The cyber threat is becoming more and more pressing and insurance coverage against cyber risk is growing among the defense strategies adopted by companies.
In fact, in the last year, insurance policies reportedly increased by 300%. The insurance industry has for some time offered specific formulas to deal with this emergency, and companies, faced with the continuous increase in attacks and intrusion attempts, are increasingly choosing to adopt a system that can compensate for any damage deriving from a successful attack.
Certainly, the insurance policy falls within what are defined as "risk management policies", but it cannot be a company's only response to the growing threat. Rather, insurance finds its place in an overall ecosystem of attention, prevention, management and recovery aimed at minimizing the risk of a breach and the potential impact of unauthorized access on the corporate IT infrastructure.
This is obviously a relatively new risk area, the result of technological evolution and an increasingly computerized global context to which insurance companies have adapted, creating ad hoc solutions with relatively minimal differences from one company to another.
During these months of pandemic, owing to a significant increase in remote working and consequently in IT risk, the number of companies that have taken out this type of insurance coverage has grown, starting with small and medium-sized enterprises. In times of crisis, it seems that spending on IT security has increased by 4%, also confirming a greater awareness of risk.
Are insurance policies the solution to counter cyber risk?
Absolutely not. In the United States, policies have grown, but the cost of insurance premiums has also risen: the risk of having to compensate for damages deriving from cyber attacks is decidedly high, which makes the current insurance model less and less profitable. Defining cyber risk is definitely more difficult than in other areas because it is still new and, above all, highly dynamic, with variables that are difficult to predict. In short, the cost of claims can only grow and so can the demand from companies.
Alongside the difficulty of a correct risk assessment, there is the difficulty of producing an accurate and realistic estimate of the damage suffered. Quantifying the damage resulting from a successful cyber attack is far from easy. The difficulties concern both direct damage, for example deriving from the unavailability of an e-commerce site for a certain number of days, and indirect damage, for example reputational damage. In cases of industrial espionage, quantifying the damage appears even more difficult. In addition, a company often does not even notice that it has suffered data theft, or realizes it only after a long time.