
Cyber insurance is only part of the overall security equation

24 Jan 2017

Latest statistics show that more than 28 billion people will be connected to the Internet of Things in 2017, rising to 34 billion-plus next year. Such astronomical numbers give cyber-criminals an almost infinite number of devices – often poorly protected – to target during attacks.

Globally, authorities are beginning to urge companies to boost their cyber security initiatives, and to adopt cyber insurance. The market for cyber insurance is expected to reach US$7.5 billion in premiums by 2020, fuelled by demand from the finance industry, along with a forecast of new investments from the healthcare industry.

Cyber risks will move up the list of directors and officers (D&O) insurance priorities with the expected introduction of mandatory data breach legislation in Australia in 2017, according to partners of international law firm Clyde & Co, quoted in Insurance Journal. They explained that the law would enhance the potential for financial exposure and reputational damage for the company and directors, who may also incur personal liability.

“Directors will need to ensure that robust cyber resilience frameworks are embedded in their companies, consistent with the expectations of Australia’s corporate regulator,” the partners said.

It is good news that companies are taking increased measures by moving toward cyber insurance to underwrite potential losses generated from cyber attacks, such as lawsuits, investigations, and business ramifications from exposed trade secrets. Yet organisations should be aware that although cyber insurance can help to manage losses, it needs to go hand-in-hand with a robust cyber-security infrastructure in order to add real value to business.

Insuring the intangible

Cyber insurance can be likened to fire insurance, where most businesses both take out insurance and deploy significant detection, prevention and response measures such as fire suppression systems, fire-resistant materials and fire drills, resulting in maximum risk coverage.

Likewise, companies should prioritise the deployment of a strong cybersecurity infrastructure that includes robust detection, prevention and incident response measures. Such a deployment will deliver an overall effective and efficient risk management plan that also lowers insurance premiums.

Financial services organisations are already making progress to support the distribution of cyber insurance. For example, credit rating services such as FICO Enterprise Security Score allow cyber insurance providers to access cyber infrastructure and measure risk exposure, as well as forecast the likelihood of cyber security incidents in order to tailor policies and premiums for companies with different needs.

The next step is for governments to support the cyber insurance ecosystem through the enforcement of mandatory and regulatory laws on cyber security. Such legislation can benefit the industry as a whole as it ensures a minimum standard for any given company’s cyber infrastructure, which enables cyber insurance companies to lower their premiums.

Best practices

As cyber insurance can be a reasonably large investment for organisations, it is essential for companies to enforce strong cyber security fundamentals and best practices to maximise their dollars. For example, the financial industry is governed by mandatory laws that require banks to retain sensitive customer and transaction information, resulting in higher premiums.

However, for businesses that do not depend on transactions, holding customers’ payment information is counterproductive. These companies should consider outsourcing payment methods to third-party providers, which will minimise large amounts of risk.

A strong cyber security infrastructure mandates the deployment of more than just antivirus software and firewalls. Cyber criminals have long since advanced their methods of attack beyond these traditional lines of defence, and companies need to beef up their cybersecurity technology. Today both public and private sectors should look to Next-Generation Antivirus (NGAV) and Next Generation Endpoint Security (NGES), which deliver full visibility to drive their detection and response strategies.

Just as companies conduct regular fire drills to ensure that employees know how to respond appropriately to a fire incident to minimise damage, they can similarly apply routines to a cybersecurity incident response plan. Employees at the IT frontline should be trained to minimise and contain the initial signs of a cyber intrusion, preventing it from escalating to a major breach.

Only with these preventive and risk minimisation measures in place can cyber insurance truly bring value to an organisation’s overall cyber security management plan.

Article by Kane Lightowler, Managing Director of Carbon Black for Asia Pacific and Japan.
