BreachExchange mailing list archives

Are you cyber insurance fit?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 28 Sep 2015 18:09:30 -0600

http://www.lexology.com/library/detail.aspx?g=5bac313a-b120-47d0-9e80-59c75106b468

Cyber security is amongst the leading risks for organisations around the
globe but relatively few (outside the US) have purchased standalone cyber
insurance policies. That appears about to change as organisations give
serious consideration to whether the financial cost of cyber attacks can be
transferred to insurers.

What can be covered?

1- Indemnifiable first party losses including, for example, crisis
management costs (such as legal and public relations costs), data privacy
and security breach notification expenses, forensic investigation costs,
network business interruption (which would not ordinarily be covered under
traditional property/business interruption insurance), reputational damage
(although this may be constrained to public relations costs),
reconstitution of damaged digital assets/software and cyber crime/extortion
(which may be covered under traditional comprehensive crime insurance).
2- Indemnifiable third party liability exposures (where someone else has
suffered the loss) including, for example, third-party liabilities for data
privacy and security breaches, multi-media liability from published
content, defence costs, regulatory investigation costs and potentially some
fines and penalties.

How is the landscape changing?

In the US, take-up has been relatively high amongst large organisations
driven by laws mandating notification of data breaches. These notification
requirements can give rise to significant potentially indemnifiable costs
of, for example, large-scale customer contact exercises, setting up call
centres, forensic investigations and credit/identity-theft monitoring – as
well as third party liabilities and regulatory fines/penalties.

Given the increasing threat, sophistication and profile of cyber attacks,
we believe that the take-up of cyber insurance is likely to increase quite
markedly outside of the US as organisations develop a better understanding
of the nature and severity of the risk and what insurance can (and cannot)
do for them.

There are already signs of this happening, not least in Asia.

Another real driver in the short to medium term is likely to be the
introduction of privacy laws mandating notification of data breaches, which
are on the cards in Europe, some Asian countries and Australia.

If the US example is anything to go by, these changes are likely to fuel an
increased understanding of the cyber risk, and an improvement of internal
policies and controls, leading to a substantial uptake in cyber insurance
around the world.

However, more needs to be done to overcome some common hurdles.

Firstly, understanding the full range of cyber risk – Some large
organisations, such as banks, tend to invest heavily in cyber security. But
others are simply not geared up to deal with cyber risk, carriage of which
often rests with IT departments (who may not be thinking about insurance).
As such, the organisation is left ill-equipped to evaluate and quantify the
potential impact of a security breach, let alone engage in stress testing
or recovery planning.

In these circumstances, substantial work may be required before the
organisation is ready to consider the pros and cons of insurance cover and
be seen by the market as insurable.

Secondly, understanding insurance policies – Many senior managers are
unaware whether or not the organisation has bought cyber insurance or have
misconceptions about whether such insurance is required and what it may
cover.

Further confusion may arise from the fact that aspects of cyber cover can
be found in various traditional classes of business (such as comprehensive
crime and professional indemnity insurance), which may result in a
misunderstanding or overestimation of what is covered – in reality, there
are many gaps (the costs of dealing with data privacy breaches or network
business interruption are good examples).

Thirdly, issues with the coverage presently available – There is a degree
of scepticism about the efficacy of standalone cyber insurance policies,
which are often complex and lack uniformity across the industry.
Underwriters are also struggling to get a real handle on cyber risk and how
to quantify it. This is not helped by a dearth of underlying claims data to
model the risk.

Large policyholders in particular may face market capacity limitations, not
least given concerns about systemic aggregation risks – for example,
exposure to multiple policyholders using the same Cloud service provider to
store data. The result is that cover may be expensive (relative to other
classes of business) or not as extensive as the policyholder would ideally
like.

Cyber security risk will continue to evolve and so organisations must
continually do all they can to protect their valuable assets and those of
their customers. Cyber insurance is a tool in that arsenal and should not
solely be relied upon in the fight against cyber crime.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/