By Christopher Camejo, Director of Threat and Vulnerability Analysis, NTT Com Security
Robert Mueller, the former head of the FBI, is quoted as saying, “There are only two types of companies — those that have been hacked and those that will be.”
These words will continue to ring true as the role of technology continues to expand, encompassing cloud-based technologies and services, smartphones and other mobile devices, the Internet of Things, and more. As a result, organizations that typically insure their business against conventional losses are also increasingly looking to offset potential losses from cybercrime and the millions of dollars in damages and liabilities it can cause.
To meet this challenge, many companies are considering purchasing cyber insurance policies to offset financial and related business losses in the event of a breach. Because the cyber insurance industry is still in its infancy, purchasers and underwriters face a variety of demands and challenges when defining coverage inclusions and terms.
For businesses, one of the most challenging aspects of procuring cyber insurance is to assess their true risk, define the specific measures they already have and plan to enact to address that risk, and determine exactly what a cyber insurance policy needs to cover. In performing due diligence to establish these criteria, businesses need to carefully identify and evaluate these factors in order to best determine the coverage they need to adequately protect themselves.
Conversely, before an insurer will underwrite a cyber policy, the organization will need to demonstrate a complete understanding of their risk exposure, as well as the true need for protection. This information will be used to validate an organization’s policy application much like an insurer would require a physical for a health or life insurance policy, and enables the insurer to create a policy that is most relevant to that particular business.
A comprehensive risk assessment of the business’ network infrastructure, whether done in-house or by a third-party contractor, will highlight gaps in security as well as critical areas of risk that may need immediate attention. The network risk assessment will help an organization prioritize actions and develop a strategic plan for ongoing risk management, including a timeline for any required actions. The organization can then share this information with a potential insurer to demonstrate that security and risk management are core business competencies.
Assessing And/Or Implementing Preventive Measures
No insurance policy should be perceived as a security solution in and of itself — and is certainly not a license to be reckless. Policies are written to help offset high-impact scenarios that can damage the overall health of a business or organization, such as an organized attack that exploits a previously unknown vulnerability.
Like any insurance policy, cyber insurance is not a replacement for preventive data security policies and programs. Insurers will demand that certain steps be taken and measures implemented before they will even consider writing a policy. Organizations serious about addressing risks are those that implement a security framework that includes both technology and process controls to prevent breaches — and consider an insurance policy a supplement to, rather than a replacement for, the risk-based security program they’ve implemented. The importance of having preventive measures in place before looking to insure data assets cannot be overstated.
Determining Necessary Coverage
As with many types of insurance, cyber security insurance policies will vary based on the organization, terms of coverage, and liabilities. Therefore, it is vital that an organization clearly defines the terms of its coverage: what each policy covers and, more importantly, what it does not cover.
One important coverage consideration is whether data held by a third party or stored in the cloud is covered. It’s also crucial to understand what actions — or lack of action — could potentially invalidate the policy. These may include failure to keep current with security updates, breaches initiated from an employee’s personal device, former employees still having access to systems, and other factors — many of which an organization may not even think of. Given the complexity of these agreements, it’s a good idea for organizations to engage cyber security specialists to review policies.
Although cyber insurance can help mitigate the financial losses of a cyber-attack, it is not a fail-safe. Only when it is combined with strong network security technologies and practices, and with the due diligence described above, can business management rest easier.