(Ping! Zine Issue 59) – In the cyber age is business insurance set to become a thing of the past now that a company’s main assets are data, an electronic presence and its reputation?
I am an insurance broker and make my living from providing insurance but I would be lying if I did not admit that insurance is a waste of money – unless you need to make a claim. I can cite numerous examples of clients who have paid a small fortune in insurance and never claimed but I can also give many examples of catastrophic claims that have been settled to policyholders who paid a pittance. But these claims involved physical damage to property or bodily injury to persons, now we are in a world where so many important things are intangible, virtual or in the cloud is there a need for insurance?
A few years ago a decent laptop would have been expensive and worth insuring, today a lost or dropped laptop can be replaced for less than the policy excess, so why bother claiming? Why bother insuring? An office with 20 computers and desks might be different, there is more at risk and the cost of a big claim could be difficult to shoulder. Therefore most businesses would cover their equipment and probably some business interruption costs should a major claim disrupt their operation or force relocation. However, a well prepared business could rent a new office, buy some new PCs, restore the computer backup and be running as normal within hours.
Perhaps this is an extreme example but it makes a point. If a business puts good risk management and security in place and has good business continuity and disaster recovery plans then the likelihood and severity of a claim will be reduced. Therefore it could be argued that the need for insurance is minimised. Realistically not many companies would be prepared to go without insurance but it could be tempting, especially for firms who are confident that the real value of their business is safely stored on a backup tape or distant server.
So is it as simple as that? Assuming the backup can be restored, the staff are still there and the business continuity and disaster recovery plans work correctly then perhaps; assuming the cause of the claim is something old fashioned like fire, theft, flood or storm. But what about modern threats to a modern business? A proper insurance assessment will look at what a business is dependent upon, thereby what needs insuring. For most businesses this will often be data – its storage, retrieval and transmission. So that lost laptop may only be worth £300 but how valuable is the data it holds and can that data be insured?
Some insurance companies are starting to respond to the importance of data and the new threats with insurance policies known under the generic term of ‘cyber liability insurance’. This rather vague title encompasses a real mixture of insurance polices of varying quality and scope; some provide very limited cover and are filled with restrictions whilst others offer genuine and comprehensive cover to businesses. The UK market is still in its infancy but a decent policy might offer the following covers:
· Loss, damage or corruption of data
· Business interruption / Lost income
· Forensic investigation costs
· Legal defence costs and financial penalties by regulators
· Reputational & public relations costs
· Cyber extortion
· Notification costs and credit monitoring service
It should also cover both first party losses (your own) and third party losses (other people’s) resulting from either accidental or malicious causes.
Anyone who follows the news will have seen the dramatic rise in cyber security stories concerning cyber warfare, cyber criminals, lost disks, viruses, malicious staff, malware, espionage, hacking, data protection, social media scandals, extortion, denial of service, worms, phishing, etc. Many of these stories involve international corporations or governments so can create an attitude that cyber risks are someone else’s problem. Unfortunately this is not the case and a little deeper reading will reveal the disturbing scope of the problem, not just of targeted hacks which make the best news, but everyday viruses and disgruntled or clumsy employees.
So if we return to that very model of a modern business, with its risk assessments, its physical security, its computer backup and its confidence that in the event of a disaster it can just rent a new office and start again – how safe is it from an employee accidentally emailing confidential customer data to his entire address book? What about the disgruntled member of staff who shuts down the system? Or the email that looks genuine but contains malware? How about your cloud provider whose postal address is in the UK but is actually who knows where? Or the staff who are encouraged to use their own smart phones and take laptops home on the bus? And the data stick you found next to your car? And the bloke who says he is from your IT support firm who spent half an hour on your system and made himself a cup of tea? And if your password is your dog’s name can we see photos of your dog on Facebook along with your date of birth, holiday plans and mother’s maiden name?
Suddenly the perspective of business risk catches up with the reality of the modern era. The first step is clearly to protect these assets and valuables with decent security measures. These need to be technological, physical and cultural – there is no use having an expensive firewall if it is never updated, the back door is unlocked and passwords are on post-it notes. A good way to do this would be to achieve or follow some of the principles of a cyber assurance standard such as IASME or ISO27001. Secondly, consider insuring against cyber risks with a decent cyber liability policy. Most of us have experienced the helplessness of computers freezing or the internet going down so imagine the consequences of a serious breach or data loss to your business in terms of costs, lost revenue, lost reputation, customer claims and data protection penalties.
But even if the idea of another insurance policy is not appealing there is evidence that cyber liability insurance could become a prerequisite in the tendering process making it a necessity in the supply chain. Businesses will not want to trade with organisations that might lose or damage their data unless there is insurance in place to compensate. Therefore, even if you still think insurance is a waste of money your customers and suppliers may disagree.