In the Virtual Era, Who Needs Insurance?
By Duncan Sutcliffe
Perhaps this is an extreme example, but it makes a point. If a business puts good risk management and security in place and has good business continuity and disaster recovery plans, then the likelihood and severity of a claim will be reduced. Therefore, it could be argued that the need for insurance is minimized. Realistically, not many companies would be prepared to go without insurance, but it could be tempting, especially for firms who are confident that the real value of their business is safely stored on a backup tape or distant server.
So is it as simple as that? Assuming the backup can be restored, the staff are still there and the business continuity and disaster recovery plans work correctly, then perhaps it is; assuming, too, that the cause of the claim is something old-fashioned like fire, theft, flood or storm. But what about modern threats to a modern business? A proper insurance assessment will look at what a business is dependent upon, and thereby what needs insuring. For most businesses, this will often be data—its storage, retrieval and transmission. So that lost laptop may only be worth £300, but how valuable is the data it holds, and can that data be insured?
Some insurance companies are starting to respond to the importance of data and the new threats with insurance policies known under the generic term of ‘cyber liability insurance.’ This rather vague title encompasses a real mixture of insurance policies of varying quality and scope; some provide very limited cover and are filled with restrictions, whilst others offer genuine and comprehensive cover to businesses. Here in the UK market, it's still in its infancy, but a decent policy might offer the following covers:
- Loss, damage or corruption of data
- Business interruption / lost income
- Forensic investigation costs
- Legal defence costs and financial penalties by regulators
- Reputational & public relations costs
- Cyber extortion
- Notification costs and credit monitoring service
Anyone who follows the news will have seen the dramatic rise in cyber security stories concerning cyber warfare, cyber criminals, lost disks, viruses, malicious staff, malware, espionage, hacking, data protection, social media scandals, extortion, denial of service, worms, phishing, etc. Many of these stories involve international corporations or governments, so they can create an attitude that cyber risks are someone else’s problem. Unfortunately this is not the case, and a little deeper reading will reveal the disturbing scope of the problem: not just the targeted hacks which make the best news, but everyday viruses and disgruntled or clumsy employees.
So if we return to that very model of a modern business, with its risk assessments, its physical security, its computer backup and its confidence that in the event of a disaster it can just rent a new office and start again—how safe is it from an employee accidentally emailing confidential customer data to his entire address book? What about the disgruntled member of staff who shuts down the system? Or the email that looks genuine but contains malware? How about your cloud provider whose postal address is in the UK but is actually who knows where? Or the staff who are encouraged to use their own smartphones and take laptops home on the bus? And the data stick you found next to your car? And the bloke who says he is from your IT support firm who spent half an hour on your system and made himself a cup of tea? And if your password is your dog’s name can we see photos of your dog on Facebook along with your date of birth, holiday plans and mother’s maiden name?
Suddenly the perspective of business risk catches up with the reality of the modern era. The first step is clearly to protect these assets and valuables with decent security measures. These need to be technological, physical and cultural—there is no use having an expensive firewall if it is never updated, the back door is unlocked and passwords are on post-it notes. A good way to do this would be to achieve or follow some of the principles of a cyber assurance standard such as IASME or ISO27001. Secondly, consider insuring against cyber risks with a decent cyber liability policy. Most of us have experienced the helplessness of computers freezing or the Internet going down, so imagine the consequences of a serious breach or data loss to your business in terms of costs, lost revenue, lost reputation, customer claims and data protection penalties.
But even if the idea of another insurance policy is not appealing, there is evidence that cyber liability insurance could become a prerequisite in the tendering process, making it a necessity in the supply chain. Businesses will not want to trade with organisations that might lose or damage their data unless there is insurance in place to compensate. Therefore, even if you still think insurance is a waste of money, your customers and suppliers may disagree.
Duncan Sutcliffe is Director of Sutcliffe & Co Insurance Consultants.