By Barry Cashman, Regional VP UK, Veritas Technologies
In January this year, a historic shift occurred at one of the world’s oldest insurers. Lloyd’s of London insurance syndicate Beazley announced the first-ever cyber catastrophe bond, signalling that the financial risk of cyber attack is startlingly real and potentially catastrophic.
While such bonds have typically existed in relation to the risks of natural disasters, this is the first time such a financial instrument has been used to protect against the man-made threat of cybercrime. The $45 million bond provides insurance coverage for companies against large-scale cyber attacks and is designed to cushion insurers by transferring some of the risk presented by cyber attacks from the insurer to investors.
What lessons, then, should companies take from this development, and what mitigating measures must they take to ensure that should the worst happen, a cyber insurance policy will pay out?
What is a cyber catastrophe bond?
The cybersecurity insurance market is proliferating as the frequency and severity of cyber attacks increase. 2022 saw a 38% increase in attacks on the previous year, with the cost of data breaches reaching record levels. Alongside a surge in sophisticated nation-state activity targeting critical infrastructure, demand for cyber insurance has rocketed, leading to rising premiums and more rigorous underwriting standards.
As a new approach, the cyber catastrophe bond works by issuing bonds to investors, with the proceeds from the sale used to fund a pool of money from which claims are paid in the event of a cyber attack. The bondholders assume the risk of a cyber attack in return for the potential return on their investment.
The bond typically covers losses resulting from a cyber attack, including costs associated with data breaches, business interruption, and liability to third parties. It is designed to protect the insurer from the risk of potentially massive payouts in the event of a devastating cyber attack.
For businesses, the benefit of specific cybersecurity insurance policies such as this includes provisions for covering the costs of a data breach or cyber attack, such as the cost of hiring a forensic investigator. It can also provide access to specialist legal experts to navigate the legal and regulatory landscape in the aftermath of a cyber attack while helping to comply with regulations such as GDPR.
Key cyber insurance considerations
The variety of cybersecurity insurance policies on offer has grown rapidly as the number and sophistication of attacks have ballooned. When selecting an insurer in this space, companies must consider a number of factors, including the scope of coverage, exclusions, and limits of liability, as they would with any insurance. They should also consider the financial strength of the insurance company and its track record of paying cyber breach claims.
However, companies must not only assess the insurer but must also turn the focus inwards. For example, companies must have a thorough understanding of their cyber risk profile and assess any associated insurance policy against their specific needs. In what is still an emerging area of risk management, assessing cybersecurity risks is a specialist task where expert vendors and channel partners can add significant value.
Alongside realistic measures of risk, insurers will also expect companies to prove robust data protection and management systems when determining eligibility for cyber-specific policies.
Beware: insurers have eyes on your blind spots
Maintaining the robustness of an organisation’s data protection and management provides protection against possible attacks and should be the bedrock of all resilience strategies. However, when considering cyber insurance, proving the strength and appropriateness of an organisation’s cybersecurity strategy is also instrumental in ensuring the successful payment of claims.
In today’s multi-cloud environments, for example, a multi-layered data security strategy is especially essential. Consider that 58% of IT professionals don’t have visibility of their data footprint. Any such blind spots could spell disaster not just in terms of exposure to attack, but also in terms of refused insurance payouts.
The issue of ‘dark data’ (untagged or unstructured data) and ‘ROT’ data (redundant, obsolete or trivial data) is a pervasive one across many organisations. What you cannot see, you cannot protect. Because dark and ROT data is often left to languish without updated permissions and subject to obsolete security policies, it is much more susceptible to breaches. And in the face of such a breach, an insurer may have cause to refuse a claim.
Maintaining robust security in the face of ever more sophisticated criminal tactics, while ensuring complete visibility, is a challenge. This is where specialist, comprehensive tools that offer unified data management and protection can ensure demonstrably robust approaches. Specialist partners also allow enterprises to harness external, expert support to ensure strategy meets shifting organisational needs, no matter how complex.
Backup, testing, continuous maintenance and more
Alongside protective measures, it is vital to have a solid backup plan in place to ensure business resilience if and when the worst happens. Insurers will also keep a keen eye on backup and recovery measures and continuity plans. In the event of a cyber attack, having a rapid recovery response plan is crucial, as is the ability to conduct continuous maintenance and testing of systems.
Testing and retesting defences regularly is central to any security strategy, and stress testing is also vital to maintaining insurance eligibility. This can include testing the effectiveness of firewalls, intrusion detection systems, and incident response plans. Working with a partner that can facilitate regular, non-disruptive rehearsal and validation provides third-party, expert insight into any areas for improvement.
Ensuring cyber insurance pays
Specific cyber insurance policies will increasingly become part and parcel of doing business. Now, alongside growing regulation and compliance requirements, companies must also be prepared to provide detailed information about their cybersecurity measures and practices in order to qualify for coverage. If any enterprise is in doubt about the strategic imperative to put defence, backup, recovery and cyber maintenance first, the insurance market’s response to soaring cyber risk should be yet another stark wake-up call.