In a presentation at the inaugural Cyber Security Start-up conference in London on Wednesday, Philip James, partner in the technology and digital media groups at Sheridans, spoke about intellectual property, security and how critical cyber-insurance is to a company’s security strategy.
He mulled over what coverage cyber-insurance policies give you, and whether it can also cover suppliers such as web-hosting companies. This question alone, suggested James, should be one companies, including start-ups, are asking themselves.
“If you have an insurance policy hopefully it will cover certain instances, such as for PR and penetration testing costs, but it might not necessarily cover everything. There will be exclusions, and it’s important to look at all of these.”
James also said that cost could be an issue, citing one ‘sizeable’ customer who had been quoted £100,000 a year for a ten-year insurance cover. “It’s not workable at all,” he said, further adding that companies would naturally split security expenditure as a risk mechanism. “Don’t put all your eggs in one basket.”
James picked up on his point highlighting a former boss of his – a CISO at a small financial services company who would later move onto to the CIO position, who didn’t care if Russian hackers were “bleeding £50,000 to £60,000” from his company a day, so long as they didn’t interfere with the platforms generating billions of pounds each day.
“It’s that scale, and about having that perspective,” the lawyer added.
Sarb Sembhi, director at Storm Guidance, was also at the event, and speaking to SCMagazineUK.com afterwards he said that the market is still in its infancy.
“I think it’s true that there are exclusions,” he said, citing policy limitations and terms and conditions as potential loopholes.
“One of the problems with insurance policies is every policy may be different in how they define what malware, a virus or a PC is…or you may find out it doesn’t cover a member of staff, which doesn’t make sense in this age where insider attacks are just as likely.”
He admitted that there is a ‘danger’ cyber-insurance gets used instead of – rather than as a bolt-on to – good security practices, but expects this to change over time.
“I think there’s a danger that might happen in some cases, but this happens with immature products. The premium for these people adjusts accordingly as the market matures.”
Part of this maturity, says Sembhi, could see cyber-insurance follow the health insurance market in adopting an assessment before a premium is quoted – which enables the insurer to evaluate the risk before agreeing to a policy.
Sembhi’s Storm Guidance is currently working with the Association of British Insurers (ABI) on a good practice guide for cyber insurance policy wording.
Cyber-insurance is expected to grow exponentially this year and during this last week alone, there have been some good examples of an emerging trend. One cyber-risk expert at German insurer Allianz told WSJ that the “number of deals had increased significantly”, while Lloyds CEO Beale said that 90 percent of insurance is being purchase by US firms.
“The US companies are ahead of the curve,” said Beale when speaking to Fortune. “Insurance used to be about concrete, protecting the loss of physical things. Now you have to get companies to insure against more intangible things.”
She added that the maximum cyber-insurance coverage any firm can purchase from Lloyds is US$ 300 million (£198 million). UK insurer Axa is considering offering similar policies in the country.
But James and Sembhi are not the only ones to cast doubts on cyber-insurance policies and premiums, as well as how secure these firms are themselves.
Shaun Crawford, global head of insurance at EY, said in an email to SC at the start of the year: “Cyber-risk will certainly be one of the biggest challenges to the insurance market in 2015. Cyber-crime is a moving beast, making it impossible to quantify the risks neatly or to calculate them in an informed or consistent manner. With so much unknown, it’s not surprising that premiums are wildly different across the market, and without cross-market stability, the industry will most likely be operating on significant indemnity losses.
“It will no doubt be a matter of time before insurers simply refuse to accept the undefined transfer of risks. But, in the short term, it is likely that they will start to demand evidence of adequate cyber-risk controls from businesses that demonstrate they are taking cyber-crime seriously and are taking the necessary steps to avoid opening themselves up to attack. This will present a whole new problem of benchmarking what does and does not constitute ‘adequate control’, which could put a spanner in the works, and result in cyber-risk effectively being incompatible with the insurance model.”