Unspeakable amounts of money are spent to cover the consequences of cybercrime. It takes 11 million rubles for major companies, and 1.6 million rubles for medium and small ones to tackle a single hack, according to a survey by Allianz. The company concludes that 67% of Russian companies aren’t ready to deal with cyber attacks. Positive Technologies told RG that there had been several major incidents in the bank industry that had something to do with organized cybercrime groups sending phishing letters to banks to gain access to their infrastructure and withdraw money. One of such instances is an incident in a major bank where an equivalent of 2 million rubles was stolen from its ATM’s overnight.
Last year, 42% of Russian companies have lost information in cyberattacks at least once.
While at least one third of companies is insured agains cyberthreat in the U.S., the market is only emerging in Russia. Main actors there are Western insurers like AIG, GrECo, JLT Group, Horizont and Arsenal.
“Cyberinsurance market in Russia requires thorougly conceived government policy in this regard, which involves major market players,” says Tim Klau, technology development head at PwC Russia. “Cyberinsurance could be an efficient tool to mitigate IT security risks, and it should be considered in the context of corporate risk management programs.”
Experts believe that insurance against cyberthreats is still not really popular. “When companies make their decisions as to should they spend their money on improving security or insurance, they usually choose the former option,” says Sergei Tiunov, managing partner at BDO Unicon Outsourcing. The cyberinsurance market is only forming in Russia. Quite recently, Sberbank Insurance Broker has launched a few programs for protection of data operators and digital businesses.
Insurance is a way to save expenses in case of personal data leakage
An insurer told RG that the cost of such policies and difficulties in assessing insured risks are the two factos hindering development of this kind of insurance. This is the issue widely discussed in the midst of insurers today. There is some demand for such policies. According to Vladimir Trofimenko, the CEO of multipurpose centers My Cabinet, the infosecurity market grows by nearly 25 per cent a year. This involves companies operating databases of personal information like cellular operators, utilities companies and banks. In such cases, a leakage or a loss may result not just in reputation risks, but also in quite real expenses on restoration of databases.“Insurers offer protection not against cyberattacks but against their consequences,” says Yuri Nekhaichiuk of a major insurance company. “In this case, insurance is a way to protect oneself against leakage of personal data, or financial information on a business.”
IT security is a specific insurable interest. “It’s virtually impossible to assess the losses, and pretty hard to determine whether security level in the company is in compliance with best practices, was there a negligence, or the specialists actually did the best they could,” says Bolage Seidler, co-founder and CTO of Balabit. Those two issues complicate the process of cybersecurity-related situations modelling. The extent of possible divergence between expectations of a customer and the insurer’s capabilities can be pretty high.
The speed of cyberthreat unfolding dictates the necessity of new additional tools to minimize risks, SPSR Express security director Dmitri Manannikov believes. As protection systems alone cannot suffice any longer, such products have their demand. However, there’s an important nuance being the fact that insurers tend not to make the concluded contracts public as such information could be used as an indirect confirmation that a bank’s IT system is vulnerable, and therefore draw attackers’ attention, the head of Insurance and Social Economy Department at the Russian Government Financial University Alexander Tsyganov believes. He added: “Nearly all major insurers in Russia have an option of such a policy, and there’s a single-time practice of re-insurance. Prior to concluding a contract, the insurer always surveys the customer’s security systems and issues recommendations as to preventive measures that became mandatory once the contract is signed. This also increases the level of protection agains cyberattacks.”
Comment
Eugene Lifshitz, head of cybersecurity agency:Losses because of cyberattacks are beyond counting, mostly because companies rarely make the facts publicly available. It’s a major blow on their business image and reputation. Generally, they spend 3 to 4 per cent of operation budgets on IT, with only a minor share of those assets accounting for information security. Particular sums depend on what business we’re talking about. I’d estimate Russia’s cybersecurity market at 60 billion rubles, which is less that 10 per cent of the entire IT market in Russia. Many foreign companies mandatorily insure themselves against cyber risks, and the product isn’t that expensive.
Source:
Subscribe to our publications
We write only about the most important. You will be the first to know about economic events that affect your business, how to reduce costs, optimize the company's operations and make the right management decisions without immersion in operational processes.
Subscribed
