19 December 2019
If, like me, you think that paying more will guarantee greater safety, then you may well be right.
I put an emphasis on may, because cyber coverage is still largely unknown to consumers and difficult for underwriters to place.
If, as a business, you do not know how to identify your own threat risks, then can you really trust your insurers?
Broadly speaking, there are three areas most companies would consider cyber insurance for:
1) Breaches of business-to-customer (B2C) e-commerce or a breach at a physical retail store.
2) Protection of intellectual property, trade secrets and the personally identifiable information (PII) of employees, and recovery from a breach of a manufacturing facility.
3) An Internet of Things (IoT) event.
Now, according to the experts, there is a limited value proposition in cyber insurance for B2C cases. So, for a nation of consumers, this will ring alarm bells.
Meanwhile, for intellectual property, it is difficult to provide a financial value for what could potentially be lost because of variables such as who the attacker is, whether they are a nation-state or if they are simply a competitor looking to gain an upper hand. Perish the thought!
IoT events, however, are becoming the most talked about within the cyber insurance industry. Just how does the industry plan on addressing the growth of IoT devices and the risk of cyber-related events targeting connected manufacturing facilities around the world? These include some of the most routine, day-to-day transactions; taken in that context, it is easy to see why IoT overshadows a sector such as retail and commerce above.
Given that it essentially covers all business types and sectors, companies need to put a value on a cyber event and express it in a way that makes business sense, so they can explain it to the insurance company. This is not always easy, so a thorough risk assessment and threat management plan needs to be incorporated by professionals and cyber experts.
Fortunately, there are cloud-based enterprise risk management products out there that can help companies assign specific values to a security breach by combining modern analytics with the Factor Analysis of Information Risk (FAIR) methodology.
FAIR breaks an event down into two discrete categories:
Naturally, such products would require time and cost to be fully workable.
But the important point here is that all businesses need to understand their risk profile, particularly those that do business in or with countries with higher-than-normal levels of fraud and cybercrime, like Russia and Eastern Europe.
Companies also need to use available tools to get a better sense of what a breach will cost.
This article is provided free of charge for information purposes only. It does not constitute legal advice and should not be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary set out in the article, or for any consequences of relying on it, is assumed or accepted by any member of the law firm.