The problem with Cyber insurance
There is cyber insurance, cyber insurance and then there is cyber insurance.
Confused? Well, you are not on your own. It’s an absolute minefield of terminology, jargon and this tech stuff, much of which bores the pants off many people.
Cyber attacks, hacking, call it what you wish, it’s going at such a pace that the level of innovation by the hackers is astonishing, in fact bordering on fascinating. Those being hacked and those providing cyber insurance cover cannot keep up with the pace.
Although the cyber insurance landscape is starting to level out, there is still somewhat of a rush by insurers to have the best product available. When an insurer launches their all-singing, all-dancing cyber insurance policy, the fanfare is soon over because the following month it all starts again, but with a different insurer who is going to launch their product with a few tweaks. This is shortly followed by the next; anyway, you get the picture.
The history of cyber insurance is still relatively short, but its meteoric rise to stardom in the world of insurance products hasn’t quite reached its true potential and from a broker’s point of view, well, those that have a good understanding, it still has a way to go.
Sitting at a table in a recent industry convention minding my own business I was joined by a couple of insurance brokers, the subject was cyber insurance and how they manage to sell it, a lot of it, to their clients.
The question eventually came round to me, them asking me: do you sell quite a lot of cyber insurance? Because we do. It’s so cheap and it’s quite easy and of course everyone needs it. The look of dismay crossed their faces when my response, simple as it was, was quite negative… No was my response.
Sitting there looking rather puzzled, they couldn’t figure this one out so I couldn’t wait to explain my, what seemed to them, madness.
I explained that there are cyber products and there are cyber products and unless you really understand what you are selling it’s somewhat dangerous because to most clients the word cyber is far too encompassing, thinking they have wide ranging cover when actually they don’t.
Buying a cyber insurance product can be a little like buying certain makes of car: you don’t know what’s missing until you need it.
Having sold the product to you, our clients, you can rest in the knowledge that you have a cyber insurance product that comes with all the cover you need, or can you?
Do Cyber Policies include Crime and Social Engineering?
As explained to the now even more puzzled industry colleagues, receiving the telephone call six months into the policy from a client who has just paid £10,000 to some hacker in Russia to be told, oh sorry the insurance you have doesn’t cover that, is somewhat sobering for the client and a little twitchy for the broker.
But I have a cyber policy, ah yes well what you have just done is paid the money to the crook in Russia voluntarily, they have asked for the money and you have paid it.
That isn’t cyber, that’s called social engineering and is crime which is a different thing altogether and needs either additional or separate cover, it is available but doesn’t necessarily come included with most cyber products.
The thing is, it’s like anything else, you get what you pay for and unfortunately in instances such as this where you really do need the cover it’s not necessarily there as standard.
Do you really need Cyber Insurance?
I went on to explain, do clients need cyber insurance cover, yes without a doubt, given the amount of cyber breaches and the number of businesses hacked it goes without saying, of course they need it.
The question then is do you want it? There is a difference between need and want, and brokers cannot make that decision. How does the saying go, we can take the horse to water but… well you know the rest.
See the problem with Cyber insurance at present is it can prove rather expensive for the covers that are really needed. But consider this, if a business is down for an hour because of a network hack then the business will probably survive and put it down to experience and probably blame their techies for not plugging the gaps.
What if it’s days? What if there is a considerable amount of damage and, what’s even worse, there is the potential for reputational damage? The premium can then become insignificant. Even some of the world’s largest companies have been hacked, so smaller businesses can be an easy target.
Even 12 months ago talk was around the likes of the NHS being hacked, TalkTalk and similar, and the very basic levels of security some of these companies had. These were the days when ransomware was rife, and opening that email that said you have a speeding fine, look at the mugshot attached to make sure that it was you, seems from the dark ages, yet people still get caught by such things today.
Can I just reinstate the data?
Once your network was locked it was a simple case of getting your techs in to rescue your files and reinstall your data, all very easy… well, not so.
What you didn’t know of course was that before it all happened some rogue in downtown wherever had put a bit of software on your system that you were actually backing up every day.
The ransom demanded that you pay silly money to get access to your files, well should you, or shouldn’t you, I guess that is or was the million dollar question.
The thing is nowadays the illicit business of ransomware is all very organised, they ask you for money and you pay it, and yes in many cases they will release your data. Why do they release your data?
