Cyber insuring for a rainy day
A determined hacker has only to be right once, and he could potentially cause untold harm to a business’ reputation, productivity and not to mention, finances. With the realisation that attacks from cyber space are coming faster and becoming more furious, the reality that cybersecurity is a board-level issue, a CEO issue and a business issue, is sinking in, surely and surely as well as more pervasively than before.
Not too long ago, the widely reported Yahoo hack saw a Yahoo legal counsel relieved of his position in the company. Microsoft APJ’s Associate General Counsel and Director of Corporate and Legal Affairs, Jeff Bullwinkel rationalised it, “You are an officer of the company and you are accountable to give advice to the Board of Directors about the liabilities (incurred) if you do not act (upon warnings of cyberthreats).”
The losses are real, and insurance brokers are starting to see a rise in queries about insuring against cyberattacks. KPMG’s Head of Cybersecurity in Singapore, Daryl Pereira shared that KPMG does offer gap analysis service, an assessment to determine an organisation’s current level of cybersecurity and how far that level is from the ideally required level.
He pointed out a main challenge: How does an insurer determine if a business is a good insurance risk?
If there isn’t even the basic level of security, it would be very difficult to move things along and Pereira observed that cybersecurity spending; often a subset of IT budget spending; needs to be higher depending on the risks involved. An online commerce service which has a majority of its business and customer data online, for example, would be more at risk than an old-fashioned retailer which still stores everything on tape drives.
Circling back to the main hurdle of determining good insurance risk – it all boils down to it being almost impossible to accurately determine the extent of damage of an attack. Also, what is the value of policy that a business should insure itself for?
Pereira opined however that, “As the industry matures and data on claims increase, it could help determine what is a good risk.”
Pereira points out that there is improvement in cyber security awareness and action among businesses.
“There is intention to improve their cyber security levels,” he said adding that the incentive to do so is due to being attacked by cyber criminals.
“So, availability of cyber insurance now, is helping drive change in cyber security levels, but it is a second-hand effect.”
Cyber insurance and the need to quantify loss and damage in ringgit and sen, may be the incentive needed for C-suites and boards of directors, to take a good hard look at whether they are putting the right budget amount into securing their businesses.