Cyber security readiness: An insurance industry view
Much has been written about the growing and increasing maturity of the cyber security insurance market. There is also no shortage of (rather depressing) surveys of companies and breaches to give scale to the size of the cyber security problem. In Australia the research done on past breaches by ACSC led directly to the formulation of the Essential 8 cyber mitigation strategies.
What is interesting, and the subject of this blog, is the intersection of the two – the view of cyber security readiness from within the insurance industry itself. This was brought into sharp focus by the recent Hiscox report on security breaches. Hiscox is an international specialist insurer with over 100 years' experience of underwriting a diverse range of personal and commercial insurance risks.
Probability of a cyber security breach
One factor in any risk (or underwriting) decision is the likelihood of an event occurring. There is an adage in cyber security that “it is not if, it is when”, meaning that, over a long enough period of time, every business will suffer an attack. However, that is not a very useful statistic (the probability equals 1); in insurance terms there is greater value in talking about the probability within the term of a cyber insurance policy. Hiscox found the following:
More than three out of five firms (61%) reported an attack in the last year
The frequency of attacks has also increased
This is a worryingly high figure and, if the frequency is increasing as the survey indicates, then the problem is getting worse.
Data breaches by company size
Traditionally it was thought that cyber security was an issue that only affected large, high-profile businesses, and that smaller firms with lower profiles and smaller attack surfaces would slip under the attackers' radar. The survey findings show this is no longer the case:
While larger firms are still the most likely to suffer a cyber attack …
… the proportion of small firms (less than 50 employees) reporting one or more incidents is up from 33% to 47%.
For medium sized firms with between 50 and 249 employees the proportion has leapt from 36% to 63%.
Almost half of small firms reported an incident, and two-thirds of medium firms said likewise. It seems that even a small business is, at best, only as safe as the toss of a coin.
Impact of a cyber security attack
The other major consideration in risk management is the impact of a risk occurring. Here the assessment is complicated by the nature of the business and by the other controls in place (how quickly the attack is detected and how well the business responds). However, the figures for the cost of a breach do not make good reading:
The mean figure for losses associated with all cyber incidents among firms reporting attacks has risen from $229,000 last year to $369,000
The costs have therefore risen by 60%. This trend will affect premiums for cyber insurance policies and sharpen the need for investment in cyber security controls, but security budgets cannot simply escalate forever.
Supply chain security risks
One area of widespread concern is the risk from the third parties, partners and suppliers that a business relies on. This category of risk is significant because it is difficult to control and police without some form of effective measurement of the external risks. The survey figure is, yet again, a worry:
Nearly two-thirds of firms (65%) have experienced cyber-related issues in their supply chain in the past year
What are companies doing about cyber security?
The survey found that firms of all sizes are responding to the growing threats by investing more in cyber security controls. As a risk management strategy this is understandable, but with increased investment comes a greater need to show that the spend is delivering value for money, that controls are effective and that processes are working.
The average spend on cyber is now $1.45 million and the pace of spending is accelerating. The total spent by the 5,400 firms in our report comes to a remarkable $7.9 billion.
In the face of this it is hardly surprising that the cyber security industry – products, services and consulting – is seeing growth.
Where new technologies or managed services are put into play, the business benefit of lower risk could take the form of a lower chance of a breach occurring (lower likelihood) or of lower costs if one does occur (faster detection, or reduced data losses and exposures).
Two-thirds of respondents say they plan to increase their spending on cyber by 5% or more in the year ahead.
An interesting follow-up question would be: how will these businesses judge the value of that spend? Or, what proportion will measure it at all? One of the biggest challenges is knowing where to start…
The decision about where to focus effort, just like the assessment of the effectiveness of controls, requires accurate knowledge of the risks faced. Perhaps the insider threat is your biggest issue; perhaps it is malware, or website vulnerabilities being used to extract data. Investing based on the latest market trends, or in response to recent news stories about breaches, is tactical, reactive and externally driven.
Measure cyber risk alongside other business risks
If security teams and the business agree on the major risks and control requirements (and hence the acceptable residual risk), and measure these in an easy-to-report way (a dashboard or “balanced scorecard”), then security risk management will match the other streams of business activity that quantify challenges and requirements and measure performance to drive decisions.