Cyber incidents are costly. We know that. Just how costly has been a subject of debate, but a new study from the Cyber Risk Management (CyRiM) project, a Singapore-based public-private initiative that assesses cyber-risks, gives some eye-popping figures.
While the study looks specifically at a ransomware attack, it represents just how damaging a major cyberattack can be. In the scenario presented in the study, retail and health care would be most affected by a ransomware attack, costing the industry upwards of $25 billion. Industry in the United States would be hardest hit, with a price tag of nearly $90 billion in loss of production and supply chain disruption, ransom payments and mitigation costs.
It’s a grim picture. Cyberattacks are going to happen, and they are going to be increasingly expensive as they become more sophisticated and their reach spreads beyond a single business to entire communities. We saw hints of that when Atlanta was hit with ransomware attacks and much of the city was at a standstill.
But the aftermath of these attacks is also about survival. Can your organization financially survive a cyberattack, whether it is ransomware, a data breach or a DDoS attack? Cyber insurance would seem to be a plan-ahead solution; after all, you have insurance protecting your business in so many other ways. And in fact, cyber insurance is a growing market, expected to reach $9 billion by 2020.
However, there still appears to be some skepticism surrounding cyber insurance, with only a little more than one-third of organizations making the investment, according to a Spiceworks study.
Why the Cyber Insurance Skepticism?
“Some organizations are skeptical about cyber insurance because it only recently became more popular, so they don’t have much experience with it,” explained Spiceworks senior tech analyst, Peter Tsai. Even among the 38 percent who have purchased it, 45 percent have had their policies for less than two years.
Because cyber insurance is still a relatively new concept and because adoption isn’t mainstream, corporate leadership isn’t sold on the need for this type of policy. We’ve seen this trend play out before in cybersecurity. Over the years when I’ve asked experts why adoption of security tools or technologies has been so slow, the response was always, “They are waiting for someone else to test it and make sure it is worth adding to the budget.” It seems as though cyber insurance is following that trend.
But there is another issue at work: There remains a lot of uncertainty about what cyber insurance actually covers and the requirements to receive payment.
“The lack of observability makes it impossible for mid-to-large businesses to prove loss to their insurance carriers,” said Jack Kudale, founder and CEO of Cowbell Cyber, in an email comment. “The carriers face a similar issue as to being able to write accurate cyber coverage that is aligned to changing cyber-risk. When insurable threats are understood by the enterprises, and when aligned to exposures (both probability and severity of threats) by their carriers, risk and insurance will complement each other.”
Necessity or Luxury?
How leadership views cyber insurance may also add to the skepticism. Tsai thinks it comes down to how they view the worth of their data. For example, he explained, organizations that don’t handle much sensitive data might not see a use case for cyber insurance, making it a luxury purchase. On the other hand, if the organization is in a highly regulated industry and if cleaning up after a cyber incident would be complicated and expensive, then cyber insurance is viewed as essential and a necessity.
Budgeting issues may also make cyber insurance look like a luxury rather than a necessity, especially since the insurance coverage definitions are still a work in progress. However, in a blog post, Spiceworks Community member Bill Mack made what may be the best argument I’ve seen for the importance of having some level of insurance against a cyberattack: “I have to be right 100 percent of the time to prevent a breach,” he said. “The hackers only have to be right once to take it all away.”
Companies that are on the fence about getting coverage might want to do a cost-benefit analysis to see how much value cyber insurance offers their organization, looking at the financial implications of a breach, both with and without insurance, Tsai advised.
But Mack makes the best point: The hackers will find you at some point. Your security system may be able to take the punch and fix the damage, but can you withstand a cyber incident financially?