Don’t Insure Against Cyber-Risk, Protect Against It

In the face of the most extreme risks, it often makes sense to share them. In business, we turn to insurers to safeguard organizations against the risks that are most difficult to mitigate. But as of the start of April, organizations can no longer turn to one of the world’s most famous insurance markets for a key element of risk management.

Lloyd’s of London is no longer offering insurance against the disruption caused by state-backed cyber warfare, what they term “systemic cyber risk.” This perhaps comes as no surprise – cyber-attacks targeting infrastructure can have such wide-ranging effects that the insurance market cannot absorb their collective cost. 

It is, however, an opportunity for the cybersecurity industry. That’s because cyber risk has morphed into an existential challenge for organizations, and this can act as a wake-up call for us all to take the threat seriously. 

As things stand, business-critical functions – and indeed wider society – depend on IT, meaning that if they experience an attack, any losses could significantly exceed what the insurance market can support. 

Meanwhile, challenges like cyber extortion are becoming equally seismic. Analysis by blockchain analytics firm Chainalysis shows that ransomware payments totalled at least $457m in 2022. Although that number was down year-on-year, the true total is expected to be much higher. The sheer variety of cyber threats and the inventiveness of cyber-criminals mean that organizations need to be prepared to prevent and manage them, as well as insuring against them.

Even if they could afford to, we can’t expect insurers to keep paying out on incidents that occur because organizations have not prioritized a basic level of cybersecurity protection. While posing a clear threat, cyber-criminals aren’t invincible, and there are steps that organizations can take to protect themselves. As Microsoft’s 3rd annual Digital Defence Report notes, although nation-state actors engaging in cyber-attacks may be technically sophisticated and employ a wide variety of tactics, such threats can often be mitigated by good cyber hygiene.

Rather than seeing the Lloyd’s decision as having the stabilizers removed, organizations need to view it as a catalyst to embed and improve cybersecurity. Rather than waiting for an issue to arise – and hoping it doesn’t – the exclusion in the Lloyd’s market is an opportunity for Chief Information Officers – indeed any business leader – to take proactive ownership of their organization’s cybersecurity. Insurers still have a role to play in protecting organizations from certain kinds of risk, as do national governments. However, building digital trust in an organization starts with the organization taking ownership of it.

The good news is that there is a clear way to do this. A pathway exists in the Four Ts of risk management. The first step is Tolerate – understand which risks the organization can afford to leave unaddressed. Business leaders must also apprise other senior figures of the organization’s cyber-risk tolerance levels and of which datasets will be prioritized for protection on compliance and brand-reputation grounds.

Where risk becomes intolerable, organizations will act to Terminate the risk. This might involve exiting operations in a particular country, ceasing to work with a particular entity, or changing how a process is done to mitigate the risk. In an extreme example from last year, the Ukrainian government began storing data outside the country to protect it from Russian cyber-attacks. 

Where possible, risk can also be Transferred to third parties. One of the most common examples is, of course, purchasing insurance. Another way of transferring risk might be to outsource specific processes to other organizations. Cyber insurance against non-systemic risks is still common worldwide, although the cost of coverage is rising.

But in the end, the fourth T is the one that matters – Treating the causes of the most severe risks pre-emptively. Business leaders can attempt to control risk by mitigating either the likelihood of it occurring or its impact if it were to happen. The simplest example would be just setting up an incident response plan to be activated in the event of a cyber-attack.  

Ultimately, the decision to exclude systemic cyber risk from coverage in Lloyd’s insurance policies is a sign of the importance of building digital trust and designing a resilient digital ecosystem from the outset. The four Ts provide a roadmap for organizations seeking to proactively address cyber-risks of all kinds. Unfortunately, the cyber-threat landscape evolves incredibly quickly – so the best time to begin this journey was yesterday. Today would be a good start too.