Can you imagine a scenario in which a major cyber security event had zero impact on your business and the bottom line? It would mean that you did not need your computer files or server data, would not even miss them, and would spend no time or money restoring your information.
If that sounds like quite a stretch of the imagination, it’s because it is: cyber security events cost big money, which is why more companies are turning to cyber insurance as a means of protecting their digital assets.
Insuring Against Catastrophe
If you are in the insurance business, you understand the game of how probability begets profitability. Insurance companies use complex algorithms, looking at several key factors, such as:
- The likelihood of a particular type of event.
- The recovery cost associated with such an event.
- The premium to charge that will attract sufficient business (lower cost = more customers willing to purchase that premium).
- Sufficient influx of said premiums to pay any outgoing recovery costs and yet remain viable (and profitable).
That means that insurance companies are in the business of prediction. From natural disasters to faulty doctor decisions, they optimize worst-case-scenario guesswork to turn a profit.
But the field of cyber security is relatively new. The internet hasn’t been around anywhere near as long as the automobile, and insuring a different product works very differently. What’s more, global attacks spawn other attacks, and one data breach can lead to another, making cyber events difficult to predict.
Some Hard Numbers
Despite the difficulties associated with predicting the likelihood of a cyber attack, cyber insurance companies must do so in order to determine premiums and cost/risk assessments. Some of the costs associated with a cyber attack include:
- Lost production time when systems are down.
- Stolen data that may generate legal responsibility.
- Restoration of servers, websites, or other digital functions (which includes both physical materials, like replacing servers, computers or software, and employee compensation for digital recovery).
While these primary things might not sound like much, they can add up to billions. In fact, an “extreme event” such as the major disruption of a cloud storage service, which may host the data for a large number of clients, could cost as much as $121.4 billion. To put it in perspective, that’s as much as a hurricane like Katrina, which destroyed houses and lives across a large region.
Therefore, we are likely to see more of two things in the world of global cyber attacks: companies seeking cyber insurance, and insurance companies requiring certain preparations and infrastructure.
Just as you have fire alarms and sprinkler heads in office buildings in the event of a fire, to help minimize damage (and therefore risk and expense), the future will likely bring more demand for preparation. Companies have already started detailing what is expected of the insured, and exemptions to coverage as a result of inadequate preparation. What, then, will the insurance companies consider protection against a cyber threat? For one, expect cyber threat intelligence to weigh heavily. Just as the weather predicts a hurricane, collecting data on cyber threats and risks will help read the cyber wind.
Secondly, expect insurers to demand internal cyber threat preparation against human events. The global virus WannaCry played on unsupported Windows software. More than half of all cybercrime events are suspected to be the result of an inadvertent human error, such as weak passwords or clicking on malicious links. Insurers are taking note of such errors and want to see companies make internal employee education a priority.
Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.” Preparation, therefore, keeps costs down.