Take cover - the insurers are coming
Wallix's Bruce Jubb explains why he thinks the channel needs to get behind cyber insurance
Cyber is considered one of the main threats to UK businesses, and government research shows 90 per cent of businesses suffered a security breach in the last year.
While not every breach results in the kind of public shaming experienced by TalkTalk, that particular hack did serve as a reminder of why cyber threats have become a business issue, not just an IT problem. A drop in share price, calls for resignations at the top, a badly damaged reputation and a furious customer base are just some of the repercussions of that breach. It's no wonder, then, that businesses faced with those outcomes are increasingly looking to share some of that risk.
Paying an insurance company to share some of the risks makes good commercial sense. That's why the cyber insurance market has grown so quickly - global gross written premiums quadrupled in just two years, from $850m in 2012 to $2.5bn in 2014. Of course, IT departments will play a role in the process of getting cyber cover. But according to research carried out by my company, the chances are that the role will be a lesser one rather than a greater one, and that IT departments may themselves be running for cover in the event a claim is made on the policy.
The ideal form of cyber risk management is achieving the right balance between internal IT security measures and the transfer of some risk to an insurance company. However, there are stringent conditions surrounding these policies. If these conditions are not met in the event of a claim, the insurer will not pay out, leaving the IT department with a serious amount of explaining to do. In this disconnect between the risk managers and the IT departments I see a real opportunity for the channel.
Let's consider just three aspects of our research which may provide food for thought.
One of the questions we asked in our survey was, when ‘considering purchasing cyber-insurance do you anticipate this will require a change to your existing IT security policy?’ Most (41 per cent) felt it would not, whilst 32 per cent said they didn't know, thereby putting the majority directly on a collision course with the insurance company. This stance assumes the IT security policies are already of a sufficiently high standard to satisfy an insurance company. And yet, because cyber insurance is still a fairly new market, the bar has been set very, very high. A vital first step will be understanding what the policy weaknesses are, auditing the current security measures and ensuring the security policy and practices adapt to pass the fitness test.
The second area of concern in our research was the amount of attention being paid to security updates. This should be basic, bread-and-butter stuff, but nearly half of those questioned thought it would be either quite difficult (43 per cent) or very difficult (10 per cent) to ‘identify whether...security software fails to make critical updates’. Needless to say, a policy will not pay out if security patches are not being kept up to date.
Once a trusted VAR is in discussions with a client about cyber insurance, it would be well worth asking about staff access, the third area of concern. In our study, 50 per cent of respondents felt it would be either ‘difficult’ or ‘very difficult’ to identify whether an ex-employee (or ex-contractor) still had access via accounts to resources on the network. In the event of a cyber-attack triggering a claim, information access control is one of the first areas the insurance company will look at, and in those circumstances it looks like our unlucky 50 per cent will have some explaining to do.
And yet improving access management, and in particular privileged access, is a relatively simple method of ensuring maximum visibility, including a full audit trail, in the event of a breach. That will go a long way to satisfying the insurers and, of course, to reducing the chances of an attack in the first place. One reason TalkTalk was hacked so easily by a bunch of wily youngsters is poor security credentials at the privileged user level, which essentially enabled access to a vast array of assets and information.
The role of the VAR will become increasingly relevant in the ‘cyber security arms race’ (as Dido Harding, TalkTalk's CEO, put it), both in providing access to the best security technologies and in navigating the path to cyber insurance policy compliance.
Bruce Jubb is head of UK and Nordics at Wallix