BreachExchange mailing list archives

Should you buy cyber insurance?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 21 Dec 2015 18:02:17 -0700

http://www.networkworld.com/article/3017025/security/should-you-buy-cyber-insurance.html


Cyber insurance is rapidly becoming an important part of many
organizations' risk mitigation strategy. While most businesses have some
sort of property or general liability insurance, those policies exclude
coverage for cyber liability, so cyber insurance has become its own
category, and it is the fastest growing area of insurance for businesses. At
least 50 major providers now offer this type of insurance, attracted by the
fact that demand for cyber insurance has been rising by double-digit
percentages for the last few years.

According to the Insurance Information Institute, the number of reported
data breaches reached an all-time high in 2014, exposing more than 85
million records. As those numbers grow, so does the interest in cyber
insurance. Nearly half of all business owners carry some form of cyber
insurance, but small businesses lag behind, largely because they don't see
themselves as vulnerable to attack. However, breaches aren't always the
result of a cyber attack; many data breaches stem from something as simple
as the loss or theft of an unencrypted laptop or USB stick.

Industry pundits credit Target Corporation and Home Depot with raising the
profile of cyber insurance. Since Target's disastrous data breach two
years ago, the company has racked up breach-related expenses of $252
million so far. Of that, $90 million was recovered through insurance
policies. Home Depot's expenses have tallied at least $232 million to date,
and insurance has covered $100 million. CEOs and CFOs have taken notice of
the benefits of having cyber insurance and are exploring the options.

BITS, the cyber security and policy arm of the Financial Services
Roundtable, describes the value and importance of cyber insurance.
Obviously it can offset many of the costs associated with an attack or
breach, but insurance also is a risk-transfer mechanism. Cyber insurance
allows a company to share the cost of an incident among a larger pool of
insured companies. For the cost of a policy premium, company executives can
have peace of mind that there is a safety net to sustain their business if
something should happen.

The desire to have cyber insurance can be a motivating factor for a company
to follow good cyber security practices and to have a strong defensive
posture. Insurance providers don't want customers that are a big risk, so
those seeking a policy (or at least one with good coverage and rates) must
have their cyber security act together.

What cyber insurance typically covers, and what it doesn't

Insurance plans and coverage vary widely. According to the Financial
Services Roundtable, there are four main types of cyber insurance coverage:

Data breach and privacy management coverage, which covers the costs
associated with managing and recovering from data breaches. This includes
the forensic investigation, notification of the individuals whose data was
stolen, credit monitoring for those individuals, and associated legal fees.
Multimedia liability coverage, which covers claims arising from website
defacement and from media and intellectual property rights disputes.
Extortion liability coverage, which covers the damages incurred from
extortion. For example, coverage might include the damages of having a hard
disk encrypted by CryptoLocker, or of having a DDoS attack knock out a website
or other services if a ransom isn't paid.
Network security liability coverage, which covers incidents like third-party
theft and DDoS attacks.

Depending on how a policy is written, it might be expected to cover:
revenue lost during a cyber attack; legal fees associated with a breach;
the costs associated with fixing an exploited vulnerability; and credit
monitoring for victims of a data breach.

What the insurance rarely covers is the loss of intellectual property such
as product designs and business plans, since the insurance carrier can't
accurately assess the cost of this type of loss. Also, losses that
originate or occur within a company's supply chain might not be covered. A
big area of exclusions stems from intrusions and data breaches that are the
result of cyber warfare directed by state actors and terrorists. Most cyber
as well as general liability policies exclude coverage for losses arising
from war and terrorism.

A company that is buying insurance should have an attorney review what is
covered and what isn't. For example, a policy could be written such that
the organization is not covered when an employee-owned device is the cause
of the breach. This would have huge implications for a company's BYOD
policies and protections.

How to get the most from your policy

Al Berman, president of Disaster Recovery Institute (DRI) Inc., says
companies must really do their homework to understand what they need.

The first step is to do a risk assessment and impact analysis. Companies
must understand where their risks are and what the impact of a breach would
be on their business. For example, if a regulated company has a data
breach, it might be required by law to notify individuals that their data
was stolen, and the notification process can be quite expensive. However,
if the company is not regulated and not mandated by law to report the data
loss, the impact of the breach could be minimal. A thorough impact analysis
will help to understand what kind of coverage, and how much, is necessary.

When an incident occurs and a claim is made, the policy holder must
understand the requirements for proof of the event. For example, a forensic
investigation may be required to determine whether the breach was tied to a
state-sponsored cyber attack, which could be excluded from coverage under the
war and terrorism exclusion. Attribution to a state actor is rarely
conclusive, so who bears the burden of proving (or disproving) it under the
policy's wording matters.

Berman stresses the need for legal counsel when selecting a policy. A lot
can be at stake, and the wording of a policy can be the difference between a
large payout and the denial of a claim.

Cyber insurance is not a substitute for making smart investments in cyber
security and following industry best practices. However, it is an important
part of almost any business' risk mitigation strategy.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 