[BreachExchange] Is poor IT security putting cyber Insurance efforts at risk?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 27 15:30:30 EDT 2017


https://www.scmagazineuk.com/is-poor-it-security-putting-cyber-insurance-efforts-at-risk/article/698998/

As threats grow, cyber-insurance is becoming an increasingly popular way
for firms to mitigate the potential financial fallout of a serious service
outage or data breach. Insurance in the sector grew 50 percent in the UK
between 2015 and 2016, according to a leading underwriter. Yet as the
industry rapidly matures, organisations must be careful not to view
policies as a “get out of jail free card”. In fact, if companies can't
first demonstrate a baseline of cyber-security best practice, they may find
it extremely difficult to negotiate an acceptable contract, and even
trickier to claim in the event of an incident.

The bottom line is that cyber-insurance should always be viewed as
complementary to but not a replacement for an effective risk-based security
strategy.

Firms under fire

Just one look at the threat landscape will confirm why insurance is
becoming so popular. One cyber-security vendor alone blocked a staggering
38.5 billion threats globally in the first half of 2017. These included
over 82 million ransomware threats and 3,000 Business Email Compromise
(BEC) attempts. The latter has become a multi-billion-dollar business for
cyber-criminals over the past few years, according to the FBI.

Companies are absolutely right to worry about the impact of a data breach –
both in terms of short-term financial losses and long-term brand and
reputational damage. Our 2017 Risk:Value report reveals that a business
would have to spend £1million (US$1.3 million) on average to recover from a
breach.

No company, regardless of its size, sector or focus, can afford to ignore
the consequences of what are increasingly sophisticated and targeted
security attacks, like the widespread and damaging ransomware attack we
recently witnessed.

Lighting up key areas of risk

In this context, it's not surprising that cyber-insurance is growing in
popularity. The same report reveals that 40 percent of global firms have
taken policies out this year while 35 percent are considering it.

Yet insurers' business models are predicated on effectively quantifying
risk, which means that most will be unwilling to offer coverage to an
organisation which can't first demonstrate that it has a well-thought-out
cyber-security strategy in place. Fail to address this and your
organisation may struggle to get cyber-insurance, or find that premiums are
prohibitively high. As with any insurance policy, you have a duty to take
basic steps to mitigate the risk, or you will face rising costs for
policy cover.

Our report revealed some key areas of risk that might limit the chances of
securing a cyber-insurance contract, or a pay-out.

Nearly half (45 percent) of respondents said they thought poor system
patching could invalidate their insurance. This isn't surprising, given the
fall-out from the WannaCry ransomware campaign, which hit organisations that
had failed to apply a patch for a critical Windows flaw released months
earlier. Automated patch management systems are a must given current threat
levels and the multiplicity of systems modern organisations need to manage.
Ageing IT systems were also pegged as a major risk to insurance contracts,
once again highlighted by WannaCry, which primarily hit unpatched Windows 7
systems, an operating system already out of mainstream support.
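The patching and end-of-life concerns above are exactly the controls an underwriter will ask you to evidence. The following Python script is an added example written for this page, not code from the article or its authors: it runs a baseline assessment over a constructed host inventory, flagging hosts whose operating system is past vendor support and hosts that were slow to apply (or never applied) a critical fix, and reports the exposure window in days. The OS labels, support dates, patch release date and host list are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed vendor support table: OS label -> end-of-support date.
# Labels and dates are hypothetical, chosen for this example, not vendor data.
END_OF_SUPPORT: Dict[str, date] = {
    "legacy-os": date(2015, 1, 14),
    "current-os": date(2025, 1, 14),
}

# Hypothetical release date of the critical fix the inventory is checked against.
CRITICAL_PATCH_RELEASED = date(2017, 3, 14)


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    critical_patch_applied: Optional[date]  # None means the fix was never applied


def exposure_days(host: Host, as_of: date) -> int:
    """Days the host ran without the critical fix, counted from its release.

    An unpatched host is exposed up to the assessment date; a patched host
    up to the day the fix went on.
    """
    end = host.critical_patch_applied or as_of
    return max(0, (end - CRITICAL_PATCH_RELEASED).days)


def assess(host: Host, as_of: date, max_exposure_days: int = 30) -> List[str]:
    """Return the findings an underwriter would flag for one host (empty = clean)."""
    findings: List[str] = []

    eol = END_OF_SUPPORT.get(host.os)
    if eol is None:
        findings.append("OS not in support table; cannot prove it is supported")
    elif eol <= as_of:
        findings.append(f"OS past vendor support (ended {eol.isoformat()})")

    exposed = exposure_days(host, as_of)
    if host.critical_patch_applied is None:
        findings.append(f"critical patch missing ({exposed} days exposed)")
    elif exposed > max_exposure_days:
        findings.append(
            f"critical patch applied {exposed} days after release (limit {max_exposure_days})"
        )

    return findings


def report(hosts: List[Host], as_of: date) -> Dict[str, List[str]]:
    """Map every host name to its findings; hosts with no findings map to []."""
    return {h.name: assess(h, as_of) for h in hosts}


def non_compliant(hosts: List[Host], as_of: date) -> List[str]:
    """Names of hosts with at least one finding, in inventory order."""
    return [name for name, findings in report(hosts, as_of).items() if findings]


# Constructed inventory, assessed as of a date two months after the fix shipped.
INVENTORY = [
    Host("web-01", "current-os", date(2017, 3, 20)),    # patched within a week
    Host("erp-02", "current-os", date(2017, 5, 1)),     # patched, but 48 days late
    Host("file-03", "legacy-os", None),                 # out of support and never patched
    Host("kiosk-04", "unknown-os", date(2017, 3, 15)),  # patched, but OS not tracked
]
AS_OF = date(2017, 5, 12)

if __name__ == "__main__":
    for name, findings in report(INVENTORY, AS_OF).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The exposure window is the number an insurer cares about: a host that was patched is still a finding if the patch went on weeks after release, and an untracked operating system is a finding because you cannot show it is supported at all.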

Incident response is also a basic requirement of best practice security and
will become even more important as the General Data Protection Regulation
(GDPR) requires organisations to notify the supervisory authority within 72
hours of becoming aware of a breach. In fact, general non-compliance
problems were also flagged by respondents as possible barriers to
insurance. These challenges are only going to increase with forthcoming
European legislation set to come into force in May 2018. The GDPR and NIS
Directive both require organisations in one way or another to follow best
practices in cyber-security, threatening massive new fines of up to £17
million or four percent of global annual turnover for non-compliance.

Employee negligence was the final major risk to cyber-insurance raised by
the report's respondents. Nearly half of all breaches reported to the ICO
during the period 2013-2016 came as a result of human error by staff, so
it's not hard to see why well communicated policies and comprehensive
training and education programmes are vital to attaining that baseline of
good cybersecurity.

Security as insurance

You wouldn't expect a house insurance provider to pay out if you were
burgled because the doors and windows were left unlocked. So don't expect a
payout – or even an insurance policy – if you haven't taken suitable
precautions to stop preventable cyber-incidents. BEC scams are particularly
contentious, with cases in the US this year and last of companies suing
their insurer for failing to pay out following major losses. With the bar
rising all the time as to what constitutes security best practice, such
firms may be left disappointed and out of pocket.

Insurance is a smart way to mitigate cyber-related risk. But even if you
secure a payout, it will only cover financial loss. The impact of a breach
on brand and reputation, including things like customer attrition, can be
much larger and longer-lasting. That's why industry best practice
cyber-security is, in a way, its own insurance. It's certainly not foolproof
but, if followed correctly, will make serious outages and breaches a rarity.