BreachExchange mailing list archives

Cyber Insurance Offers More Than Just Protection Against External Cyber Attacks
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 11 May 2015 18:40:58 -0600

http://www.entrepreneur.com/article/246037

Massive data breaches have become so prevalent that they are no longer big
news. The cyber attacks that do grab headlines typically involve banks or
large retailers, in which tens or hundreds of millions of records may have
been stolen.

Because most businesses do not maintain confidential information on that
scale, the chances seem slim that smaller firms would be the target of
hackers. This may be one reason many businesses don't buy cyber insurance.
But that decision misunderstands the cyber risks smaller firms do face.

In fact, most claims under cyber-insurance policies don't involve Target-
or Sony-style attacks, but more mundane events. These might include
employee or contractor mistakes in handling information, a lost or stolen
laptop, the failure to change a dismissed employee's network permissions,
or the unfortunate practice of leaving system data exposed.

Clearly, then, small businesses are not immune from external attacks. They
also have less sophisticated data-security protections, making them an
attractive target: Only one employee has to fall for a phishing email or
click a link that imports a worm or malware before the network is
compromised, leading to costs that can severely impact a company’s
reputation and financial well-being.

An example: In 2013, the owner of a specialty t-shirt store, 80sTees,
received notices from banks about suspicious credit card charges. Upon
learning of the problem, the company stopped accepting credit cards,
recoded the company’s website so that it no longer stored credit card
information and notified approximately 3,500 customers that their personal
information may have been compromised.

The company assumed it was the victim of computer hackers. But the more
likely culprit turned out to be a former high-level employee who had set up
an unauthorized email account that captured information about credit card
transactions.

Despite the relatively small size of the breach, the response costs were
substantial. According to published reports, the breach caused $200,000 in
damages, not including lost sales during the period the company was not
accepting credit cards.

80sTees survived its breach. But not all firms do. In a 2012 study, the
National Cyber Security Alliance concluded that 60 percent of small firms
go out of business within six months of a breach. To mitigate the risk from
these events, then, and protect a firm's bottom line, companies should take
some basic remedial steps.

1. Businesses of any size must recognize that data security is not just an
IT problem but an enterprise risk-management issue.

Data-breach risks come from multiple sources, not just external threats.
Because data security should be administered on a companywide level, senior
management, not IT personnel, should set the company’s policies for data
management and protection, with IT’s input, of course.

2. As with any major business risk, insurance should be an integral part of
the equation.

At least once a year, companies should survey their insurance to ensure
adequate protection against cyber-related risks.

3. Businesses should not expect traditional insurance to cover this type of
loss.

Traditional products -- such as commercial general liability policies or
property policies -- are designed to cover bodily injury or damage to
tangible property. Data breaches and other cyber events, on the other hand,
involve damage to intangible assets such as information or computer
software. For protection against that risk, companies need cyber insurance.

Third-party cyber-risk policies protect against liability and other costs
arising from data breaches. These costs may include breach-notification
costs, free credit-monitoring for potentially affected customers, liability
and defense costs for civil lawsuits and costs to respond to regulatory
inquiries.

First-party cyber insurance protects the policyholder against business
interruption losses or costs to repair or restore lost data or software. In
the case of a breach, a forensic team probably will have to scour the
company’s system to identify and fix any problems -- and that process can
be expensive.

Cyber policies tend to offer targeted coverages for discrete harms, with
each coverage having a separate premium. One coverage part might apply only
to data breach notification costs and claims arising from civil lawsuits;
another coverage part might apply only to forensic costs to identify or fix
a breach; a third part might apply to the cost to respond to regulatory
proceedings.

Because cyber-related coverages tend to be compartmentalized, firms should
scrutinize the risks they face and ensure that their cyber policies
actually cover those potential losses.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com