Is cyber-insurance the answer in fighting cyber-attacks?

Ransomware such as WannaCry and Petya can greatly disrupt organisations and costs society billions of dollars. New cybersecurity risks emerge every day in our digitalised world. However, cybersecurity is often not up-to-date in organisations.

What makes organisations decide to invest or not to invest in cybersecurity? TU Delft and partners have started the CYBECO project to get more insight in this matter in order to increase societal resilience to cyber-security risks. Katsiaryna Labunets, postdoc researcher at TU Delft: ‘In this 2-year project we will investigate choices organisations make in relation to cyber-security and -insurance. It will give recommendations to improvements or alternatives to current institutional and governance frameworks. Furthermore it will result in a software toolbox that gives small and medium enterprises insight in potential risks and security investments’.

General Data Protection Regulation

The General Data Protection Regulation, which will become operational in the EU as of May 2018, will likely boost the interest in cyber insurance. As of that date companies will be liable for data leakages, and will therefore be more inclined to better protect themselves against attacks. They are also obliged to inform the public about the hack. ‘However, in general it takes up to 200 days before a hack is being discovered by a business, and damage is then already done. So this obligatory notification is not foolproof’, says Labunets.

Economic loss

Lloyd’s of London, an insurance market company based in England, has released a report according to which a massive cyberattack could result in $53 billion economic loss. This loss is similar to that of natural disaster of Superstorm Sandy in 2012. This is why the European Union has set the economics of cybersecurity high on the agenda and is also sponsoring CYBECO under the H2020 programme.