[BreachExchange] Is cyber insurance worth the paper it’s written on?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 24 20:31:26 EDT 2017


https://www.helpnetsecurity.com/2017/07/24/cyber-insurance-worth/

Weighing up whether you think insurance is worth it, in any situation,
depends to some extent on personal experience. You can see the value of
protection far more clearly if you’ve been on the losing side a few times.

And that’s easy when, say, your office is broken into and a load of PCs are
taken. Or when a visitor trips on your loose front step and sues you for
their broken wrist.

But those are ‘real’ things. What about cybercrime? Is the threat as
virtual as its environment? Is there any point spending good money on cyber
insurance when you could put that money into robust protection instead?

Pros and cons

Every day we hear more sorry tales of businesses large and small all over
the world getting hacked, breached, or having to deal with the consequences
of a ransomware-riddled system. Some businesses will be more prepared than
others, and some will put greater emphasis on prevention rather than cure.

What’s clear is the probability of a cyber attack on your business is
increasing steadily from ‘pretty likely’ to ‘pretty much inevitable’. If
the likes of Maersk, WPP and Mondelez can throw lots of time, money and
professional expertise at fighting cybercrime – and still lose – what hope
is there for anyone else?

You’d be forgiven for thinking however much of that robust frontline
protection you have, it’s never going to be enough.

Line of most resistance

In a recent study, UK businesses estimated they’d have to spend an
eye-watering £1.1m and 80 days recovering from a cyber security incident.

Granted, these are only estimates but there aren’t many businesses,
anywhere, that could cope with that level of financial and day-to-day
disruption and just carry on regardless.

Combine the implications of these numbers, the increasing likelihood of an
attack in the first place and the fact that only 48% of companies globally
have an incident response plan and you’re looking at a perfect storm of
business-crippling 21st century problems.

But are things really so bleak? Surely there must be something you can do.
There is. This is where that bit of paper with ‘cyber insurance’ written on
it comes in.

Paper works

So how much value is there in that bit of paper, exactly?

Well, that depends to some extent on what’s happened. Oddly enough, the
more extensive the attack, the more help clearing up the mess the insurance
is.

That’s an important point to remember, by the way. Cyber insurance deals
with the consequences of what’s happened, not with preventing an attack in
the first place. It’s designed to get your business back on its feet as
soon as possible, with minimum fuss and expense to you. It’s the cure, not
the prevention.

Specifically, it helps by:

Paying for the investigation – after a breach, knowing what’s happened,
where you stand and what happens next are essential first steps to
recovery. An IT specialist can help you but they cost money. Your cyber
insurance pays the bill.

Paying to deal with the bad guys – having your business hamstrung by
ransomware is no trivial matter, and cyber security experts more or less
agree that paying up isn’t wise. Your cyber insurance arranges for a
consultant to manage the situation and, if there’s really no other option,
covers the ransom too.

Paying for the repairs – once you know what’s gone wrong, you’ll need to
spend time and money putting it right. Cyber insurance pays to repair,
restore or replace systems, data and websites damaged by a hack.

Paying your legal costs – reporting a breach to the relevant government
data protection department, and fending off the inevitable confidentiality
claims against you, needs a lawyer’s help. And we all know how cheap they
are. Thankfully, your policy covers the cost of this essential expertise.

Paying to keep you running – can you function without your website? Your
CRM software? Your company files? Your email? The longer you can’t do
business, the more money it’ll cost you. If you’re out of action, cyber
insurance helps avoid a financial meltdown by covering the gap between what
you should’ve earned and what you actually did.

Paying to protect your reputation – bad news travels fast and dealing with
the fallout of a cyber-attack needs a considered approach. So it’s a good
job your cyber insurance pays for a PR specialist to placate irate
customers and keep your good name out the headlines.