Insurance should complement cybersecurity, ‘not the other way around’

18 Apr 2023

Aon head of cyber solutions EMEA David Molony. Image: Aon

Aon’s David Molony discusses the ‘rigorous’ cyber insurance landscape and the steps businesses can take to assess their cybersecurity risks.

Click here to view the full Cybersecurity Week series.

As industries become more digitised and criminals evolve their capabilities, organisations are putting more focus into their cybersecurity efforts.

In February, a survey found that roughly 70pc of business leaders Ireland were either “very” or “extremely” concerned with potential cyberthreats to the continuity of their businesses.

This survey by the Institute of Directors in Ireland also revealed that around 41pc of organisations have experienced a cyberattack in the past, based on the responses of business leaders.

The rapid rise of ransomware and high profile attacks appears to have put more eyes on cybersecurity, with a greater focus on training and creating response plans within organisations.

But the evolving landscape has also caused cyber insurance providers to be “increasingly rigorous” when looking at companies. That’s according to David Molony, Aon’s head of cyber solutions for the EMEA region.

Molony told that companies now have to demonstrate “a coherent risk management strategy” to obtain coverage from cybersecurity insurance providers.

“The most prepared organisations don’t treat cyber insurance as a panacea; they treat it as a safety net when they’re already investing in controls assessment, quantification, innovative technologies, mitigation, business continuity management, incident response and disaster recovery,” Molony said.

“In addition, when you go to the insurance market, you want to have these aspects of your risk presentation covered.”

A compliment to cybersecurity

Molony said cyber insurance has two main components, which are intrinsic damage and third-party damage.

Intrinsic damage involves all the costs that would be directly incurred by an organisation, such as extortion payments, forensics costs, data, and system recovery costs. Third-party damage relates to sensitive information being lost that can impact others.

“In some cases, lawyers must be called in because data protection laws have been violated and defence costs must be paid,” Molony said. “Or there may be negative press coverage requiring a PR firm to be hired to help mitigate the reputational risk.

“There are also exciting additional coverages available in the marketplace for other areas, ranging from supply-chain challenges to catastrophe losses.”

Molony said any cyber insurance policy should be a compliment to an organisation’s cybersecurity strategy and “not the other way around”.

The first step for organisations – according to Molony – is to make sure the policy they choose is “relevant for your organisational profile and security posture”.

“In addition, you should have clarity on what protections you want the policy to achieve and seek to have the most appropriate levels of cover for those risks,” Molony said.

Some ways for an organisation to understand its own risks and requirements come from creating impact modelling and risk management programmes.

Risk management strategies

Molony said cyber impact modelling involves tailoring and targeting protection around “mission-critical assets at an organisational level”.

From his experience, Molony said many organisations don’t have a strong handle on “the financial risk associated with cyber incidents”, which can lead to underinsurance for potential events and “imbalanced views on investment when it comes to asset protection”.

“If we can build a financial picture of exposure, aligned to a view on security posture, this will allow us to develop targeted investment plans evaluating Return on Security Investment including insurance,” Molony said.

In January, a Typetec annual survey of 200 SMEs revealed that their average cybersecurity budget for 2023 has dropped by more than 50pc compared to 2022. Despite that drop, Typetec said nearly 80pc of these businesses had experienced a cyberattack in the previous 12 months.

Molony also explained the benefits of good cyber risk management programmes, as they focus on “adequate protection for real threats and tailored risk scenarios”.

He said many organisations focus on server vulnerability or IT issues, but noted that “cybersecurity is much broader than that”.

“A long-running, robust, evolving program that speaks directly to the people of the organisation and their challenges makes a difference,” Molony said. “The evolving challenge for organisations is to treat cyber as an enterprise risk with top-down accountability.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic