National Cyber Directorate: Businesses Are Unaware of Need for Cybersecurity Insurance

While major Israeli corporations have taken measures to protect themselves, those in the civilian business sector have yet to consider such cautions

A Cyber Week conference at Tel Aviv University, June 26, 2019.
Avishag Shaar-Yashuv

Only 13% of Israeli companies have insurance covering the risks posed by cyberattacks and many senior executives at Israeli companies in fields like agriculture, construction and wholesale commerce are not even aware that insurance is available to cover the risk, according to results of a survey conducted by the National Cybersecurity Directorate, released last week.

The survey was commissioned as part of an effort to develop recommendations regarding cybersecurity insurance. Security agencies and major Israeli corporations are well aware of how to protect themselves from cyberattacks, but the issue is being neglected in the rest of the civilian business sector.

Cybersecurity insurance is considered an area of potential growth for insurance companies. Sales have grown sixfold in the past five years and the market is continuing to expand at a similar pace.

The National Cyber Directorate is part of the National Cyber Authority, which was established in 2015 to address the growing threat that the business sector has been facing from cyberattacks. The directorate’s survey polled executives and decision-makers in a range of business sectors and insurance companies. Respondents said the main reasons for purchasing business cybersecurity insurance are risk management and their obligation to their customers and investors.

By contrast, their main reasons for not purchasing the insurance coverage is a lack of awareness about the threat posed by cyberattacks and the absence of an economic feasibility in purchasing coverage. Many respondents from industry, agriculture, construction and retailing admitted not knowing that cybersecurity insurance even existed for their companies. But contrary to the impression that many cybersecurity experts have, when companies do purchase the insurance, it is generally an additional budget item and does not come at the expense of the companies’ existing cybersecurity budgets.

The Cybersecurity Directorate said that among the challenges the insurance companies face in getting businesses to buy cybersecurity coverage are first of all a lack of knowledge, since it is a relatively new product and businesses don’t have actuarial information about the risks they face. It is also difficult to quantify the risk from a cyberattack. This tends to boost the cost of the insurance and limit the extent of coverage, which may be capped at a level that does not fully compensate an affected business.

A second challenge is a lack of demand for the insurance, which is often a result of businesses’ ignorance of the risk involved and the benefits that coverage would provide. Then there is the process of underwriting for the insurance, which is not terribly exacting. It generally involves a simple questionnaire rather than a more comprehensive survey of a company’s technology or ongoing monitoring of the risk posed to the firm’s operations.

But insurance companies are coming around to understand the importance of systematic monitoring of businesses they insure to assess the risk of harm that cyberattacks can cause, and how to minimize it. Several Israeli start-ups are offering the technology to do so.

As the Cybersecurity Directorate sees it, insurance is an essential aspect of what is required for the economy to recover from a major cyberattack. The directorate is currently promoting a new program designed to encourage the purchase of coverage, including direct contact with the management of companies to suggest that they get the coverage.

It is also seeking to educate insurance agents on the issue, improve the nature of the coverage and regulate insurance services in the field. The directorate is developing technology to help set uniform measures when it comes to managing the risk and assessing the preparedness of businesses and government agencies in facing cyberattacks.

Teething pains in a new field

Shani Sharvit, the senior department director for policy and organization at the directorate, noted that cybersecurity is a relatively new field and there are gaps in understanding how to manage, protect from and assess the risk of the threat.

“The technology process is complicated. There is an absence of sufficient information on past events and a difficulty assessing the probability that an organization would in fact be attacked, in addition to the difficulty in estimating the cost of the attack. This makes the evaluation by insurance agents difficult. Insurance companies understand the risk and are learning how to prepare for it,” she said.

A recent study that the Cybersecurity Directorate undertook in cooperation with Lloyd’s insurance made an economic damage assessment of a catastrophic worldwide cyberattack at $193 billion. But as of this year, insurance companies in the field project that they would be required to pay out $27 billion in insurance claims, meaning that companies and countries would in large measure be left to fend for themselves in recovering from such a catastrophe.