The insurance gag goes: “I think you misunderstood. The million-dollar umbrella policy only covers you for claims involving an umbrella.” It’s just a joke, but there could be an ounce of truth to it when it comes to understanding what your hard-earned money will insure you against – particularly when buying an emerging product such as cyber insurance.
The numbers around the growth of cyber insurance are impressive. It is one of the fastest-growing areas of the insurance industry, with growth rates of 28% year-on-year and rough estimates of global annual premiums between $3-4bn. With mandatory data breach reporting laws on the horizon, more Australian organisations are beginning to see cyber liability insurance as a standalone policy and a way to manage unplanned expenses in the event of a breach. These expenses are usually caused by forensics investigations, containment, remediation and the effects of business disruption.
But the cyber insurance industry is complex and the dynamic nature of cyber threats poses a challenge for calculating cyber insurance premiums.
Professor Shaun Wang, Director of the Insurance Risk and Finance Research Centre at Singapore’s Nanyang Technological University, spends much of his time running a public-private partnership project involving industry, academia and government to tackle challenges facing the development of a robust cyber risk insurance marketplace.
Launched in 2016, the Cyber Risk Management (CyRiM) project, which also counts Verizon as a contributor of publicly available and anonymised cybersecurity intelligence, is seeking to develop a more reliable methodology or benchmarks for calculating premiums for both insurers and their customers.
How do you determine the likelihood (vulnerability) of a company’s weakness being exploited? What is the likely loss amount from a data breach? How does a company’s cybersecurity spending impact its cyber insurance premium? Those are some of the questions the CyRiM project is hoping to address.
There is also a gap between current cyber insurance product offerings and the perceived need by organisations.
When considering cyber insurance products and policies, executives need to be sure they include the packaging of pre-event prevention – including cybersecurity and incident response capability assessment, proactive threat monitoring and mitigation and post-breach response services.
Policies also need to provide broader coverage of losses from data breaches, for example, by removing exclusions and reducing waiting times for losses incurred from business disruptions. Ultimately, insurers will be compelled to partner with information security service providers in the midst of a breach.
Greater sharing of data breach information, which we will see here in Australia from February 22, will force the industry players to collaborate more closely than ever before.
Cybercrime is almost never random. There are usually patterns – which means predictive analytics and data have an important role to play in enabling the good guys to stay ahead of the game. In particular, cyber insurance is an effective risk management tool for unregulated industries and for small and medium businesses that don’t often have the funds to fend for themselves.
Ultimately, for Professor Wang and his team of experts, the biggest challenge is making sense of sketchy historical data and piecing it together to develop a methodology with data feeds of emerging cyber threats and historical economic losses.
It’s been almost two years since the project’s inception and the CyRiM team has reached a key milestone: developing an analytical framework for quantifying an organisation’s cyber threat attack surface and the cost-benefit analysis of cybersecurity spending. This will help businesses measure up against best practices in both pre-breach mitigation and post-breach response, as well as in customising cyber insurance policies to better estimate cyber insurance premiums.
Robert Le Busque is Verizon’s Managing Director for Australia, New Zealand and India.