Cyberspace has become a dangerous source of crime and disruption. Data breaches are increasing both in terms of size and frequency, and companies need to rethink their risk strategies, especially when it comes to cybersecurity and insurance protection. Businesses can no longer simply rely on existing traditional insurance coverages such as general liability or property, and should be looking at the procurement of standalone cyber policies, not only to ensure the organisation is fully protected financially, but also for the risk-mitigation services that frequently accompany such policies and allow companies to become more cyber-resilient.
Cyber risk is still a difficult area for many companies to get their arms around. It is constantly evolving, is full of complexities and involves intangible data, which presents a challenge for many companies. However, boards are starting to get more involved and taking a high-level and holistic approach to how cyber matters are handled within organisations – and this is good news.
Changing regulations are also having an impact on the cyber landscape. In Europe, the recently enacted General Data Protection Regulation has spurred a spike of interest in cyber insurance policies. The US has long been considered to be a more mature market and has had data breach notification laws for many years, but it is worth remembering that every state in the US has a slightly different variation on what is required in terms of notification.
This can create a significant challenge for international companies that operate on a global basis, as not only the laws of the US and EU could apply, but also laws in Australia, Singapore and Mexico, to name a few. Brazil will also have a new law coming into effect in early 2020 – and the numbers continue to grow. It can therefore be a challenge for companies to understand which laws have to be complied with, and to whom and how notification has to be made. A standalone policy will provide the services of a network of experts to enable a company to follow that compliance process.
From an insurance standpoint, there is a growing awareness that traditional property-casualty policies were never designed for cyber-related risks. Standalone cyber policies, on the other hand, have been specifically designed to respond to these incidents and address the expenses and costs associated with cyber-related risks that a business might incur.
For example, a typical cyber policy will afford coverage for privacy breach costs that are generally incurred as a result of data breach notification laws, such as credit monitoring expenses, legal expenses, public relations and crisis management, and forensic investigations. Insurers also have relationships with expert firms that are well versed in cyber incidents. This is crucial because, every hour, every minute, is of the essence when responding to a breach.
But there is still an education process required around cyber policies, especially for mid-market companies that often have to weigh the cost relative to the scope of coverage provided. That said, publicity around cyber events has undoubtedly increased awareness of the need for cyber policies. Cyberattacks are increasing in terms of frequency and size, across all regions and all sizes of companies. There has been a significant surge in data breaches since 2015*, and the scale is getting much bigger in terms of the number of impacted records and the magnitude of business interruption.
We work with companies to help them become as cyber-resilient as possible. This is partly about helping them to protect their data and networks as best they can. But it is also about ensuring that they are fully prepared in the event of a cyber incident, have embraced cyber resilience at all levels of the organisation, and continue to improve and build their resilience over time.
There are three main elements to a successful cybersecurity strategy. First, it is about building a culture of awareness: making sure that the board of directors is engaged in the process and is setting the tone at the highest level, and making sure that this filters down through the C-suite, to senior management, all the way down to the employees, as they all play an important role in keeping themselves and their company cyber safe.
Secondly, it is about adopting a mindset of resilience. You can educate employees and have the best firewalls and intrusion-detection software, but at the end of the day an incident can still happen that affects the network and causes a data breach or a disruption. In the event of an incident, how quickly can you get back up and running? Organisations that have adopted that mindset of resilience are the most successful in handling any sort of cyber incident.
Thirdly, it is about practising – have a business continuity plan, a disaster recovery or incident response plan in place, but also practise it on a regular basis, engage in drills and exercises and different scenarios, just as you would with a fire drill.
The next frontier
Companies now have a much greater appreciation of the coverage included in cyber policies and the services that wrap around these products, whether that is pre-breach mitigation or post-breach response. These are important to ensure that a company is prepared for a cyber incident. It is all about cyber resilience, as for many big businesses, the question is not whether a cyber incident might occur – it’s simply a matter of when.
*As per Privacyrights Clearinghouse (www.privacyrights.org).
Contributed by Lori Bailey, global head of cyber risk, commercial insurance, Zurich Insurance Company