Cyber Insurance: Security Tool or Hype?

Cyber insurance fits into the broader context of a security strategy focused on risk mitigation.

At an executive or board level, the risk from a security issue (sometimes referred to as a cyber event) can be rolled up into two main categories at a strategic level:

● Near-term costs incurred because of incident response, liabilities, notification requirements, fines, penalties, legal fees, and other such expenses.

● Long-term costs incurred because of damage to the business, damage to the brand reputation, loss of customer confidence, loss of business partners, and other such losses.

There are, of course, many different types of risks and threats that an organization faces. At the tactical and operational levels, an organization needs to prioritize these risks and threats and understand what people, process, and technology are required to properly mitigate those risks and counter those threats.

What we quickly realise when we look at risk from a strategic perspective is that it all comes down to cost. There are many details and moving parts to a holistic security program based upon a sound and strategic risk mitigation strategy. But when boards and executives think about security, they think about costs. What will it cost for me to mitigate the risk that I will suffer significant losses and incur significant costs in the event of a security incident or breach? As security professionals, we may not like the way that point of view feels, but it’s important that we understand it.

When we think of security in these terms, we can begin to see how cyber insurance fits into the broader context of a security strategy focused on risk mitigation. In some cases, people, process, and technology may be able to mitigate huge risks and huge potential costs for a reasonable investment. In other cases, the investment required to properly mitigate a risk through people, process, and technology may be disproportionately high. If that is the case, what is an organization to do?

This is where cyber insurance can play a role in rounding out an organization’s risk mitigation strategy. Of course, cyber insurance varies widely in what it covers and at what levels, so it’s important to thoroughly examine coverage when shopping around.
 
When considering cyber insurance, it’s important to think about what risks you’re most keen to mitigate and match those to different types of coverage that may be available.

Here is a partial list of commonly covered incidents from a white paper that my company recently published:

● Forensics: This is the cost of investigating and analyzing an attack, often done by a third party with specialized expertise.

● Notification expense: In many cases, a breached entity will be required by law to notify customers, partners or suppliers who have been impacted by a breach. Even if this isn’t a legal requirement, many firms do this to help manage their brand and business relationships during and after a breach.

● Public relations: Depending on the size of a breach, extensive communications with the press and the business community might be required.

● Business interruption: If systems or data are unavailable due to an attack, and business is disrupted, this can be covered. This is generally the highest expense — in 2014 organizations suffered an average of $204 million in business interruption costs due to cyber-attacks.

● Credit monitoring: It is becoming standard for companies that have been breached to offer consumers credit-monitoring services to protect them from any subsequent identity threat or financial fraud.

● Breach coaching: A breach coach is a high-level response coordinator, working with technical experts to isolate affected data, notify customers, retain necessary forensics professionals and manage crisis communications. A breach coach is often the first responder to an incident and helps the company triage the response to a breach.

● Legal costs: These can be hefty, as lawsuits filed against breached companies only add to all the business losses. Hiring legal experts and settling the lawsuits can add up to tens of millions of dollars.

● Regulatory fines: If any violations of regulations such as the Health Information Portability and Accountability Act (HIPAA) or Payment Card Industry (PCI) rules occurs, your organization may be fined.

It’s also important to remember what cannot be covered, such as theft of intellectual property and remediation of a breach. Of course, it goes without saying that policies vary widely, so it’s important to review the policy thoroughly and understand what is and is not covered.

It’s easy to cynically view cyber insurance as yet another fad creating noise in the already crowded security market. What’s harder is to truly understand all of the necessary components in a sound and strategic risk mitigation strategy. Cyber insurance, like any tool, will not solve all of an organization’s problems. But it can help an organization round out its risk mitigation strategy.

Security Week: http://bit.ly/1YUx2xW

« Mobile Spying – What’s Possible, Ethical Or Useful?
Could Bitcoin’s Blockchain Run An Entire City? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Caldew Consulting

Caldew Consulting

Caldew specialise in providing information assurance and cyber security consultancy, covering the full spectrum of the security life cycle.

Cyber Security Experts Association of Nigeria (CSEAN)

Cyber Security Experts Association of Nigeria (CSEAN)

Cyber Security Experts Association of Nigeria (CSEAN) is a not for profit group of professionals in the field of Information Security in Nigeria and Diaspora.

Quantivate

Quantivate

Quantivate is a provider of web-based Governance, Risk, and Compliance (GRC) software and service solutions.

Yubico

Yubico

Yubico sets new global standards for simple and secure access to computers, mobile devices, servers, and internet accounts.

G DATA CyberDefense

G DATA CyberDefense

G Data developed the world's first antivirus software. We now ensure the security of small, large and medium-sized companies all over the world.

sayTEC

sayTEC

sayTEC's mission is to develop and deliver next-generation products and services in encrypted data and voice transmission.

Quest Software

Quest Software

Simple IT management for a complex world. Whether it’s digital transformation, cloud expansion, security threats or something new, Quest helps you solve complex problems with simple solutions.

Arc4dia Labs

Arc4dia Labs

Arc4dia have developed SNOW, a cyber security solution to combat the world’s most sophisticated cyber threats.

Beyond Identity

Beyond Identity

Beyond Identity employs an elegantly simple concept, the personal certificate authority and self signed certificates, to replace passwords.

K2 Cyber Security

K2 Cyber Security

K2 Cyber Security delivers the Next Generation Application Workload Protection Platform to secure web applications and container workloads against sophisticated attacks.

Australian Cyber Collaboration Centre (Aus3C)

Australian Cyber Collaboration Centre (Aus3C)

The Australian Cyber Collaboration Centre (Aus3C) is committed to building cyber capacity and securing Australia's digital landscape.

SoloKeys

SoloKeys

SoloKeys provides the first open-source FIDO2 security key: Protect your online accounts against unauthorized access by using the most secure login method.

Truesec

Truesec

TRUESEC has an exceptional mix of IT specialists. We are true experts in cyber security, advanced IT infrastructure and secure development.

Mandiant

Mandiant

Mandiant deliver dynamic cyber defense solutions powered by industry-leading expertise, intelligence and innovative technology.

Certo Software

Certo Software

Certo are trusted experts in mobile security. At Certo, mobile security is not an afterthought, it’s what we do.

North Green Security

North Green Security

North Green Security is a UK-based cyber security training and consultancy company.