How Much Cyber Insurance is Enough?

01 June 2017

If, like me, you think that paying more will guarantee greater safety then you may well be right.

I put an emphasis on may.

Because cyber coverage is still largely unknown by consumers and difficult to place by underwriters.

If, as a business, you do not know how to identify your own threat risks, then can you really trust your insurers?

Broadly-speaking, there are three broad areas most companies would consider cyber insurance for:

1)    breaches of Business-to-customer (B2C) e-commerce or a breach at a physical retail store,

2)    protection of intellectual property, trade secrets and the PII of employees and recover from a breach into a manufacturing facility,

3)    an Internet of Things (IoT) event.

Now, according to the experts, there is limited value proposition in cyber insurance for B2C cases. So, for a nation of consumers, this will ring alarm bells.

Intellectual property, meanwhile, is difficult provide a financial value for what could potentially be lost because of variables such as who the attacker is, whether they are a nation-state or if they are simply a competitor looking to gain an upper-hand. Perish the thought!

But the IoT events are becoming the most talked about within the cyber insurance industry, but just how does it plan on addressing the growth of IoT devices and the risk of cyber-related events targeting connected manufacturing facilities around the world? These include some of the most routine, day-to-day transactions which, when taken in that context, is easy to see why it overshadows a sector such as retail and commerce above.

Given it essentially covers all business types and sectors, companies need to put a value to a cyber event and explain it in a way that will make business sense so they can explain it to the insurance company. This is not always easy, and so a thorough risk assessment and threat management plan needs to be incorporated by professionals and cyber experts.

Fortunately, there are cloud-based enterprise risk management products out there which can help companies determine specific values to a security breach as it combines modern analytics with the Factor Analysis of Information Risk (FAIR) methodology.

FAIR breaks an event down into two discrete categories:

1)    Primary loss includes downtime and response and replacement costs

2)    Secondary loss which takes into consideration fines (such as those due to come in under the EUGDPR next year), reputation loss, reimbursement of money stolen and the cost of credit monitoring services.

Naturally, such products would require time and cost to be fully workable.

But the important point here is that all businesses need to understand their risk profile, and particularly those which do business in or with countries with higher than normal levels of fraud and cybercrime, like Russia and Eastern Europe.

Companies also need to use available tools to get a better sense of what a breach will cost.

For further advice on cyber security threat management planning, contact Aaron Pearson at Three Graces Legal on 0151 659 1070 or This email address is being protected from spambots. You need JavaScript enabled to view it. or This email address is being protected from spambots. You need JavaScript enabled to view it.