
Cyber insurance is only part of the overall security equation

24 Jan 17

Latest statistics show that more than 28 billion devices will be connected to the Internet of Things in 2017, rising to 34 billion-plus next year. Such astronomical numbers give cyber-criminals a vast pool of devices, often poorly protected, to target during attacks.

Globally, authorities are beginning to urge companies to boost their cyber security initiatives, and to adopt cyber insurance. The market for cyber insurance is expected to reach US$7.5 billion in premiums by 2020, fuelled by demand from the finance industry, along with a forecast of new investments from the healthcare industry.

Cyber risks will move up the list of directors and officers (D&O) insurance priorities with the expected introduction of mandatory data breach legislation in Australia in 2017, according to partners of international law firm Clyde & Co, quoted in Insurance Journal. They explained that the law would enhance the potential for financial exposure and reputational damage for the company and directors, who may also incur personal liability.

“Directors will need to ensure that robust cyber resilience frameworks are embedded in their companies, consistent with the expectations of Australia’s corporate regulator,” the partners said.

It is good news that companies are taking increased measures by moving toward cyber insurance to underwrite potential losses generated from cyber attacks, such as lawsuits, investigations, and business ramifications from exposed trade secrets. Yet organisations should be aware that although cyber insurance can help to manage losses, it needs to go hand-in-hand with a robust cyber-security infrastructure in order to add real value to business.

Insuring the intangible

Cyber insurance can be likened to fire insurance: most businesses that insure against fire also deploy significant detection, prevention and response measures, such as fire suppression systems, fire-resistant materials and fire drills, so that the policy covers the residual risk rather than substituting for those controls.

Likewise, companies should prioritise the deployment of a strong cybersecurity infrastructure that includes robust detection, prevention and incident response measures. Such a deployment will deliver an overall effective and efficient risk management plan that also lowers insurance premiums.

Financial services organisations are already making progress to support the distribution of cyber insurance. For example, rating services such as the FICO Enterprise Security Score allow cyber insurance providers to assess a company's cyber infrastructure and measure its risk exposure, as well as forecast the likelihood of cyber security incidents, in order to tailor policies and premiums to companies with different needs.

The next step is for the governments to support the cyber insurance ecosystem through the enforcement of mandatory and regulatory laws on cyber security. Such legislation can benefit the industry as a whole as it ensures a minimum standard for any given company’s cyber infrastructure, which enables cyber insurance companies to lower their premiums.

Best practices

As cyber insurance can be a reasonably large investment for organisations, it is essential for companies to enforce strong cyber security fundamentals and best practices to maximise their dollars. For example, the financial industry is governed by mandatory laws that require banks to retain sensitive customer and transaction information, resulting in higher premiums.

However, for businesses that do not depend on processing transactions themselves, holding customers' payment information is counterproductive: it expands the data the company must protect and, with it, the scope of any breach. These companies should consider outsourcing payment handling to a third-party payment provider so that card data never touches their own systems, which removes a large amount of risk.

A strong cyber security infrastructure requires more than just antivirus software and firewalls. Cyber criminals have long advanced their methods of attack beyond these traditional lines of defence, and companies need to strengthen their cybersecurity technology accordingly. Today both public and private sectors should look to Next-Generation Antivirus (NGAV) and Next-Generation Endpoint Security (NGES), which deliver full endpoint visibility to drive their detection and response strategies.

Just as companies conduct regular fire drills to ensure that employees know how to respond appropriately to a fire incident to minimise damage, they can similarly apply routines to a cybersecurity incident response plan. Employees at the IT frontline should be trained to minimise and contain the initial signs of a cyber intrusion, preventing it from escalating to a major breach.

Only with these preventive and risk minimisation measures in place can cyber insurance truly bring value to an organisation’s overall cyber security management plan.

Article by Kane Lightowler, Managing Director of Carbon Black for Asia Pacific and Japan.
