Has the Time Come to Consider Cyber Risk Insurance?

Cybercrime is dramatically increasing. The losses now exceed the dollar amount of the illegal global drug trade. Computer crime is a low-risk, high-reward proposition. Major losses can easily occur without the immediate knowledge of the victim. Law enforcement is powerless to stop it.

Everyone who depends upon technology to conduct business and commerce is at risk. The threats are expanding, and very few business owners are prepared to stop data breaches. Yet these businesses have a legal obligation to do so.

How vulnerable are you? Test your understanding by considering the three questions below:

1. Have you inventoried and classified all of your digital records?
2. Do you have a formal information security plan?
3. Does each of your employees maintain an appropriate level of information security awareness?

Your cyber risk is elevated if you answered anything but “yes”.

What type of losses can occur as a result of a data breach?

An organization can suffer a loss of revenue or be driven out of business as a result of a cyber attack. One company, for example, had two laptops stolen and was required by law to notify more than 800,000 clients of a possible security breach. The total cost was more than five (5) million dollars. Very few organizations would be able to survive such a loss.

Included in the cost of an information security breach are:

a. Legal fees to defend against civil suits and regulatory fines
b. Determining the cause and extent of the intrusion (forensics)
c. Messaging to protect the organization’s brand
d. Credit monitoring for customers whose data was lost
e. Loss of sales
f. Public relations expenses
g. Legal settlements for damages, including downstream liability
h. Repair or replacement of damaged hardware and software

Who is behind the threats against your digital infrastructure?

The perils faced by an organization’s digital resources can arise from anywhere at any time. Employees can make an innocent mistake and spawn a major security incident. Certain threats can be deliberate, calculated and a matter of life or death. Owners of computer networks need to consider the full range of threats that they face.

Among the groups that threaten an organization’s computer systems are:

a. Organized crime (cyber criminals)
b. Competitors wishing to harm your organization or to steal proprietary information
c. Insider threats, whether innocent or intentional
d. Hacktivists
e. Nation states
f. Terrorists

Each of the above threats can result in the loss, destruction, alteration or damage of your data and information infrastructure. These threats can originate in your office, while working at home, while traveling or while using mobile devices.

What can be done to reduce the risk?

Any liability arising from a successful cyber attack can’t be reassigned by hiring a third party to provide security. Your organization is exclusively responsible for the safe operation of its information resources.

There are several things that can be done to reduce the risk. The company can work to establish a culture of security within the organization. A comprehensive computer security plan can be implemented. Cyber security awareness training is a must; everyone in the organization must be aware of his or her responsibilities to help stop threats. Technical controls can be deployed as well: an intrusion detection system, for example, can be installed, and sophisticated encryption software can be deployed.

An organization can also hedge against significant loss by transferring risk through cyber insurance. It allows an organization to choose selectively which risks to mitigate through coverage.

Should you consider cyber risk insurance?

Computers, by their very nature, bring new risks to the doorstep of modern commerce. A cyber attack against a company’s information system can expose confidential information, directly damage a client and result in a lawsuit. Risk-based insurance that covers losses caused by a cyber attack is a relatively new concept.

Many organizations, in the past, have purchased what are known as E & O (errors and omissions) insurance policies. They typically protect a company from losses due to a failure, real or perceived, to perform services to the satisfaction of customers and clients.

Cyber risk insurance, however, is a different concept, and the need for it is growing. Insurance to cover digital losses mainly consists of first-party and third-party protection.
The first-party dimension insures against successful attacks that result in damage to a company’s information infrastructure, loss of revenue and the direct costs associated with recovering from a successful network compromise. Third-party cyber risk insurance, on the other hand, covers losses incurred by others, such as clients and outside organizations.

The cyber insurance market is highly segmented and lends itself to customized policies. Many cyber risk policies can be built à la carte. Items that can be included in coverage range from loss of revenue to the expenditures associated with notifying people who are victims of the security breach.

So how can an organization mitigate risk and defend its resources?

Our digital infrastructure exists and operates in a massive threat environment. Any business owner or organization using computers is at risk of an attack. When a breach occurs, significant losses can follow. Businesses can suffer serious financial losses and can be legally liable for the losses caused by third parties.

You can’t reassign your liability to a third party. You are still responsible for the loss of confidential information and for the losses suffered by others because of a lack of due diligence on the part of your organization.

An organization should complete a risk analysis of its information processing system, implement appropriate technology-based solutions (e.g. installing specialized software) and create a comprehensive information security plan. These steps alone could prove that you took reasonable measures to counter cyber threats.

Every organization should have an information security policy. It should be based on accepted international standards and controls (such as ISO 27000) and cover information assurance from the creation of records through their use and ultimate destruction. Your cyber security plan should also include a vigorous cyber security awareness-training component.

Has the time come to seriously consider transferring the risk faced by your computer resources and purchasing a customized cyber risk insurance policy? The sheer magnitude of the threats suggests that it would be prudent to do so before it is too late.
