BreachExchange mailing list archives

Insurance payout ‘threat’ a push for better cyber-safety


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 13 Apr 2015 18:27:34 -0600

http://www.timesofisrael.com/insurance-payout-threat-a-push-for-better-cyber-safety/

A major – or even minor – hack attack on a business lives on long after the
malware has been neutralized. If credit card data is stolen, for example,
customers might sue, new security systems have to be installed, and the
damage to the company’s reputation practically guarantees a dropoff in
business.

One way to limit the sting of the damage is to get someone else to pay for
it – by buying insurance and spreading the risk among a large pool of
fellow insurees. Those seeking to go the insurance route will find a warm
welcome at AIG Israel, one of the largest insurance sellers in Israel, and
the world’s biggest seller of insurance against hackers.

Just be sure that you’ve shored up your system’s defenses and trained your
workers to avoid opening up rogue emails or surfing to suspicious sites,
said Sharon Shaham, deputy director of the commercial insurance department
of AIG Israel. “We expect customers to install well-known, proven software
to keep hackers out. It’s not our job to assess how customers defend
themselves, but if they expect an insurer to step up and offer assistance
after a data breach, they need to take all necessary steps to protect
themselves.”

The prospect of an insurance adjuster limiting or even holding up
altogether payments for damages due to a major data breach will, said
Shaham, be an incentive for companies to take steps to protect themselves,
as it would with other forms of protection, like fire insurance. “In our
experience, 80% of cyber-attacks in general are due to human negligence,
where a worker opens up a suspicious link that leads to the installation of
malware on a network, thus enabling hackers to get control of a system.”

If the claim is big enough, adjusters will comb through the system to see
where the attack came from and how it got into the system, Shaham said,
with the information analyzed to determine what kind of settlement the
company gets. The better the protection, the better the payout.

Like in other forms of insurance, insurers offer coverage to soften the
blow from major damage due to a hack attack. That coverage could include
payment for direct costs (lawsuits by customers, demands for refunds or
other payments, etc.), as well as coverage for other outgrowths of an
attack, such as losses to company stock prices, reputation, and even market
share. AIG Israel, said Shaham, has “hundreds of customers in Israel and
thousands around the world who have bought special insurance to protect
themselves against damages.”

Despite the headlines that highlight some of that damage – including
high-profile attacks like the one on Sony last December, or a previous one
on Target, which the retailer is still feeling – many businesses have held
off on buying cyber-insurance, whether because of the extra cost or the
belief that they will recoup losses from other forms of business insurance.
While that could be the case, it isn’t always, said Shaham, so companies
would be much better off with an insurance package that covers all aspects
of a hack attack. “We’ve been selling insurance like this in Israel for the
past year or so, as well as worldwide for the past decade, although in less
comprehensive forms than what AIG offers today.”

And while many business owners look askance at new insurance “products”
like this, as consumers do when offered different forms of life or health
insurance that may duplicate coverage they already have, Shaham sees her
company’s insurance as a good way to make sure businesses pay more
attention to shoring up their cyber-defenses.

“With so many hack attacks the result of human error, we strongly encourage
our clients to ensure that their workers are aware of the damage and of
what behaviors to avoid in order to prevent attacks. In fact we offer
programs to help them set up educational programs for clients to train
their personnel. We’ve found that for many companies this kind of awareness
helps bring down their chances of being attacked, saving them – and us –
the significant costs that can result from a data breach.”