Tech-focused economic observers predict that as a global business community, we will spend more than $1bn on cyber-insurance premiums in 2016. This is astounding growth for any industry and fully supports the theory of continued market expansion within the global tech risk space.
With the merry-go-round that is the global threat landscape shifting on an almost daily basis, combined with corporate life starting to feel more and more like ‘start-up life’ (littered with organisational change and a pace of innovation driven by a fear of crippling opportunity cost), one is tempted to ask: “Why bother implementing better controls to mitigate technology risk when you can just insure against it? Surely that would mean your organisation is protected against all potential security threats. And even if your organisation did succumb to a publicised cyber-attack, there’s no such thing as bad publicity, right?” Wrong. And it’s the wrong approach to take.
At Protega, we work with numerous customers who are still getting a handle on their organisation’s technology risk profile, which makes insuring against the ever-prevalent threats almost impossible. The bottom line is: if your organisation can’t claim a comprehensive understanding of its risk profile, how can an underwriter produce a policy to cover you? To put things into context, I’d like to discuss a whitepaper on this matter which has been a hot topic throughout the Protega offices recently:
The paper suggests that 45% of United States underwriters and brokers believed that a lack of internal knowledge prevented cyber-security policies from being completed for their customers. Alarmingly, 72% of the same group stated that ‘a lack of exposure understanding’ on their customers’ part was the principal obstacle in securing sales and writing policies. An additional 40% of the same group felt that a cumbersome application process was a hindrance. These statistics point both to insufficient expertise on the insurers’ part and to a severe lack of structured, comprehensible data from customers as the primary obstacles in insuring against technology risk.
The reality is that cyber insurance is not the answer to all of your technology risk concerns. Reading just one of the vaguely drafted policies openly available should instantly set alarm bells ringing around your organisation’s board room. Could your business truly rely on the policy if and when you are hit?
To be unequivocally clear: I believe that cyber insurance is actually one of the most valuable steps our industry has taken in quite some time. I also believe that a well-defined policy could (and should) be a tremendous asset to your company in the mitigation of tech-driven risk for the foreseeable future. The point, however, is that simply selecting a seemingly all-encompassing policy will leave your organisation grossly exposed and prevent true cover against the numerous risks that are out there.
The only way to ensure your organisation gets maximum value from a cyber-insurance policy is to first assess and understand your company’s risk exposure, which will highlight where a targeted attack would hurt your business most. Once you have established a priority list of organisational risks, you can then begin to mitigate these threats through quality policy creation and continuous first-rate standards of IT practice and systems. This will need to be followed up with the promotion of consistent, solid security awareness among all of your employees.
Then and only then can you insure against the remaining risks.
If this article sparked your interest, why not check out Protega’s other blog posts on our LinkedIn page.