BreachExchange mailing list archives

Prepare before you head into the breach on cyber cover
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 10 Nov 2015 08:52:48 -0700

http://www.businessinsurance.com/article/20151108/ISSUE0401/311089994/business-insurance-perspectives-preparation-good-cyber-insurance

Information is the fuel that drives our 21st century economy. The rapid
growth of big data, virtualization, cloud storage and other service
applications doubles network bandwidth requirements every 18 months,
seriously challenging security solutions. Factor in the growing
sophistication of cyber criminals and their diverse motivations for
attacks, and you have a recipe for disaster.

Cyber security breaches are one of the biggest risks businesses face — not
just in terms of immediate dollar loss, but also as a threat to long-term
growth and carefully built brands. Recent high-profile attacks, such as
those against Premera Blue Cross and Anthem Insurance Cos. Inc. this year,
highlight the substantial effect and significant costs associated with
these attacks. And the breaches we hear about are just the tip of the
iceberg, as a growing number of companies know they have been attacked but
don't report the breach because no data were stolen.

The risk of attack continues to mount while readiness remains a challenge.
A recent Ponemon Institute study estimated the average annualized cost of
cyber attacks at more than $12 million per U.S. company, and
PricewaterhouseCoopers L.L.P. estimates that cyber incidents have increased
at a compound annual growth rate of 66% since 2009. The broad range of
recent attacks means that no business is immune to a problem so pervasive
that some companies are collaborating — even with competitors — to combat
cyber crime.

Are you prepared?

Don't be lulled into complacency because you haven't (or think you haven't)
been breached. While most cyber attacks might have been easily detected and
remediated just a few years ago, that's not the case today.

Threats have evolved from pranksters looking for bragging rights into more
sophisticated attacks by individuals, organized crime, disgruntled
employees, competitors, nation states and cyber terrorists — their motives
running the gamut from profit to revenge to mayhem. This is a constantly
shifting battlefield. Threats can morph, move laterally or lie dormant as
ticking time bombs. And the attacker may already be behind that “wall”
you've built, waiting. The inevitability of cyber attacks isn't really in
question, only their timing and severity.

Planning your approach

Cyber security is no longer just an issue for the information technology
department. It should be understood at the highest levels of management as
a key strategic issue and approached with a glaringly realistic attitude.
It should be an integral part of corporate strategy, addressed at the
C-suite and board levels and permeating your organization.

Risk and governance should have policies and procedures in place. Human
resources should ensure that employees are adequately trained, and security
should ensure that physical access to sensitive information is limited.
Department and practice leaders should understand the technology that
supports their business and its vulnerabilities.

It's also crucial to recognize that cyber security is not a “set it and
forget it” thing. It requires a customized, proactive approach to stay
ahead of the creative people who are trying to hack your systems. You need
a dynamic, layered approach because there are so many possible attackers
and means of attack, internal and external.

There's also no one-size-fits-all solution. Constant updates of antivirus
and antispam programs aren't enough. You need to take on an “only the
paranoid survive” attitude, matching your protection to the speed and
complexity of your networks and systems. Still, operations must appear
seamless to users.

Getting good legal advice is key. According to Walter Andrews, a Richmond,
Virginia-based partner at Hunton & Williams L.L.P., many companies are
seeking advice from law firms with dual expertise in post-breach legal
preparation and the evolving case law on cyber insurance products.

Having a plan can make a huge difference in insurance protection and
claims. As evidence, Paragon International Insurance Brokers Ltd. in London
handled 35 cyber breach claims in the first six months of 2015. There was a
noticeable difference in the cost of those claims between companies that
were “prepared” for the event, by having a tested incident response plan,
and those that were not.

On top of this, even the best counterstrategy is likely to fail at some
point. I have conversations with corporate executives who are unsure about
the effectiveness of their organizations' cyber security strategy. What
they are sure of is that they have a growing need for cyber insurance. No
wonder U.S. spending on cyber risk insurance continues to rise, nearly
doubling to about $2 billion from 2013 to 2014, including companies new to
the market and those that purchased additional coverage. And the number of
companies buying cyber cover has tripled through September, according to a
BDO USA L.L.P. survey.

Cyber insurance: key considerations

The expanding number of carriers entering the cyber insurance market is
certainly positive from the standpoint of cost and capacity for the buyer.
But the lack of a standard product makes comparing carriers a challenge,
heightened by the disparity in understanding the risk and the
sophistication of the underwriting teams. If you don't have cyber insurance
or are re-evaluating your coverage, there are several things to consider.

• It is important to understand that cyber coverage is part of a risk
management process and not a solution. Because insurance is the financial
backstop when all else fails, a mitigation plan is critical.

• Look for providers with a solid grasp of emerging case law, evolved
actuarial models and a firm commitment to the space.

• Consider a company that helps minimize your risk by bundling security
solutions with insurance. Brian Branner, managing director of insurance at
Overland Park, Kansas-based RiskAnalytics L.L.C., predicts that this
approach, similar to loss control as part of a property/casualty placement,
will become the standard in the cyber insurance space.

Finding a provider with the perspectives and information to help you make
an informed decision is key. Look beyond marketing hype, test products and
go with experts with third-party certifications. Check references from
several customers, including back-channel references. Integrate cyber into
directors and officers renewal discussions, too, because several high
profile cyber events, including the 2013 breach of customer data at Target
Corp., have triggered D&O claims.

Above all, engage with a broker who can help you scale to your current and
future needs, who can guide you through the operational risk elements and
not merely hand you an application. Applications, though useful, merely
grab the information a carrier requires to price your risk to its policy
form and should not be the sole basis of a risk discussion. A broker that
understands the disconnect between insurance jargon and the specific
technology and risks of your business can be the difference between a
covered and uncovered claim.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 