Do you trust cyber insurance products?

Virtually every business now has some form of online presence. From the smallest startup to the largest multinational, the internet provides substantial and wide-ranging benefits. But it also presents some significant challenges – arguably none greater than cyber attacks.

The scale of the problem is demonstrated by a recent study from Isaca and the RSA Conference, which revealed that more than four in five organisations expect to be hit by one of these attacks at some point in 2015. Adding to this fear is the difficulty of recruiting sufficiently skilled professionals for vacant security jobs: 35 per cent of respondents said they were unable to find people to fill these positions.

Furthermore, research from KPMG found that 79 per cent of businesses believe cyber security threats are likely to increase over the next 12 months, with three in four predicting that the biggest threats will come from organised crime and state-sponsored activity.

Given these concerns, insurers offer a set of insurance products designed to protect businesses against losses from cyber attacks. But do they work, and are they proving popular with security heads?

What does cyber insurance actually do?

Cyber insurance is not a new service – these products have been on the market for around ten years, although a significant number of security professionals appear to be largely unaware of them.

A range of products can be grouped together under the umbrella term ‘cyber insurance liability cover’. Although the specifics vary from package to package, coverage can include:

Extortion liability cover – protects against losses related to a threat of extortion, plus professional fees for dealing with the threat.
Data breach cover – this can include coverage against the cost of managing such an incident, as well as legal costs and regulatory fines.
Network security liability – provides protection against third-party damages stemming from denial of access, along with costs for data theft on third-party systems.

What do senior security heads think of cyber insurance?

The potential benefits of cyber insurance coverage are clear, and the size of the threat posed by such an attack is substantial. Yet despite these factors, it appears that senior security professionals are unconvinced by these insurance products. Three-quarters of businesses surveyed by KPMG had not taken out any form of cyber insurance, despite the overwhelming majority of firms predicting an increase in attacks.

Numerous barriers to adoption exist, with many stemming from a general lack of trust in insurers and specific concerns about the products themselves.

Almost one in three information security professionals surveyed were worried that the cyber insurance market is not yet sufficiently mature.

Furthermore, of those businesses that have purchased cyber cover, almost half believe that the policy may not pay out if they need it.

Mark Waghorne, head of KPMG’s International Information Integrity Institute (I-4), admitted it is “worrying” that so many businesses are prepared to forego insurance to protect against a threat that they view as increasingly serious.

“Insurers will need to deliver more comprehensive packages in order to convince the business community that they can and will protect against losses on cyber crime,” he added.

“However, discussions during a later debate at the most recent I-4 Forum showed that the availability of specialist, focused cyber-related insurance has much improved during the past year, with clear evidence that carriers do pay out.

“Indicating that those organisations which have avoided cyber insurance in the past should perhaps revisit their positions.”

Our 2015 Security Market Report combines our review of the prevailing conditions in the security recruitment market together with the results of our 2015 employer survey.