BreachExchange mailing list archives

Police can't stop cybercriminals, but maybe insurers can


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 6 Nov 2014 19:56:20 -0700

http://www.zdnet.com/police-cant-stop-cybercrimals-but-maybe-insurers-can-7000035514/

Can insurers help cut cybercrime across UK businesses? Whitehall is hoping
so.

Most organisations are constantly being probed by hackers from across the
globe. However, stopping, investigating, or prosecuting attackers is all
but impossible as in most cases police lack (among other things) the
jurisdiction, skills, evidence, and motivation to pursue such cases.

This means most companies have been left to defend themselves against
hackers and they aren't doing a brilliant job: one survey suggested that
across a number of countries, there were 1.7 successful digital attacks per
company per week on average.

Encouraging the creation of an insurance market for online crimes could
help enforce standards of security, just as home insurers insist on a
particular type of locks on doors and windows before they will agree a
policy. This makes it harder for burglars to break in and potentially
reduces the burden on the police.

Earlier this week a dozen of the UK's biggest insurers met with the Cabinet
Office, officials from the Department for Business, Innovation and Skills,
and officials from surveillance agency GCHQ to discuss the issue.

The government argues that insurers are in a good position to encourage
businesses - small ones especially - to improve their cybersecurity by
asking tough questions about their breach and operational risk policies. At
the same time it also wants to promote London as a hub for the nascent
cyberinsurance marketplace. According to the Financial Times, despite the cost
of cybercrime, only around $150m in related insurance is bought by
businesses across Europe each year.

A group of insurers will look at issues such as how insurance can improve
cybersecurity practice in UK businesses, modelling the impact of
cyberattack scenarios on UK businesses, and how the insurance industry can
help reduce the impact of cyberattack on critical national infrastructure.
The group plan to report to the Cabinet Office by April 2015.

Cabinet Office minister Francis Maude said: "Cyber insurance does not
replace the need for good cybersecurity practice but is an added protection
for businesses in the event of breaches." But like any other form of
insurance the risk with insuring against cybercrime is that businesses
become less vigilant knowing they are protected, Maude continued.

Mark Brown, executive director of cybersecurity at Ernst & Young, said many
firms are now focusing on how they protect against the consequential
financial impacts of a cyber incident and are turning to insurance as a
mechanism to alleviate risk.

But he added: "Whilst insurance offers financial protection to businesses,
it does not incentivise businesses to invest in enhancing their cyber
security defences." He said organisations that demonstrate good
cybersecurity should be rewarded through lower premiums, adding: "This
would align to steps taken by insurers offering protection against wider
business interruption and ensure that such risks were being appropriately
managed by businesses and not just managed through insurance coverage."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
