Is cyber-insurance the answer in fighting cyber-attacks?

Ransomware such as WannaCry and Petya can greatly disrupt organisations and cost society billions of dollars. New cybersecurity risks emerge every day in our digitalised world, yet the security measures in place at many organisations often lag behind them.

What makes organisations decide to invest, or not to invest, in cybersecurity? TU Delft and partners have started the CYBECO project to gain more insight into this question, with the aim of increasing societal resilience to cyber-security risks. Katsiaryna Labunets, postdoc researcher at TU Delft: ‘In this 2-year project we will investigate the choices organisations make in relation to cyber-security and cyber-insurance. It will give recommendations for improvements or alternatives to current institutional and governance frameworks. Furthermore, it will result in a software toolbox that gives small and medium enterprises insight into potential risks and security investments’.

Cyber-insurance decisions

Cyber-insurance is a relatively new service. Labunets: ‘We will build models that bring together knowledge of the choices made by cyber attackers, insurance providers and owners of digital systems. Over the coming months I will be conducting interviews to better anticipate the behaviour of the different stakeholders and to identify gaps in directives, cybersecurity standards and cyber-insurance services’. An insurance policy could even be counterproductive in fighting cybercrime. ‘There is a risk that the insured party may feel it is not necessary to secure its data, since the insurer will cover potential losses. On the other hand, the insurer will also set minimum security requirements that insured parties must comply with’, says Labunets.

General Data Protection Regulation

The General Data Protection Regulation, which becomes applicable in the EU as of May 2018, will likely boost interest in cyber-insurance. As of that date companies will be accountable, and face fines, for breaches of the personal data they hold, and will therefore be more inclined to protect themselves better against attacks. They are also obliged to notify the supervisory authority of a personal data breach, and to inform the affected individuals when the breach poses a high risk to them. ‘However, in general it takes up to 200 days before a hack is discovered by a business, and the damage is then already done. So this obligatory notification is not foolproof’, says Labunets.

Economic loss

Lloyd’s of London, the insurance market based in England, has released a report according to which a single massive cyberattack could result in economic losses of $53 billion. That is comparable to the losses caused by Superstorm Sandy in 2012. The European Union has therefore placed the economics of cybersecurity high on its agenda and is sponsoring CYBECO under the H2020 programme.