The costs of cyber-attacks are soaring—measured in loss of revenue, loss of customer trust and loyalty, and costs of litigation and higher insurance premiums. Aon Benfield reports that annual global gross written premiums for cyber-security insurance policies have reached $1.5 billion. For insurers, it’s a double-edged sword. Revenue from insurance premiums is growing as more carriers launch cyber-risk products, but the risk to their own business is also on the rise.
BITS, the technology policy division of the Financial Services Roundtable, reports that the demand for cyber-security insurance increased by 21 percent across all industries in 2014.
According to one global insurer, cyber-attacks cost businesses a total of up to $400 billion a year for the initial damage as well as for ongoing disruption. Research firm Gartner expects companies across the globe will spend approximately $170 billion on cyber-security by 2020, a growth rate of almost 10 percent a year over the next five years.
Because many incidents go undetected and their impact is not always immediately visible, the true scale of the problem is most likely even greater. Insurers cannot eliminate this exposure, but they can limit it by becoming more resilient. To build cyber-resilience they should:
- Re-architect business processes to reduce the access to, dissemination of and reliance on highly sensitive data.
- Re-architect infrastructure and systems to limit the extent of damage when an attack occurs, or when systems and processes fail.
- Re-work how legal and liability protections are written into service agreements, so that fraud-related losses and the cost of remediating affected customers are allocated before an incident rather than disputed after one.
Insurers also need to build in front-end security controls, risk/reward decision making at the business level, and risk management and control techniques, and to secure employee adoption of all of these. In the event of a cyber-attack, insurers should already have an incident response plan and a crisis management process for handling the incident and notifying affected parties. A response plan should include:
- Validating that the event is taking place and mobilizing the response team.
- Applying pre-planned containment measures (firewall rules and other stopgaps) so that the exposure stops expanding. These measures must be prepared in advance and tested regularly; a containment step that is improvised during an incident is the one most likely to fail or to cause collateral outages.
- Deciding when to alert authorities and regulators, as well as the firm's external media team. Where regulators impose notification deadlines, the plan should record them so the clock is not discovered mid-incident.
- Carefully managing public relations. Some firms have appeared stronger and more organized after a breach whereas others have lost significant brand value.
Only with these measures in place can insurers expect to more effectively mitigate the risks of cyber-events and reduce the impact if one does occur.
To learn more, see the Cyber-resilience: Answering the cyber-risk challenge infographic or download the Making your Enterprise Cyber-Resilient report.