Cyber attack insurance – is it worth the money?

Demand for cyber attack insurance has risen significantly in the past year, according to one broker, which raises the question – can you insure against the risk of cyber attack?

The answer is – it depends. Firstly on what you are defining as cyber attack, and secondly what the likely impact is. Large organisations that have recently reported significant compromises (such as Apple and Microsoft) appear to have continued on with no apparent consequence (and indeed have gained some kudos for standing up acknowledging the problem).

Presuming the aim of the attackers was industrial espionage, then the consequences may not become apparent for some time, if ever (as it can be hard to pin loss of market share on any one factor). As a rule of thumb though, espionage is not a zero sum game. If there is something to be gained by by stealing your commercial secrets, it usually means you will lose out at some point. So could you realistically insure against this loss? Insurance relies on quantifying impact in someway which in this case would be very hard to do.

Attacks that have a more direct impact, such as a denial of service attack against a commercial website, may have a more quantifiable impact (we do revenue amount X per hour, and could not trade for 12 hours, X * 12 = loss). Less easy to quantify is the loss in customer confidence and damage to reputation that comes from being unable to deliver a service.

In other words, whilst it may be able to insure against some of the cost of a cyber attack (depending of course on the definition of the term), it is not possible to pass all of the risk and financial consequence to the insurance company. Companies considering insurance like this should think very carefully about they are buying and likelihood, and usefulness, of any payout.