The Wall Street Journal has published an interesting article quoting Warren Buffett talking about cybersecurity insurance and his view that it is a bad risk.
Speaking at a Berkshire Hathaway Inc. meeting, Buffett said: “We can figure the probability of a quake or a hurricane but don’t know as much in cyber. It’s uncharted territory on the insurance side and will get worse, not better.”
In his remarks, Buffett discouraged the Berkshire Hathaway management from going too deep into the cyber-insurance market, commenting that they should go no further than “writing some cyber policies to remain competitive.”
Is Warren Buffett right to be so circumspect in his assessment of cybersecurity insurance?
That’s a matter for speculation, but one thing is for sure: broadly speaking, most companies are much better prepared for hurricanes and earthquakes than they are for cyber-attacks.
According to figures from AIG, only about 55% of Fortune 500 companies have cybersecurity insurance. Among smaller businesses, which make up the majority of enterprises, the figure is lower still: just 35% of small to medium-sized businesses are insured against cyber-attack.
Compare that to statistics on cyber-attacks recently released by the Australian Government, which show that cybercrime attacks have increased by 300% since 2015 and that 60% of smaller businesses that experience a major data breach go out of business within six months.
An insurance POV on cybersecurity
Paul’s expertise bridges cybersecurity, software design and insurance management, so I asked Paul to help me understand the cybersecurity/insurance formula better.
Me: I read an article recently where Warren Buffett said about cyber-insurance, “we can figure the probability of a quake or a hurricane but don’t know as much in cyber. It’s uncharted territory on the insurance side and will get worse, not better.”
Buffett seems to be circumspect about cybersecurity; why is it perceived to be such a tricky insurance proposition at the moment?
Paul W: The cyber-insurance industry is relatively new and it’s evolving. It’s a bit different to other insurance offerings because the cyber environment is always changing. There are new threat vectors being pushed out daily and that makes it difficult for insurers to calculate the potential losses. At the moment, insurers are relying on historical data to rate premiums and calculate probable loss events and I don’t think that approach to underwriting is sustainable long term. I think it’s that unpredictability that makes people like Warren Buffett uncomfortable with the market.
Me: So are there ways to make the cybersecurity situation more predictable?
Paul W: Cybersecurity forms part of an organisation's overall defences, but here’s the thing: most of the issues with respect to cyber events relate to humans, not machines or software. Configuring the human is the challenge. We need to better educate employees, contractors and third parties - all the people we do business with - about the impact a data breach can have. It’s a behavioural and attitudinal change and that sort of thing takes time.
Me: What are the main cybersecurity threat vectors?
Paul W: With the proliferation of end-points, there are really a lot of cyber-threats now that organisations need to be prepared for.
You have the well-known ransomware-type event; simple but quite dangerous.
We’re seeing rapid evolution of BEC (business email compromise), which is becoming more sophisticated in the way victims are lured. There’s also the rise of user credential farming to think about. That’s a very serious issue because it provides the cybercriminals with front-door access to organisations. Rather than trying to break through the cyber perimeter that most organisations have in place, they’re just tricking people into letting them straight in. Those are the areas of cybercrime that we’re seeing on a frequent basis.
Me: Paul, what are the most important things to do if your company is getting cyber-insurance?
Paul W: An off-the-shelf cyber-insurance product isn’t necessarily going to be the right approach. Cyber-insurance is complex and needs to be tailored to suit an organisation's specific risk profile. My advice to managers is: before purchasing cyber-insurance, your organisation first needs to undertake a detailed risk analysis of its business. That should include looking at your own data assets as well as relationships with third-party service providers. The second and most important element of the risk assessment process is to find out what level of cover is required for each of the risk areas you’ve identified. Once you’ve done that detailed analysis, then you’re ready to insure.
Protect the bottom line
Cybercrime can result in massive financial losses, but it’s not just the immediate theft that’s the problem; very often cyber-attacks leave a company’s computer systems crippled or corrupted, and that can bring an entire business operation to a grinding halt.
"When it comes to cybersecurity, being prepared isn't just having a wall that will block and protect from attacks. Instead, being prepared means minimising risk... No police force can guarantee that they will eradicate crime completely. But we can make it a lot harder if the windows aren't open, the doors are locked, and there is a strong cop on the beat."
Prevention is really the only effective strategy for dealing with cybercrime. We have to use every defensive resource available to us; one protective layer just isn’t going to cut it. It would be great to see more businesses taking out cyber-security insurance to help them cope if the worst happens and they are attacked. But insurance can only help a company recover financially; it cannot undo the operational and reputational damage of a data breach or ransomware incident.
Whether or not your company has cyber-security insurance, you need a proactive defensive policy.
New regulatory regimes like Australia’s Notifiable Data Breaches (NDB) scheme and the GDPR, which impose mandatory breach notification and serious penalties on companies that fail to protect the personal data they hold, make it more vital than ever for every business to acknowledge and address its cybersecurity responsibilities.
Businesses are losing millions of dollars to cyber-attacks that could have been prevented. A lot of CEOs see cybersecurity as an IT issue and leave it to their IT departments to take care of; but good cybersecurity policy is a leadership issue, and it requires the involvement of all levels of management, with a commitment to educating every member of the team.
- Audit your data and IT resources
- Seek professional guidance on establishing a cybersecurity policy
- Enable effective endpoint security
- Deploy cloud-based threat protection to prevent malicious incursions
Once your company has taken these essential steps to protect itself from cyber-attack, then you will be in a better position to consider your insurance needs.
Tackling the challenges of cybersecurity implementation can be daunting for non-technical people, and that includes most CEOs.
If you’re unsure where to start, you should download and read my e-book: Surviving the Rise of Cybercrime (a Non-Technical Executive Guide).
It’s a plain English handbook explaining the most common cyber-threats and it provides essential guidance on managing business risk in the online sphere.
Rob Sloan, Cybersecurity Research Director at Wall Street Journal, said this about my book:
“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.”
Download your copy of Surviving the Rise of Cybercrime for free, here.
Hi, I’m Craig McDonald; MailGuard CEO, founder of GlobalGuard and cybersecurity blogger.
Follow me on social media to keep up with the latest developments in cybersecurity; I’m active on LinkedIn and Twitter.
I’d really value your input so please join the conversation.