack, the insurance industry is working overtime to address the following challenges:
Low awareness of both cyber risk and cyber insurance: Many organizations don’t acknowledge the full extent of cyber risks confronting them and are unaware of the insurance coverage available to secure themselves against such risks. It is only after they have suffered a cyberattack that they realize the value of insurance. To reduce the number of such organizations having to learn about cyber insurance the hard way, we have been at the forefront of sharing knowledge with industry about the types of cyberattacks, different threat actors and the financial consequences of a security breach, so that, forewarned, they can be forearmed.
Incomplete underwriting information: Underwriters rely on information provided by potential customers wanting to buy cyber insurance to provide the right kind of insurance cover at the right terms. To make it easy for customers to provide the right kind of information, insurers require a proposal form or questionnaire to be completed by customers. Many a time this questionnaire is not answered completely, leaving the underwriter uninformed about the risk to be covered and the customer’s security preparedness to deal with cyber risk. The result is sub-optimal coverage or in some cases even no coverage.
It is in companies' own interest to provide the complete information sought in the proposal form.
Sometimes it is a lack of clarity about one’s own cybersecurity measures that makes it difficult for customers to answer the underwriter’s questionnaire; at other times there are apprehensions about providing the answers. Since insurance is a contract of utmost good faith, care must be taken to provide the information asked for by the underwriter. Insurers have started using cyber risk assessment tools to get a better picture of the customer’s security preparedness. These tools provide a cybersecurity rating, which is similar to a credit rating but on security parameters, and this recent development is helping underwriters better assess and price the risk.
Budget vs Premium: There is sometimes a debate about whether to buy cyber insurance or spend on improving cybersecurity. Even though cybersecurity budgets have increased, can any system be 100% secure? Cyberattacks today show growing sophistication. Several well-known Fortune 500 companies have succumbed to cyberattacks like NotPetya and WannaCry. A recent attack on one of the most well-known cybersecurity firms was a wake-up call for all companies that 100% security is a myth. Given the various loss prevention services that leading cyber insurance companies provide today, cyber insurance is as much an investment in cybersecurity as a spend on security hardware or software.
While cyber insurance pays the bills incurred by policyholders to deal with a data or network security breach, the benefits of cyber insurance are significantly higher, as risk assessors identify vulnerabilities, conduct security assessments and provide peer benchmarking to help clients strengthen their cybersecurity and, more than anything else, protect their reputation as reliable business partners.
* PS Market Research
Views expressed in this article are the personal opinion of Najm Bilgrami, Deputy Vice President & Head- Financial Lines, Tata AIG General Insurance.