Cyber is one of the hottest topics in insurance and, as a line of business, it’s projected to experience phenomenal growth in the years ahead. But cyber is still a relatively new market and can be made unnecessarily complex by industry jargon, buzzwords of the day, and a lack of standardization in policy wordings. As such, many companies find themselves confused about how cyber insurance actually works and are skeptical about whether it makes sense for their business to purchase a policy. To clear up the confusion, here are six of the most common misunderstandings that businesses tend to have about cyber insurance and how to overcome them.
“We don’t need cyber insurance. We invest in IT security…”
This might be the single most common objection to purchasing a cyber insurance policy. Not purchasing a cyber policy because you have ‘good IT security’ is akin to suggesting that you don’t need theft cover on a property policy because you have high-quality locks on your doors, or fire cover because you have a sprinkler system in place.
There is a big difference between vulnerability and risk. And while a client that has invested heavily in IT security may be less vulnerable to certain types of cyber attack than an organisation that has invested very little, they still have risk exposure. Cyber threats are rapidly evolving and there are a plethora of ways in which attackers can access networks.
Even large corporations that spend vast amounts of money on IT security every year still get hit. People are often the weakest link in an organisation’s IT security chain.
According to IBM, 95% of successful cyberattacks and incidents are the result of human error. Technology and training may reduce the likelihood of an employee accidentally clicking on a malicious link in an email, or being tricked into transferring funds to a fraudster as part of a social engineering attack, but it can’t eliminate those risks completely. And no amount of investment in IT security can stop employees from leaving their laptops on a train or a rogue employee from releasing sensitive data on the internet.
The short answer
No matter how much a company invests in IT security, they will never be 100% secure. The purpose of an insurance policy is to respond in the event that the worst happens.
“We outsource all of our IT, so we don’t have an exposure…”
Using a third party for IT might change your exposure, but it doesn’t eliminate it.
Consider what happens in the event of a data breach. If an organisation outsources their data storage to a third party and that third party is breached, they could be forgiven for thinking that responsibility for notifying affected individuals and dealing with any subsequent regulatory actions that may arise would rest with the breached third party. But that’s generally not the case.
If an individual has entrusted their personal data to an organisation, it is the organisation that is responsible for looking after that data, regardless of whether or not a third party is utilised to look after it.
If that data is lost or stolen, then it is the organisation that will be accountable for any notification requirements, regulatory investigations, fines or penalties that do arise, and it will be their reputation that suffers, not the third party’s. Of course, it isn’t just breaches of data at outsourced IT providers that could leave
Many businesses rely on third parties for business-critical operations, and should those providers experience a system failure, it could have a catastrophic effect on the company’s ability to trade, resulting in a business interruption loss and additional costs incurred to continue trading. Claiming back these losses from a third party can also prove to be easier said than done. Most third-party technology service providers tend to have standard terms of service that completely limit their liability in the event that a breach or system outage causes financial harm to one of their clients.
The short answer
Even if you outsource your IT, the chances are you’re still liable. Assuming you’ll be successful in claiming back damages from a third party is a risky gamble.
“We don’t collect any sensitive data, so we don’t need cyber insurance…”
Cyber insurance is about much more than data breach and privacy risk. In fact, two of the most common sources of cyber claims are funds transfer fraud and system damage or business interruption as a result of ransomware. Funds transfer fraud is often carried out by criminals using fraudulent emails or conducting social engineering over the phone to request the transfer of funds from a legitimate account to their own.
In many cases, fraudsters will pose as a senior executive appearing to give urgent instructions to a junior employee. Any business that wires money to and from a business bank account is susceptible to funds transfer fraud, and many of the victims of these losses hold next to no sensitive personal data. Additionally, 2017 saw the WannaCry and NotPetya ransomware outbreaks cripple many organisations within the manufacturing and logistics industries.
These attacks did not involve the theft of data, but rather the freezing or damage of business-critical computer systems. NotPetya alone is estimated to have cost businesses over £1 billion, and nearly all of that loss was due to operational disruption leading to large drops in turnover and the significant cost of rebuilding or replacing systems. The core exposure in both cases was not data breach but system business interruption and system damage.
The short answer
Any business that relies on a computer system to operate, whether for business-critical activities or simply electronic banking, has a very real cyber exposure.