CEP 2020 Cyber Information Series
Information for Senior Leaders

Risk Mitigation through Cyber Insurance: Current Business Practices
Report from the CEP Cyber Insurance Working Group
January 2015

Welcome

Welcome to the Corporate Executive Programme’s 2020 Cyber Information Series.

In 2005 twenty-seven senior leaders met in Singapore to discuss the many components of information security and its impact on their organisations’ strategic business goals. Ten years on, the CEP is celebrating its tenth anniversary. To mark this important landmark, the CEP is unveiling its 2020 programme. It recognises the technological advances of the last twenty years that have changed the way we work and live, e.g. the Internet, email, laptops, smartphones and Wi-Fi, to name a few.

The 2020 programme recognises that technological change continues and, with it, the challenges of applying proactive security. It recognises that the lines between home and office computing are now blurred, e.g. many people use only one device for working both at home and at the office. This means there are challenges in the ability to predict threats, identify vulnerabilities and understand the associated risks.

Our members have all spoken about the benefits gained from the sharing of information, experiences and expertise. The increase in cyber activity and associated malicious activities continues to impact businesses financially across the globe.

The CEP 2020 Cyber Information Series will feature a series of White Papers on areas that organisations focus on as part of their cyber readiness and cyber management activities. It will highlight the ongoing work of its working groups, sharing with its audiences the outcomes of its research and surveys, from which we hope others can benchmark or gather greater understanding for tackling current challenges and issues. The results of the research carried out by the Working Group on Cyber Insurance are the first in our Cyber Information Series.
We hope you enjoy this and the rest of the series.

Foreword

The Corporate Executive Programme (CEP) exists to identify new threats and trends in relation to information security and to help organisations deal with them. Dedicated cyber insurance is one of the newest developments within the marketplace aimed at mitigating risk, and is a product type which has grown somewhat organically out of the growing threat of cybercrime. It is not an area about which there has been in-depth discussion within industry or between industry and the insurance sector. Although this type of insurance has been available over the last decade, patterns in relation to take-up and business preferences have been unclear, and CEP has become aware that a greater understanding would benefit the business and insurance communities.

A CEP working group was set up to explore this subject in 2013, the first time that a not-for-profit organisation had sought to systematically develop understanding in this area for the benefit of business as a whole. It quickly became apparent that research was needed, with the group agreeing on project focus in August 2013 and work starting in autumn that year.

This has been a preliminary study, helping to create a ‘snapshot’ of current business behaviour and to set the parameters in terms of topics of interest and aspects that would benefit from more in-depth analysis in the future. It has certainly confirmed that this type of cover is at an early stage in its lifecycle and not particularly well established yet, as illustrated by the level of take-up and awareness amongst organisations globally. The research has also helped to throw some light on the extent to which specific factors are impacting on individual businesses’ approach to dedicated cyber insurance; for example, business size, sector, and the way companies have organised themselves to manage, and purchase for, risk and security.
CEP will use the findings to help identify the way in which dedicated cyber insurance and risk transfer should be tackled in its future work programme. We hope that you find this report interesting and informative, and that it helps you with dialogue and making decisions about dedicated cyber insurance within your own organisation.

Dr Claudia Natanson FBCS CITP CISSP
Chair, CEP
[email protected]

Contents

1 Introduction 6
2 Executive Summary 8
3 The Survey Sample 10
4 Survey Methodology 12
5 Definitions 13
6 Survey Results 15
7 Additional Qualitative Findings 24
8 Conclusions and Next Steps 26

“Dedicated cyber insurance is one of the newest developments within the marketplace aimed at mitigating risk, and is a product type which has grown somewhat organically out of the growing threat of cybercrime.” Dr Claudia Natanson, Chair CEP

1 Introduction

The commercialisation and socialisation of the Internet have brought huge opportunities, but these have been accompanied by significant and continually evolving threats. This has entailed a responsibility for organisations to protect their most valuable asset, their information, and by extension their people, customers and other stakeholders, from the damage that could result from it being compromised.

The risks from theft and loss of information are real and growing. Non-compliance with regulations and standards in this area results in damage to brand, revenue and reputation, and in loss of shareholder and customer confidence. We are seeing more and larger fines relating to failure to protect information adequately, and society’s reliance on online technology for the delivery of the most fundamental services is raising the stakes. In this climate, organisations are looking to transfer some of the risk for more effective risk management, and taking out dedicated cyber insurance is one way they are seeking to achieve this.
There are a number of categories of risk against which organisations could potentially seek to insure themselves (Figure 1).

