Cyber Insurance – what’s the dish?

Insurance contracts have been around since the 14th century. The first known insurance contracts date from 1347, having been written in the maritime and commerce powerhouse that was the independent city state of Genoa in Italy. In the years that followed, maritime insurance took off, and premiums were varied alongside risk factors.

Fast forward a few hundred years, and you would be hard pressed to find something that you can’t insure. In 1993, a restaurant critic insured his palate; Bruce Springsteen has insured his vocal cords; and legendary crooner Tom Jones has a policy protecting his chest hair. Whilst these are the weird and wonderful, they all share one thing in common – they are all physical, tangible things. Many damage or coverage policies require damage to be precise, and more often than not this requires attribution to what caused the damage.

What are the hurdles?

This proves to be especially difficult to manage in the age of the cyber-attack. Identifying the exact cause and proving attribution of a cyber-attack can be a significant challenge, threatening to put a major spanner in the works for the cyber insurance industry. The ongoing disputes between Mondelez and Zurich, and now DLA Piper and Hiscox, threaten to scupper this industry before it sets sail.

You can attribute damages to your garage by the storm that caused the tree to fall on it and break the roof. Attributing a cyber-attack to a country, a person, group, or an Advanced Persistent Threat (APT) is far more difficult. The problem of attribution is one that the cybersecurity industry faces on a daily basis. Obfuscating the origin of cyberattacks is normal practice and therefore clarifying the origin of an attack is difficult. Mondelez’s policy, however, did not cover attacks by nation states, and nor did DLA Piper’s.

Unfortunately for consumers and businesses, Europol believes that a growing number of large cyber-attacks will be nation-state backed in origin. This makes for uneasy reading, should a company that holds our personal data be hacked by an unfriendly nation. As stated above, the second big question in the insurance industry is this: how can you underwrite data, whilst incorporating the level of risk that a country might pose to a specific company?

Is it even a good thing?

The industry still needs to figure out the above niggles, so is cyber insurance really worth it in the meantime?

For larger businesses, cyber insurance could lead to a culture of the bare minimum when it comes to cybersecurity, simply to adhere to policy. This is, of course, a bad thing, and would be to the detriment of proper and sound security policy steeped in regular investment in solutions and continuous monitoring and testing. Continued pay-outs would of course not be good for a nascent industry; reaching into its pockets before it has had a chance to grow and create profit would create significant growth problems. Couple this with adversaries that are better equipped and more motivated to be antagonistic than before and you have a major issue.

However, if you look at this from an SME’s point of view, for example, you get a very different picture. Paying out compensation or fines after a breach often isn’t feasible, and could spell the end for many smaller businesses. Cyber insurance could offer a safety net to the powerhouse of the UK economy, and allow it to learn from its mistakes – and more crucially: survive.

So, what to do?

Cyber insurance has its place, but businesses of all sizes need to understand cybersecurity and data regulations before they explore insurance policies. This is crucial for determining the level of investment in cybersecurity solutions and services that will complement any cyber insurance policies. Selecting best-in-show solutions for specific problems, and combining them with an insurance policy that works for that specific business, is the way forward.

However, selecting those tools can be tricky, and even more so if your business doesn’t have a dedicated security team that knows how the security industry works. That is where a trusted partner can come in, and help you build a robust strategy that will work for your business, and allow you to focus on moving forward, whilst having the peace of mind that should the unimaginable happen, you’ll be prepared.

If you want to know more, why not contact us and see what SecureData can do for you?
