By: Sean Pyott, MD of thryve
Cyber-incidents represent a growing threat to companies, and many have started to respond. Understanding that a cyber attack is nearly inevitable, many businesses are mitigating the risk by adopting cyber insurance. While this is a lucrative new revenue channel for insurers, they have to balance risk against reward, and that will require a more hands-on culture with customers.
A cyber insurance policy will typically require an audit of a client’s security and enforce certain expectations around security policies. For example, it would be foolish to insure a customer who rarely patches their systems. Yet these precautionary measures aren’t enough. Adequate security is a proactive, ongoing practice, and complacent security environments are much more likely to be attacked successfully.
Compliance is a significant reflection of a company’s security posture. It includes legal requirements such as the Protection of Private Information Act (POPIA) and data protection standards such as ISO 27001:2013, but also applies to internal policies that reinforce security.
Insurers can combine compliance oversight with their own cybersecurity experience to help customers safeguard themselves against attacks. The crucial ingredient for cyber safety is accountability, and insurers can use compliance to reinforce it. For example, they can request compliance reports that reveal the customer’s overall cyber-risk exposure.
The incentive for customers, other than staying safe, is the possibility of reduced premiums as well as adequate coverage. A cyber-incident can take on many forms and cause different issues ranging from brand damage to fines and litigation, opening the potential for several policy blind spots.
Yet compliance is convoluted and can devour many hours to establish and audit. Until recently, expecting customers to generate compliance reports several times a year was unreasonable.
This is why companies should invest in proactive and integrated risk management. When these concepts first surfaced at the start of the 2000s, they mainly sought to replace reactive risk management with a strategic asset for companies. In the years since, technology’s expanding complexity has created more compliance risks that need continuous attention, not only during an annual audit. Integrated risk management renders compliance visible and tangible.
It’s important that insurers understand the value of integrated “sense and respond” risk management and encourage their customers to do the same. The more visibility and agility policyholders can produce around their compliance risks, the more they can prepare for an attack.
Cyber-incident insurance is comparable to healthcare insurance: prevention is better than cure, and good habits go a long way to keep insurance customers happy and loyal. Insurers and underwriters that promote integrated risk management to their cyber-incident clients, and use those insights to help customers improve their security, will win in the long run.
Think insurance. Now think again.
Western National Insurance Company Ltd, affiliates of the PSG Konsult Group, are authorised financial services providers. (FAIS: Juristic Reps under FSP 9465)