Increased Cyber Crime Could Mean That Your Organisation Must Meet New Security Requirements For Insurance Eligibility

Raytheon / Websense have predicted that, due to the complexity and unpredictability of cyber attacks, insurance companies look likely in 2016 to move towards a ‘must have’ and ‘evidence based’ model. This will mean that customer organisations will be forced to meet new, more sophisticated minimum requirements for their policies to be eligible for coverage.

Why The Changes?

In recent years the frequency of attacks on organisations by cyber criminals appears to be increasing. Recent high profile victims include TalkTalk and JD Wetherspoon, and their stakeholders.

The sophistication of the criminal schemes and the willingness of criminals to widen their areas of attack and to play the ‘long game’ have also become more apparent in recent times. For example, security firm Symantec recently discovered that dozens of fake accounts are used by hackers across LinkedIn. The hackers are thought to be mapping the networks of business professionals and gaining their trust with a view to luring them to malware-laden websites, stealing their personal details, and launching spear-phishing campaigns.

Continuous technological advances and the growing value of data to organisations (and cyber criminals) are also major contributing factors to the inevitable evolution of cyber security insurance.

What Kind of Changes?

It is thought that cyber insurance actuarial models look likely to be based in future upon four factors:

  1. Market Cap - the perceived value of the company as well as the outstanding shares.
  2. Risk Profile - an organisation’s likely ability to defend against cyber attacks could be assessed onsite.
  3. Targeting Profile - a profile built from information gathered from multiple cyber crime companies to show how often a company is attacked.
  4. Responsiveness - as the name suggests, how quickly breaches can be halted, attackers deterred, and control can be regained.

What Could This Mean For Your Organisation?

The short answer is of course greater cost and more hoops to jump through in order to make sure that your organisation’s insurance eligibility is protected.

This could mean:

  • The need to be able to demonstrate a better cyber history in order to get better customised policy rates.

  • The possibility that insurance companies will refuse to pay for breaches that are deemed to have been caused by ineffective security practices.

  • Premiums and payouts being more closely aligned to improved models of the cost of a breach.

  • More / different factors and variations being taken into account by insurance companies when trying to assess how at risk your industry sector and your organisation are, e.g. the value of your stored data, your company profile and culture, and the training of your employees in IT security best practice.

  • The need to adopt third-party continuous monitoring of corporate networks for risky user behaviour.

  • More defensive decision making in anything related to data and online security.

  • The need to invest more money in greater end-to-end security and defensive technology.

  • The need to prepare for and accept cyber audits and penetration tests from insurance companies.

  • More due diligence.

  • Investment in more security personnel or professional cyber security services of different kinds, as and when required.

Already Happening in America

A recent Wells Fargo survey showed that 85% of US companies with over $100 million annual revenue have bought cyber or data privacy insurance. The same survey showed that 44% have since filed a claim after a breach.