[BreachExchange] Do You Have Enough Cyber-Security Insurance?

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 17 20:39:06 EDT 2016


http://www.baselinemag.com/security/do-you-have-enough-cyber-security-insurance.html

Cyber-liability insurance has been around for two decades, yet it’s been
widely marketed only during the past few years. This traditional product
provides policyholders with coverage for a variety of losses they incur
when remediating data breaches.

These include the cost of notifying their customers that a breach has
occurred, hiring consultants to perform forensic investigations and data
restoration, and mounting legal defenses against lawsuits arising from the
breaches.

That may seem like a lot of protection, but there’s a huge gap in today’s
cyber-security insurance policies: They provide little or no protection
against the physical damage to systems and hardware that results from
malware attacks.

Many of today’s traditional property insurance policies contain
“sub-limits” of $20,000 or $25,000 per incident to give policyholders a
modicum of financial relief for physical damage resulting from the
introduction of malware—just as personal auto insurance policies’ “med pay”
sub-limits offer modest coverage for no-fault medical claims.
Unfortunately, those malware sub-limits come nowhere close to what the loss
could be to organizations that have hundreds of computers and other devices
that could be physically damaged as the result of a cyber-attack.

Cyber-Attacks Can Result in Significant Losses

Cyber-security insurance policies typically have not covered physical
damage to IT systems. It was often thought that malware or a virus could
not actually damage hardware, in part because the BIOS is designed to
protect the system from physical damage, just as an electronic governor
protects an engine from damage caused by excessive speed. However, hackers
have shown that they can create viruses able to penetrate the BIOS.

Obviously, losses from physical damage to IT systems can be significant to
organizations of all sizes, not just large enterprises. A small law firm
that loses six months of work product as the result of physical damage
arising from malware can proportionately suffer as much loss as an
international telecommunications firm whose relays fail after a virus
replicates throughout its system.

Therefore, it’s important that policyholders have an open dialogue with
their insurance providers about options that might protect them against
physical damage from malware, in addition to any liability claims
associated with data breaches.

As hackers continue to infiltrate computers via new and increasingly
creative techniques, policyholders need to speak up to ensure they have the
necessary coverage.

The earliest data breaches focused on gathering personally identifiable
information (PII) for identity theft. As hackers became more sophisticated,
they started targeting intellectual property. Today, the highest threat
levels involve cyber-terrorism that attacks infrastructure, both public
(such as electrical grids and defense systems) and corporate or private
networks.

How You Can Protect Your Organization

Most insurers don’t underwrite for losses associated with cyber-attacks on
infrastructure. Insurers have decades of data they can use to quantify
losses from natural disasters, but it is more challenging to put a number
on physical losses from malware intrusion, since this is an emerging threat.

Moreover, policyholders face two types of physical damage risk from
cyber-security breaches—the risk of hardware failure and its associated
costs, and the risk of data loss. This is especially true if the hardware
is destroyed to a point where policyholders cannot recover the electronic
information or evidence needed to show that the valuable proprietary
information is no longer on the network.

In addition to these losses, policyholders may also face fines from the
Office for Civil Rights and, if they are publicly traded corporations, the
U.S. Securities and Exchange Commission. Right now, most cyber-security
policies do not offer protection against these financial losses.

Experts have said that it’s not a matter of whether you will be breached,
but when. So policyholders must have open lines of communication with
agents and brokers to ensure that their businesses are fully covered if
they sustain physical damage from malware attacks on IT systems.