BreachExchange mailing list archives
Cyber insurance: Dare leave home without it
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Feb 2015 18:56:41 -0700
http://www.washingtonexaminer.com/cyber-insurance-dare-leave-home-without-it/article/2560409?custom_click=rss

When a mid-February report revealed that more than 100 banks were hacked in what appears to have resulted in over $1 billion stolen from these financial institutions, it was just another reminder of how ubiquitous cyberattacks have become.
From Sony’s systems shutdown to data breaches against Target, Neiman Marcus and Coca Cola last year, virtually every company has been the target of cyberattacks, the occurrence as daily as waking up with a stretch. Not all the illegal intrusions are successful, the combination of firewalls, encrypted transmissions and stern warnings to employees about phishing doing their duty. But, with hackers increasingly deft at ferreting out security weaknesses, no company is Fort Knox.

This is made clear by a January 2015 study by the Ponemon Institute, which conducts independent research on the incidence and cost of cyberattacks. In 2014, the benchmark sample of 59 U.S. companies surveyed annually by the institute experienced 138 discernible attacks per week, which translates into 2.34 successful attacks each week, working out to $12.7 million in average annualized costs. Most companies prefer to keep this information close to the vest, given the reputational damage its release would cause.

The volume of successful attacks is a sobering jolt, yet most companies fail to buy insurance to transfer the loss to an insurance company. According to the Ponemon Institute, roughly one-third of companies buy cyber insurance. Given the recent bank hackings, security experts and insurance professionals believe this decision should be carefully reconsidered.

“As more well-known companies are attacked and the success rate of hackers increases, this simply reinforces the need for insurance protection,” said Ken Goldstein, worldwide cybersecurity manager at Chubb Group of Insurance Companies.

Why Companies Fail to Buy

There are several reasons why many companies pass on buying cyber risk insurance. Chief among them is the product’s complexity — there is no one-size-fits-all cyber insurance policy. Different industries and professionals require different types of insurance coverage, which are treated in different ways by the few insurers offering the coverage.
“Our study indicates that companies are inhibited from purchasing the policy because they have concerns about all the confusing exclusions, restrictions and uninsurable risks that are in them,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

This is beginning to change. “Several insurers are becoming more explicit about what is covered and what isn’t covered,” said Robert Parisi, national practice leader for technology and network risks at insurance broker Marsh in New York. “We’re also seeing the addition of endorsements to policies giving buyers the added protections they want.”

Another factor dimming interest in the product is its expense, which is based on the policy applicant’s previous loss history, industry sector and the desired financial limits of insurance protection. For $1 million in insurance, the premium can cost $1,000 annually for a one-person psychologist’s office, and upwards of $85,000 a year for a $4 billion pharmacy benefits management company. In this era where every corporate penny counts, perhaps the premium is money better spent elsewhere.

But, with the recent bank hackings and the Ponemon Institute figures, companies may want to reappraise the value of the insurance. One forceful reason to buy it is that it compels better security risk management. “The insurers in the market generally require [policy] applicants to submit to a risk assessment of their security systems and procedures,” Parisi noted. “If not up to snuff and the company is denied insurance, it at least now knows where its vulnerabilities reside to strengthen them.”

If the applicant is given a green light to buy the insurance, the company also receives free services in the aftermath of a data breach such as crisis management, victim notification and credit monitoring. Several insurers also will provide a free forensic analysis of how the cyberattack occurred. Interestingly, the companies that buy cyber insurance become more secure after the fact.
Ponemon said that 62 percent of respondents to his institute’s survey believe the insurance has made their companies “better prepared to deal with security threats going forward.”

All in This Together

There’s another reason why buying cyber insurance makes sense — the more companies that purchase it, the better the U.S. government’s insight into cybercrime. “A key ally in the fight against cybercrime is the insurance industry,” Ponemon said. “Insurance companies share intelligence with different industry groups and with government agencies investigating these crimes.”

He is referring to the National Council of Information Sharing and Analysis Centers, whose mission is to advance the physical and cybersecurity of the critical infrastructures of North America. Many cyber insurance companies and insurance brokerage firms are members of the council.

If companies continue to maintain their dubiety over the need for the insurance, it is doubtful that the federal or state governments will require its purchase. “I don’t see a formal mandate,” Goldstein said. Neither does Parisi. “I think we’ll see a lot of legislation around security standards, but not insurance buying,” he said. “That said, a public company that does not have the insurance will have a lot of explaining to do to its shareholders why it didn’t buy it in the wake of a severe hacking.”

Legislation governing security standards already exists in the healthcare sector (the Health Insurance Portability and Accountability Act) as well as in the financial services industry (the Federal Information Security Management Act). Nearly all states also require businesses to notify them immediately in the aftermath of a data breach. Some sectors, like the payment card industry, mandate their own security standards. “When industries do this, they become quasi-regulators,” said Nadia Hoyte, senior vice president of the FINEX division of insurance brokerage firm Willis in New York.
Other industries are expected to follow suit. Nevertheless, as the bank hackings demonstrate, neither regulations nor top-notch security guarantees a company will not be hacked. Insurance is designed to address such possibilities.

It’s important to note that even with insurance coverage, a company can still be on the hook for millions of dollars in losses, as no insurer provides unlimited financial protection. With more than 100 banks collectively losing more than $1 billion, the insurance industry does not have the capital to take on many more losses of this size. To absorb the rest, the U.S. government could step in much like it did in 2002 with the Terrorism Risk Insurance Act. The legislation created a federal backstop for insurance claims related to acts of terrorism, picking up the brunt of losses beyond those absorbed by commercial insurers. A couple more hackings like the recent bank debacle, and this is not a farfetched reality.

All the interviewees believe that as time wears on and more hackings open eyes, companies will reach out to insurance companies to spread their risk of loss. Both Parisi and Hoyte, for instance, said they would not be surprised if the purchase of cyber insurance becomes mainstream corporate practice by 2020. Ponemon agrees. As he put it, “Things will only get worse before they get better.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/