Attacks in cyberspace: The business of cyber-insuring
Experts view recent ransomware malware and attacks as only the tip of the iceberg. The WannaCry malware alone infected over 230,000 computers across over 150 countries, including the UK’s National Health Service, Spain’s Telefonica and FedEx.
Protection measures aside, what steps are organisations taking to shield themselves from the financial impact of cyberattacks?
Devakumaran Palnisamy, leading expert in Casualty and Placement Practice at Marsh Insurance Brokers, a leader in insurance broking and risk management with a presence in over 130 countries, speaks to Enterprise IT News about his insights and experience when it comes to cyber-insurance.
EITN: Please explain what Marsh does.
Deva: Marsh is equipped with experts to help clients anticipate, quantify, and more fully understand the range of risks they face.
Marsh has specialist divisions within a multidisciplinary team environment to meet the specific needs of clients and they work with clients of all sizes to define, design, and deliver innovative solutions to better quantify and manage risk. The range of services includes risk management, risk consulting, insurance broking, alternative risk financing, and insurance programme management services.
EITN: Was ransomware ever recognised as a risk by cyber insurers like Marsh?
Deva: Cyber risk as defined by insurers covers a variety of risks associated with the breach of cyber security.
Ransomware is simply one facet of cyber risk. As a recognised leader in cyber innovation, our policies cover a wide range. We have been assisting our clients in assessing and managing all kinds of cyber risks, not just ransomware.
EITN: How do you go about evaluating the value of policy that a company should take? What are the characteristics of cyber insurance compared to other kinds of insurance an organisation may get?
Deva: This is a very good question often posed by our clients. There is no ‘one size fits all solution’ be it in terms of limits (i.e. how much should be covered) or how much of the risk a company can actually retain on its own.
However, we do have specialists who are able to quantify the impact of a cyber event on any given company and help them to develop a solution that fits their needs. We do not push companies to opt for the most extensive plan.
Rather, we work with our clients to see what sort of risks they are most likely to face and tailor the plan to suit them.
Cyber insurance policies specifically address network and security liability exposures and they typically contain two main coverage parts. The first component is the expense that a client incurs to respond to a breach, for example, getting forensics to examine its security system, restoring any loss of information as a result of the cyberattack, etc.
Then you have third party coverage which covers the client’s liability to third parties from its failure to keep data secure. For example, if a client faces a lawsuit from its clients due to the breach of privacy, the legal fees can be covered under the cyber insurance policy.
In short, a comprehensive cyber insurance plan can effectively take over most of the costs that arise from a cyber-attack. While not all companies will go for such an extensive plan, it is definitely available. At Marsh Risk Consulting, we have a step-by-step approach to help our clients assess, manage and respond to current and future cyber threats in an efficient and cost-effective manner.
- Risk Identification and Assessment: We work closely with the client to identify any credible cyber risk sources and scenarios that can impact the organization.
- Risk Mapping: Taking what we learned from the risk identification and assessment, we work with our clients to align the risk with their objectives. These are prioritised by the likelihood and impact severity of the risks.
- Proprietary Modelling: Using our proprietary and award-winning Privacy IDEAL (Identify Damages, Examine and Assess Limits) model, we quantify the likelihood that a client will incur a breach and we can estimate the associated costs per breach.
- Coverage Gap Analysis: We review the client’s current insurance policies to determine if any coverage may already be available to respond to cyber claims and losses. This helps to avoid any potential coverage duplication.
EITN: How often do organisations think of cyber-insuring themselves with services from companies like Marsh?
Deva: Being both a global and domestic leader in the risk consulting space, we do receive a lot of enquiries.
The first cyber insurance policy was written about two decades ago. Since then, interest in the product has been increasing both globally and locally. While the take-up rate is still relatively low in Asia, as compared to the more mature markets in the United States and Europe, we are seeing more interest from Malaysian companies towards cyber insurance policies.
Marsh has responded to a number of enquiries, particularly after the recent WannaCry ransomware attack.
Some companies in Malaysia, however, still view cyber risk insurance as an additional and unnecessary cost as they do not realise how financially damaging such an attack can be to their business.
EITN: For a typical ransomware attack like WannaCry, what is the amount an organisation should be insured for? Can you share industry-specific solutions that could help organisations manage risk?
Deva: WannaCry-like incidences are more than just ransomware. In addition to paying the ransom, victims must also pay for the incident response costs which include incident management, forensics costs, fraud remediation, legal consultation, public relations and call centre costs.
Thus, a ransomware attack can be very costly, with expenses far exceeding the amount demanded of the ransom. The amount and type of coverage will depend very much on the industry the organisation is in, its size, the amount of data it collects and the sensitivity of the data.
Apart from the incident response costs, a policy may also pay for data recovery costs, business interruption losses, privacy liability exposures and other liability exposures. We do have a model of helping clients assess the amount of coverage they should be purchasing to make an informed decision, but as I mentioned earlier, there is no ‘one size fits all solution’.
EITN: What are the types of risks that Malaysian companies face? What are best practices for the top three sectors, to manage the top three most prevalent risks plaguing our Malaysian businesses?
Deva: In this increasingly globalised environment, the main emerging risks that can impact the Malaysia business community are cyber risk, trade credit risk, product liability, currency fluctuation, political and country risks as well as climate risks.
The best practice for all business sectors is for them to map and prioritise their risks accordingly, so they know what sort of coverage they need and how much of it they need. At Marsh, we help our clients to better understand their risks by providing insurance solutions and a risk management framework to mitigate against losses.