Think about it, if they don’t then they will start to get themselves a bad name. Can you believe that, yes they will get themselves a bad name, what is the world coming to?
Your telephone system can be your enemy
Then of course there is your telephone system, all this modern technology that if I was so minded and a bit of a crook, erm which I am not by the way, I could make myself a fortune from ringing you, and you know what you wouldn’t even know I was there…
Want to make yourself a few thousand for doing nothing this coming weekend? Well this is what we are going to do, let’s get a few premium rate lines, like £40 per minute premium rate and then we will set up our bank account.
We will pick on a company that has a few lines and we know they finish early on a Friday so when they aren’t looking we are going to hack their phone system and ring ourselves back. Well how novel is that, remember that yacht you had in mind, well it can match mine, but I am having the gold taps!
The thing is though this is also getting a little old fashioned and now as companies have cottoned on to this sort of thing happening, they have ensured their comms company have barred international calls as well as premium rate, which to be honest is going to make our phone system hacking a lot more damn difficult.
So, if our phone system is hacked our cyber policy will pick this up, won’t it? It’s cyber, we have been hacked, our insurers will pay. Well, maybe not. This all depends on the policy you have, and that cheap and cheerful cyber policy might not be as good as originally thought.
Are you keeping up here, not all cyber insurance policies are the same.
Data, hah, let’s move onto data, now that really is worth a few quid. Wonder if we could steal some data instead? Well, OK, you really have to figure out what data is worth stealing.
What the local WI members like to cook isn’t really going to be worth a lot to anyone, well a cookery school perhaps but really, not very interesting.
So, we have to go for the really good stuff, all that lovely data that contains user personal information, and the holy grail of all, the lovely bank details.
Remember that yacht, well now we are talking big yachts and the cars to go with it. Stealing data for many can be a relatively simple process, don’t forget this is very organised; they drop onto a vulnerable website or hack networks and find a way in…
But insurance will of course pick this kind of thing up won’t it, well remember what was mentioned about cyber insurance and cyber insurance? In fairness though most cyber policies even with a low level of averageness can have a “regulatory” section but what does it mean?
GDPR, yes there we go it’s been mentioned again.
Remember when the world of data was going to end on the 25th May 2018 and it actually didn’t? We are talking GDPR. I will mention it only once as most people are still sick of hearing about it almost a year on.
In fact it’s probably at the same level as Brexit, yes, I will mention that only once because that is a whole new thing to moan about.
So back to that GDPR thing. If you are hacked and you lose your customers’ personal data then you are in the two camps of doom: what do you do, ignore it, pray every night to whichever god of luck you can and hope it drifts off with no consequence, or do you accept that it could very well come back to bite you? The obvious course of action is that you quickly call the ICO where hopefully some helpful fellow is going to come to your rescue.
Well you are certainly going to need help, if you tell them, you are going to be in for a bumpy ride as you have lost the data through a breach of your systems, if you don’t tell them and the data is used then it’s going to get a whole lot bumpier and not to mention the expense, oh the expense!
Luckily as long as you have the regulatory cover in place this should respond to a data breach that the ICO may pursue you for.
I could go on and on and cover things like cyber liability, where the hacks come from and what about that employee that is no longer the model employee, yes you know the one that looks after the IT or your business networks and website… yes that’s the one, you know who I mean now, he/she can bring your business to its knees in a matter of minutes.
Insurance for the Cyber Age
The moral of the story is that cyber insurance comes in many forms but it is still at the stage of perceived value against actual value. Whilst everyone knows cyber-attacks are going on at many levels, most haven’t really seen the devastation it can cause because they haven’t witnessed it.
Would you consider not insuring your home against fire? Most people wouldn’t entertain the idea of not having fire insurance cover.
If you burn down then your insurer will put it back together, and the thing with fire is that when it happens there are usually those large red and orange things with varying degrees of choking haze – the point is you can see it and the devastation that it could cause to your business.
Cyber attacks on the other hand are pretty invisible, you usually don’t know it’s happened until it has and then it’s too late.
Having the correct cyber insurance in place is essential, and one of the main areas is damage limitation: getting the experts involved can save your business massively. This is why your business needs a cyber insurance policy that provides wide cover.