“Cyber insurance cannot replace relevant security technology”, explains Malcolm Randles, CEO of London Cyber Security, a company specializing in the assessment of risk management for the global cyber insurance industry. “I don’t think we will reach the point where an organization chooses an insurance policy over information security measures. Cyber insurance has two main purposes – covering financial losses suffered by third parties caused by cyber attacks, and covering the financial expenses involved in assessing, addressing and dealing with the resulting crisis. Insurance is not a protective measure against attacks”.

Whoever thinks cyber insurance is a new business is wrong. Cyber insurance as a stand-alone product has been available since 2004. According to Randles, everything started when an American multinational hardware and software manufacturer realized that its enormous insurance portfolio lacked true coverage for a newly evolved class of risk: cyber. The story goes that AIG was the first insurance company in the world to provide this stand-alone insurance policy.

Why is cyber insurance necessary? Well, one aspect is covering losses incurred by the company, such as the issuing of new credit cards in place of those that were compromised in a data breach. When we talk about a breach in which hundreds of thousands or even millions of cards are compromised, the losses from this event alone are substantial.

A second aspect relates to the expenses involved in handling the outcomes of the attack. This may include legal counsel, distributing notifications to customers, hiring a special team of professionals (forensics) to conduct the investigation while the company continues its ongoing operation, and defending the company against a class action lawsuit.

“Currently, insurance companies are having a difficult time correctly assessing the insurance applicants’ risk level”, explains Ram Levi, partner and founder of London Cyber Security. “We want to close this gap by preparing a customer risk profile for insurance companies. For this purpose, we use Israeli technologies. This is a process that will be beneficial not only to the insurance companies, but to the customer as well. From what we see today, many customers – particularly the small and medium-sized businesses – do not have adequate cyber protections in place. In the assessment we prepare, these gaps are revealed, so they can improve their business’s cyber security, and equally the insurance company gets a clearer understanding of the true state of the applicant’s infrastructure and breach protocols”.

The London Cyber Security team explains that one of the dilemmas a company faces after a cyber attack is whether to allocate IT department personnel to investigating the event or to the business’s ongoing operation. In most cases, the company’s IT department is already extremely loaded with ongoing activities, and any additional task can damage the business’s work. The insurance company funds and allocates experts on its behalf who investigate the event and free up the IT department to continue its usual work.

One of the many questions concerning cyber insurance is what the mandatory (I think he means minimum rather than mandatory) conditions are that a business should fulfill in order to qualify for cyber insurance. Is it necessary for the insurance company to utilize a third-party firm to assess the risk on its behalf? Or is it sufficient that the business conform to certifications such as ISO 27001? “Certifications are good and important, but one should remember that a certification only applies to the day it was issued. Over the course of a year, after the certification inspection, no one necessarily enforces the certification until the next inspection”, explains Randles.

“The risk assessment process reviews every element – technological and human – connected to information security, and is based on the business’s behavior under normal conditions. You can look at the certification and risk assessment processes as complementary layers. One possible course of action is for the insurance company to provide the business – through us – with ongoing cyber intelligence that would assist in converting the company’s protection from passive to proactive. This is what we want to implement with Israeli technology”.

A risk assessment is also important when an organization finds that it has been made an unwitting participant in a proxy attack against another organization. This is a situation where party A attacks party C through party B. In such a case, party C can sue party B for the damages caused by the cyber attack, even though it is possible that party B didn’t even know party A was using its facilities for the attack. “In such a case, the insurance company checks whether party A has implemented acceptable cyber protection practices”, explains Randles. “The business will need to demonstrate to the insurance company that it has done everything in its power to prevent other entities from using its facilities to attack a third party”.

Undoubtedly, cyber insurance is one of the “hottest” fields on the market today. Among other reasons, this is a result of the fear experienced by businesses that private claims or class actions will be filed against them following cyber attacks. This fear has particularly increased after the attack on Sony, which led businesses to realize that regardless of size and financial success, everyone is a potential target. However, in the final analysis everything adds up to money. In other words: how much the insurance policy would cost. If insurance companies required mandatory protections that cost businesses large amounts of money, small and medium-sized businesses would not be able to afford cyber insurance. Alternatively, if insurance companies lost money by providing this type of insurance, they would stop marketing it.

Another element that can affect the cyber insurance market is regulation. Just as every car owner is required to purchase mandatory insurance, the state could obligate every business to buy cyber insurance. However, based on the most recent draft of cyber regulation posted on the Internet, this doesn’t seem to be the direction in which things are going. In this area at least, the Israeli regulator seems to prefer leaving the cyber insurance component to the forces of the market.