September 5, 2017
Companies overlooking cost of cyber risks as variety and number of breaches increase
Cyber risk is becoming increasingly common while the types of breaches are becoming more diverse, claims a new white paper by the audit and accounting expert BDO. For instance, ransomware is now the fifth most common type of malware, with the cost of freeing up computer systems from ransomware tripling since 2016. Yet organisations are continuing to spend up to four times more on insuring other company assets (e.g. property, equipment etc.) than on cyber insurance, despite an increasingly widespread belief that their cyber assets are in fact up to 14 percent more valuable. The report also finds that as cyber incidents increase, they become more difficult – and therefore more expensive – to defend against.
In the new cyber insurance white paper, BDO’s global cybersecurity leadership group stresses the importance of businesses gaining an understanding of their unique risk profiles in order to ensure the right cyber insurance for their needs. The white paper, “Cyber insurance: managing the risk”, does include some of the positive trends around cyber security – for example, both the level of Board involvement and investments in cybersecurity have increased significantly in the last 2-3 years.
However, there is a lack of understanding around which cyber insurance policy to choose – and the landscape is further complicated by the fact that there are no standard cyber insurance policies currently available, meaning that the terms, grants of coverage, exclusions and conditions vary hugely. A recent report noted up to 19 different categories of coverage on the market, relating to data breaches, cyber extortion, business interruption, data and software loss and physical damage, as well as death and bodily injury.
Gregory A. Garrett, Head of International Cybersecurity: “An organisation’s cyber insurance policies must be suited to its particular risks and exposures and is an essential factor in implementing an effective and holistic cyber risk defence programme.”
Given this reality, companies need to ensure that the cyber policy they purchase is appropriate for their specific cyber risk profile. BDO advises following the agile roadmap below before negotiating the purchase of a cyber policy:
- Identify critical business assets and their associated cyber risk
  Cyber insurance can cover risks as diverse and exceptional as industrial espionage, employee misconduct, crisis communications and forensic investigation. The first step is to establish an organisation’s risk profile.
- Evaluate risk exposure and quantify risks
  The value of those critical assets can be quantified by modelling the potential financial impact – i.e. the cyber risk exposure – of a cyber attack against non-defendable assets.
- Decide if the current level of protection is enough
  Assess whether any identified risks can be remediated or whether financial protection in the form of an insurance policy is required, in the event of a cyber incident.
- Implement a security risk remediation programme to address the identified gaps
- Evaluate cyber insurance needs for those risks that cannot be remediated and select an appropriate policy.