Figure 1: Information security and privacy risks faced by organisations

Enterprise Level Information Security & Privacy Risks:
• Data Breaches: PII
• Data Breaches: IP/Trade Secrets
• Damage to Reputation
• Online & Social Media Exposures
• General Privacy Risks
• Enterprise Practices
• Business Interruption & Supply Chain
• Cyber Crime
• Loss of / Damage to Digital Assets
• Damage to Physical Property

Note: PII – professional indemnity insurance; IP – intellectual property

Dedicated cyber insurance is a relatively new product, technology is evolving fast and security is always playing catch-up, meaning there is a real challenge involved in objectively identifying companies’ needs in relation to insurance and what constitutes an effective dedicated cyber insurance product in specific circumstances. How much cover is needed, what areas of activity and risk do and should qualify for insurance, who should determine purchase, and what does the ideal product look like? These are all questions that need to be answered. This survey begins to explore these issues for the benefit of both purchaser and insurer.

The CEP working group responsible for this research intends that the findings, and any follow-up projects the programme carries out, will make a significant contribution to bringing clarity to this important new issue for today’s organisations, whether they are large or small, global or local.

2 Executive Summary

Key findings:
• Only 20% of businesses had dedicated cyber insurance.
• Heads of information security were not involved in insurance purchase decisions.
• The US had higher levels of dedicated cyber insurance cover than the UK (40% versus 13%).

• Only 20% of respondents said their organisation had dedicated cyber cover. 20% said they had no cover.
• The legal function was most likely to make cyber cover purchasing decisions (in 50% of cases where such cover existed), followed equally by the head of risk and the Executive/Board level of the organisation (25% each). Heads of information security appeared to have little role to play in purchase decisions.
• 25% of respondents said their organisation had suffered a business-impacting cyber incident within the last year; 30% of these had dedicated cyber insurance.
• Companies that had experienced an incident and had insurance cover had had this cover before the incident.
• Companies with decentralised risk functions seemed to be more likely to have dedicated cyber insurance than those with centralised functions (31% versus 15%). Companies with centralised risk functions were more likely to be covered by self-insurance or other business policies (28% versus 16%).
• Most heads of information security interviewed did not have knowledge of the types of dedicated cyber insurance products available.
• The retail sector had the most organisations purchasing cyber cover (37% of those with dedicated cyber insurance in this survey), followed by the finance sector (25%). Self-insurance was mostly done by the manufacturing and finance sectors.
• Every company in the survey had third party and/or outsourcing deals in place. Of the companies with cyber cover, only 50% did thorough checks to confirm continued insurance cover through the supply chain. 70% of those with no cyber cover reported doing checks to see that their third parties had cyber cover.
• The US had considerably higher levels of dedicated cyber cover than the UK (40% versus 13%).
• The most popular route for businesses in the billion pound revenue range was self-insurance (33%), while the most popular for those in the million pound revenue range was cover through existing business policies (31%).

We now go on to describe methodology, findings and conclusions in more detail.
3 The Survey Sample

The target population was drawn from within the CEP membership, and consisted of a random sample of 40 organisations. These are organisations that could be said to have good information security awareness in relation to the commercial community as a whole, and typically fall within the larger categories of businesses. We aimed to achieve responses from a good spread of organisations, but as a preliminary, exploratory survey, there were no specific targets in terms of size, global versus local, sector or annual revenue. The breakdown is detailed in Figure 2 below and Figure 5 on page 11.

Figure 2: Sector breakdown (largest survey sectors: Finance, Manufacturing, IT Services, Retail; Other 48%)
Figure 3: Regional breakdown (participants by region: US, UK)

The most represented sectors are highlighted in Figure 2. The remaining 48% of respondents came from a wide variety of sectors including travel, logistics, legal, pharmaceuticals, telecommunications, manufacturing, engineering and marketing.

The size and scope of the sample were selected to successfully reach and carry out interviews with senior leaders on a potentially sensitive subject within reasonable time frames. They also enabled more detailed qualitative discussion. Interviews were undertaken on the basis of maintaining the anonymity of respondents and their organisations. These practical considerations meant that interviews were restricted to US and UK companies. However, this also enabled us to gain an impression of differences between the US and Europe. Traditionally, take-up of cyber cover in Europe has lagged behind the USA. The survey aimed to gain insights into whether these regional trends had changed in recent years and, if so, the possible drivers for a shift in purchasing patterns.