The cyber loop to cyber insurance
26 October 2022
The Asia Pacific region has been experiencing several high-profile data breaches recently. The impact of some of these events has led to governments of the region making some changes to their data laws and regulations, with the aim of securing their citizens and also making businesses accountable for their data.
For many organizations, the recent data breaches in Australia
, Singapore and other APAC countries have also been a wake-up call on the importance of implementing the best practices of cybersecurity. In fact, the average data breach today cost about US$4.35 million globally and continues to increase every year.
As such, organizations are looking at measures they can ensure they are not only well secured and protected but also have the backup they need should they experience a cyber incident. This includes taking up cyber insurance.
While cyber insurance does offer coverage to organizations to protect them from data breaches and other cybersecurity issues, it is still very different from normal insurance coverage for a business. To understand more about cyber insurance and how it is becoming a prerogative for some organizations today, Tech Wire Asia speaks to Adam Peckman, Aon’s APAC Head of Cyber Solutions.
Adam Peckman, Aon’s APAC Head of Cyber Solutions
According to Peckman, the risks businesses face in the Asia Pacific are pretty much the same as the rest of the world. As businesses become more interdependent on each other, especially for global businesses, the risk increases. Be it cyber threats or geopolitical challenges, businesses need to be prepared to deal with these risks, especially for companies that rely on a huge amount of technology to operate.
When it comes to cyber insurance, Peckman explained that what Aon does is it tracks incident trends
, which includes the volume of cyber incidents that they’ve been seeing. At various points over the last two years, cyberattacks were up at least 469%.
“During that two-year period, there were lots of operational and organizational challenges for companies. Companies deployed more technology to overcome those challenges from managing remote workforces to supply chain challenges. We were surveying clients about how they were adapting to all this technology and digital transformation, and worryingly only two in five were saying that they think they were on top of all of the new cyber risks associated with it,” stated Peckman.
However, Peckman pointed out that Aon saw this proliferation of digital transformation that created a massive attack surface as there was a lot more data. That’s why the world is now seeing this massive spike in cyberattacks.
“When we talk about the value of cyber insurance. We think of insurance as a part of the company’s overall cyber resilience strategy. If you think of what cyber insurance does, it tries to manage the balance sheet, market capitalization, and volatility associated with cyberattacks. You’ve got your technical controls and risk management practices. And at the end of the day, you have insurance to create a hedge for those worst-case situations that happen. You want to protect your shareholders and the financial stability of the company. And that’s where we see cyber insurance as a complementary part of the overall resiliency,” said Peckman.
Simply put, cyber insurance plays a role in the overall cyber resilience strategy
. It manages the potential financial volatility and erosion of shareholder value in a company. However, cyber insurance needs to be implemented alongside cybersecurity and risk management practices.
The four pillars of Cyber Insurance
With cyber insurance critical to a company’s cyber resilience strategy, Peckman also highlighted that when it comes to insurance coverage, it’s actually built over four pillars – Prevention, Assistance, Operations, and Liability.
“We often talk to clients about process. This includes the assessment, mitigation, transfer, and response. And in terms of resiliency, if you’re missing one component, there’s a potential that you’re creating a greater risk exposure. We often talk about it in the context of a cyber loop. And the reason we call it a cyber loop effectively is to get clients into the behavior of constantly reexamining, reassessing, and revisiting the risk because it’s always changing.”
For Peckman, cyber insurance should be considered in the context of that, in terms of what software insurance covers. It’s the full lifecycle of an event. It’s all the out-of-pocket expenses and impacts on business performance and abilities throughout that lifecycle. And this is where the four pillars of cyber insurance come in.
The first pillar, Prevention, basically means a business gets access to vendors for assessment services. This includes pre-breach assessments, access to pre-vetted vendors, and cybersecurity information.
The second pillar is Assistance. Supposedly an organization faces a cyber incident, they use the services associated with it. This can range from cyber forensics to legal services. It also includes notification services if customer data is involved, credit monitoring as well as crisis management components.
Operations is the third pillar. When it comes to operations, organizations will need to keep track of the costs incurred to keep or return the business to operate. There will be a loss of revenue, from income and turnover costs. There are also costs incurred to recreate and restore data and information.
The last pillar is Liability, which is made up of the legal costs and damages from claims alleging privacy breaches or network security failures.
“This is the full sort of gamut in terms of what gets covered under cyber insurance. It’s quite broad. The four pillars – the prevention, the assistance, the operations, and the liabilities are what you hope to have covered under a cyber insurance policy,” said Peckman.
Standard cyber insurance policies will typically include:
- Network Business Interruption
- System Failure
- Dependent Business Interruption / System Failure
- Cyber Extortion
- Digital Asset Restoration
Privacy and Network Security
- Privacy and Network Security Liability
- Privacy Regulatory Fines and Penalties
- Media Liability (varied but includes slander, copyright infringement, etc)
- PCI Fines and Penalties
- Breach Event Expenses
The Cyber Loop
From here on, it is all about building trust and fixing reputational damage after a cyber incident
. Reputational damage can impact clients through a broad array of losses. This includes losing consumers, employees, and even licenses to operate. Hence, building back trust is not only a function of the corporate response to the event but also a clear demonstration that the corporation took appropriate actions to manage the threat. This is articulated via the steps of assess, mitigate, transfer, or recover.
Going back to the cyber loop, Peckman believes that the reason why it matters is that everything gets done in a silo. As CISOs are starting to learn and understand cyber insurance, they are still figuring out how to articulate it in the context of an insurance product.
“When I started this process more than seven years ago, you didn’t have CISOs involved in financial analysis and speaking to the insurance market about trying to get the best terms in place for their companies. I see CISOs now being much more financially savvy, especially on what insurance does and how it benefits them. CISOs are becoming much more financially savvy about articulating the cost-benefit of cyber resilience, the return on investment, and what cyber insurance does,” added Peckman.
As such, CISOs are now getting much more involved, because they start to realize that if they can add value in this process, they can demonstrate a good security posture, saved the company money, or got better insurance.
With that said, businesses need to approach managing cyber risk with insurance as they do other enterprise risks. This includes adopting a framework to continually re-examination, renewal, and revise the strategy based on the evolution of the risk profile. The cyber loop can make a difference for them.