BreachExchange mailing list archives

Cyber security: what the hack?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Nov 2015 19:35:46 -0700

http://www.deallawwire.com/2015/11/19/cyber-security-what-the-hack/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-Original

In a previous blog post, we discussed how to manage cyber security risks
during the negotiation and due diligence stages of an M&A transaction. In
this post we discuss cyber security insurance as a tool for managing this
unwelcome risk.

The cyber security risk

Although businesses have been ramping up their information security
systems, the pace of cyber security breaches is not slowing down. One study
estimates that cybercrime will cost businesses $2.1 trillion globally by
2019. And, as recent security breaches have taught us, a security breach
can have reputational, moral, and deeply political complications. The 2014
hack of Sony Pictures cost the company $100 million, derailed plans for the
distribution of a movie concerning North Korea, and raised ethical questions
about the appropriate response to cyber terrorism.

On top of this, businesses will soon face stricter legal requirements
around the disclosure of security breaches in Canada. New rules regarding
the mandatory disclosure of security breaches were approved by Parliament
in June 2015 and may come into force at any point. The Digital Privacy Act
amends the Personal Information Protection and Electronic Documents Act and
requires that an organization report any breach of security safeguards that
reasonably creates a real risk of significant harm to an individual.
Notification must be made to the Privacy Commissioner and to the individual
involved. Significant harm under the statute includes financial loss,
bodily harm, damage to reputation or relationships, and loss of employment,
business or professional opportunities.

Cyber security breaches and their associated financial, reputational, and
regulatory risks are here to stay.

Insurance as part of the solution

While the key to managing cyber security breaches will always be to
implement strong data protection systems, cyber security insurance is
becoming a popular way to address the financial consequences of cyber
security breaches. A cyber security policy insures against risks to a
company’s information technology and data assets, and leaves the insurance
company with the uncertainty of actual damages in the case of a breach.

In the context of M&A, the problem with cyber security risk is valuing and
allocating risk among parties. Similar to reps and warranty insurance
(which we discuss here), cyber security insurance allows a company to
allocate risk by transferring some to the insurance company and leaving the
buyer and seller to allocate any remaining risk that falls outside the
policy. Cyber security insurance is also valuable before M&A. Having a
policy in place may help ease concerns of acquirers as the insurance would
cover security breaches that may have already occurred prior to closing but
have yet to materialize. This has been found to hold true in jurisdictions
that have data breach notification laws like the ones currently pending in
Canada. Coverage can be a standalone product or can be built into existing
policies such as business continuity insurance or supplier chain insurance.

Cyber security risk represents a new and significant risk to businesses.
Simply being aware of this risk is critical in an M&A deal. Once
recognized, however, placing appropriate security measures, conducting IT
due diligence, and allocating risk by way of negotiation or insurance will
help all parties cut through data breach uncertainty and settle material
issues efficiently.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
