Think your insurance will protect you in a cyber attack? Think again

General policies can leave businesses wide open when they’re targeted.

By Killian Woods Reporter, Fora

ALTHOUGH BIG IRISH companies have started to treat cyber security more seriously, the same cannot be said for many of their smaller rivals.

Data breaches now rank as one of the top issues for large firms, but only 1 in 10 SMEs view cybercrime as a business risk.

Zurich Insurance head of financial lines Scott Diamond told Fora it was a danger few small firms were prepared for as businesses generally weren’t covered for cyber attacks.

“There is perhaps a misconception among (small) companies that maybe they do have cyber insurance cover as part of their normal commercial insurance programmes … whether that’s public liability or employers liability.

“That is definitely the wrong way to be thinking. If there was a small element of cover available under one of their other commercial policies, it generally would not be adequate to deal with a cyber breach.”

In a world where hackers are often smarter than the safeguards trying to keep them at bay, cyber attacks remain an unfortunate modern reality for business.

Notable data breaches in recent years include the infamous attack on US retail giant Target and the breach of Home Depot’s system that saw the payment details of 56 million customers stolen.

In Ireland, ransomware has become a popular method of extortion used by hackers, who essentially hold a company’s data hostage until ransom fees are paid.

Kaspersky Security Bulletin 2015

AIG Ireland financial lines manager Louise Kidd said every company needed some protection from the financial losses that could come with a data breach.

“It’s not just major public companies that are seeing these kind of breaches,” she said.

“It has reached across the spectrum … be that a small accountant or solicitor, right up to the top public listed companies in the country.”

Mitigating risk

Not shy of capitalising on an opportunity, the insurance industry has responded to the rise in cybercrime worldwide with standalone cyber insurance policies.

High-profile breaches, such as the embarrassing Sony hack of 2014, had previously pushed up premiums for those firms that do look for financial protection.

More recently, however, rates have begun to slide as a decrease in cyber attacks led insurers to cut prices for businesses previously considered high risk in the retail and healthcare sectors.

PwC Ireland partner Paraic Joyce said the cyber insurance industry is one with a lot of potential, but it is being held back because of the difficulty in pricing policies.

“What’s holding them back is the lack of data in terms of the incidents themselves and the costs of those incidents is making insurance companies a little bit nervous about plowing ahead,” he said.

“Certainly the market is there and the (insurance) firms who get there first and price it properly will be in for a significant benefit.”

That “benefit” could be worth a couple of billion. Annual cyber insurance sales could reach $7.5 billion (€6.7 billion) by 2020, an increase from $2.5 billion this year.


Cyber insurance in Ireland

Despite the Irish market for similar policies being relatively undeveloped, there are a few options for businesses willing to pay the price for peace-of-mind.

Four years ago, AIG launched a standalone policy called CyberEdge for firms trying to mitigate any losses from cyber attacks.

Kidd said the company also had a “cyber breach team” that was available around the clock to respond to any attacks.

“They would go in for a period between 48 and 72 hours and do what we call contain and control,” she said.

“At the end of that period, they write up a report and inform the business of the situation and how the policyholder would need to correct things to bring their systems back in line following the breach.”


Market will adapt

Meanwhile, in the near future, the appetite for cyber insurance has been predicted to spike as more-stringent EU rules on data protection are introduced.

Diamond said the new regulations could force businesses to fork out for expensive cyber insurance policies due to the costly repercussions of mishandling data.

“More customers buy (cyber insurance) in the US because the rules are more onerous … and the frenzy around hackers is a lot greater than what it would be here in Ireland.

“There is a new piece of EU data protection regulation coming in that will put increased obligations on how companies deal with data on a day-to-day basis.

“It’s only a matter of time before things change here locally. There have been a number of breaches in Ireland in recent times and businesses here are starting to turn on.”