DUBAI: Companies across the region are increasingly taking out insurance policies against cyberattacks in the face of unprecedented threats, according to senior executives from insurance broker Marsh.
“We are going to be grappling with the issue of cybersecurity for the rest of our careers,” said Peter Beshar, Executive Vice-President, Marsh & McLennan Companies.
“If you track the evolution of cyber threats, it has accelerated dramatically over the past three years, and we predict it will double over the next three years,” he continued.
In the past, attacks focused on credit cards and individuals. Now, Beshar argues that attacks threaten the very core of organisations and countries. These highly sophisticated, well-thought-out attacks are causing businesses throughout the region to sit up and take notice. Many organisations are beginning to take out insurance policies on their systems and data, much in the same way that they would’ve done in the past with physical assets, such as money in a bank vault or merchandise in a shop.
“We’re seeing different types of people looking at cyber insurance at the moment. They’re either very keen to get a policy in place, their IT department knows they need to, and their risk department knows they need to get one in place,” said Simon Bell, Cyber Lead, Marsh, MENA.
He added that other companies, however, were not quite so aware of the need for coverage, and despite some departments calling for protection against cyberattacks, they did not yet “have the buy-in of the entire enterprise.”
A cyber insurance policy, sometimes referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is intended to help an organisation mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach.
This may encompass reputational damage, loss of customer data, government fines, and system downtime.
A report by specialist insurer Allianz Global Corporate & Specialty (AGCS) in 2015 found that cyber insurance premiums would grow globally from $2 billion (Dh7.3 billion) per annum to over $20 billion by 2025, a compound annual growth rate of over 20 per cent.
Insurers often set up conference calls with specialists and non-invasive testing of systems to search for vulnerabilities during the appraisal process, although Bell notes that this is no easy task.
How an underwriter appraises the risk and puts a value on data, as opposed to traditional assets, is “the difficult question,” he said.
To begin with, “there’s a proposal form which details the information a company holds, how it is stored, how it’s secured.”
“From a business interruption standpoint, you can look at how they mitigate the potential impact through disaster recovery planning and so on, but in reality, quantifying the exposure from a data perspective, because you don’t know how much the data is going to be worth until something happens to it, is very difficult,” he said.
“You just don’t know. It’s intangible.”
Underwriters tend to price risk in terms of the repercussions of a breach, instead of simply on the value of the data.
“It’s about quantifying the repercussions following a breach or a cyberattack that takes down their production facilities, for example. That way, they look at it in terms of business interruption through outage,” Bell said.
“They can look at what data is held. Different data will have different values to sell if it is breached,” he noted.
How data is stored and held is factored into the underwriting process.
Last year, Marsh stated in a report that firms across the financial and related professional services industry need to take urgent action on cyber risk.
According to Beshar, cyber insurance is acting as a catalyst for companies to take notice.
This is happening, Bell says, because it’s making people more aware inside companies.
“It’s raising awareness. Questions are raised about potential damages of an incident, so then questions are raised about how to minimise cost and therefore risk, which is good,” he said.
For Bell, companies with a Chief Technology Officer or Chief Information Officer “are usually very mature, and usually indicates they’ve acknowledged the risks present.”
He goes on to state that even if they haven’t taken out an insurance policy, they will have typically gone through a full risk assessment procedure already.