Cyber Insurance: Security Tool or Hype?

Uploaded on 2016-05-25 in FREE TO VIEW, INTELLIGENCE--International, NEWS-Cybersecurity News

Cyber insurance fits into the broader context of a security strategy focused on risk mitigation.

At an executive or board level, the risk from a security issue (sometimes referred to as a cyber event) can be rolled up into two main categories at a strategic level:

● Near-term costs incurred because of incident response, liabilities, notification requirements, fines, penalties, legal fees, and other such expenses.

● Long-term costs incurred because of damage to the business, damage to the brand reputation, loss of customer confidence, loss of business partners, and other such losses.

There are, of course, many different types of risks and threats that an organization faces. At the tactical and operational levels, an organization needs to prioritize these risks and threats and understand what people, process, and technology are required to properly mitigate those risks and counter those threats.

What we quickly realise when we look at risk from a strategic perspective is that it all comes down to cost. There are many details and moving parts to a holistic security program based upon a sound and strategic risk mitigation strategy. But when boards and executives think about security, they think about costs. What will it cost for me to mitigate the risk that I will suffer significant losses and incur significant costs in the event of a security incident or breach? As security professionals, we may not like the way that point of view feels, but it’s important that we understand it.

When we think of security in these terms, we can begin to see how cyber insurance fits into the broader context of a security strategy focused on risk mitigation. In some cases, people, process, and technology may be able to mitigate huge risks and huge potential costs for a reasonable investment. In other cases, the investment required to properly mitigate a risk through people, process, and technology may be disproportionately high. If that is the case, what is an organization to do?

This is where cyber insurance can play a role in rounding out an organization’s risk mitigation strategy. Of course, cyber insurance varies widely in what it covers and at what levels, so it’s important to thoroughly examine coverage when shopping around.
 
When considering cyber insurance, it’s important to think about what risks you’re most keen to mitigate and match those to different types of coverage that may be available.

Here is a partial list of commonly covered incidents from a white paper that my company recently published:

● Forensics: This is the cost of investigating and analyzing an attack, often done by a third party with specialized expertise.

● Notification expense: In many cases, a breached entity will be required by law to notify customers, partners or suppliers who have been impacted by a breach. Even if this isn’t a legal requirement, many firms do this to help manage their brand and business relationships during and after a breach.

● Public relations: Depending on the size of a breach, extensive communications with the press and the business community might be required.

● Business interruption: If systems or data are unavailable due to an attack, and business is disrupted, this can be covered. This is generally the highest expense — in 2014 organizations suffered an average of $204 million in business interruption costs due to cyber-attacks.

● Credit monitoring: It is becoming standard for companies that have been breached to offer consumers credit-monitoring services to protect them from any subsequent identity threat or financial fraud.

● Breach coaching: A breach coach is a high-level response coordinator, working with technical experts to isolate affected data, notify customers, retain necessary forensics professionals and manage crisis communications. A breach coach is often the first responder to an incident and helps the company triage the response to a breach.

● Legal costs: These can be hefty, as lawsuits filed against breached companies only add to all the business losses. Hiring legal experts and settling the lawsuits can add up to tens of millions of dollars.

● Regulatory fines: If any violations of regulations such as the Health Information Portability and Accountability Act (HIPAA) or Payment Card Industry (PCI) rules occurs, your organization may be fined.

It’s also important to remember what cannot be covered, such as theft of intellectual property and remediation of a breach. Of course, it goes without saying that policies vary widely, so it’s important to review the policy thoroughly and understand what is and is not covered.

It’s easy to cynically view cyber insurance as yet another fad creating noise in the already crowded security market. What’s harder is to truly understand all of the necessary components in a sound and strategic risk mitigation strategy. Cyber insurance, like any tool, will not solve all of an organization’s problems. But it can help an organization round out its risk mitigation strategy.

Security Week: http://bit.ly/1YUx2xW

« Mobile Spying – What’s Possible, Ethical Or Useful?
Could Bitcoin’s Blockchain Run An Entire City? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

eco

eco

eco, with more than 950 member organizations, is the largest Internet industry association in Europe.

CyberDef

CyberDef

CyberDef is a consulting company specialising in cyber defence services for small and medium enterprises.

Dreamlab Technologies

Dreamlab Technologies

Over the last 20 years, Dreamlab Technologies has established itself as a source of constant innovation within the information security landscape.

IBLISS Digital Security

IBLISS Digital Security

How cyber-resilient is your business now? We help companies to continuously answer this never-ending C-level question.

DarkLight

DarkLight

DarkLight is a cybersecurity platform that mimics human thinking at scale to build resiliency to Advanced Persistent Threats.

Business Hive Vilnius (BHV)

Business Hive Vilnius (BHV)

BHV is one of the oldest startup incubator and technology hubs in the Baltics, primarily focused on hardware, security, blockchain, AI, fintech and enterprise software.

UltraSoC Technologies

UltraSoC Technologies

Startup Capital Ventures

Startup Capital Ventures

Startup Capital Ventures is an early stage venture capital firm with a focus on FinTech, Cloud/SaaS, Security, Healthcare IT, and IoT.

Alcon Maddox

Alcon Maddox

Alcon Maddox is a niche recruitment and executive search firm specialised in sourcing exceptional Cyber Security sales and commercial leadership talent. Serving clients across the Middle East & Europe

e5 Lab

e5 Lab

e5 Lab seeks to develop solutions to challenges faced by the shipping industry including digital transformation, autonomous technologies and big data in order to promote safe and efficient operations.

Ethiopian Cybersecurity Association (ECySA)

Ethiopian Cybersecurity Association (ECySA)

ECySA was formed to play an influential part in the ongoing and dawning cybersecurity practices of Ethiopia, efficiently creating public and private awareness on all kinds of cyber risks and threats.

COPA-DATA

COPA-DATA

COPA-DATA is the only independent software manufacturer to combine in-depth experience in automation with new possibilities of digital transformation – reliable, future-proof and operating worldwide.

CNF Technologies

CNF Technologies

CNF Technologies is an award-winning cyber company providing technology-focused research and development to commercial, federal, and Department of Defense clients.

Liberty Technology

Liberty Technology

Liberty Technology has a host of highly trained, certified experts who assist our clients with immediate remote support as well as on-site service.

Downdetector

Downdetector

Downdetector helps people all over the world understand disruptions to vital services such as the internet, social media, web hosting platforms, banks, games, entertainment, and more.

Velstadt Cybersecurity

Velstadt Cybersecurity

Velstadt's team of experienced professionals works on identifying vulnerabilities, analyzing threats, and developing strategies to ensure the highest level of security.