[BreachExchange] Cyber Insurance – a way for risk mitigation

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 24 20:03:39 EDT 2018


The recent spike in cyber crime across the globe has made it obvious that
it is no longer a question of “whether” but a question of “when”. The
average cost to an organisation of these breaches is estimated to be close
to US$ 5 million. Multiple analyst reports place the average cost per
breached record between US$ 78 and US$ 277. This cost is attributed to
investigation and remediation activities, notifications to customers and
other stakeholders, changes in creditworthiness, reputation management,
legal fees and settlements, and any regulatory fines arising from the
breach. Add to this the intangible loss to brand value and the change in
customer behaviour in response to the breaches.

Organisations no longer have the luxury of imagining that they will not be
targeted by malicious hackers. Remember that attacks need not target only
the data an organisation holds: the compromised systems can also be used
to launch an attack on the third parties it interacts with. In such a
scenario, the organisation may be held liable for the damage caused to
those third parties. While a commitment to security is a must, it is
impossible to make any system 100 per cent foolproof. As such, it has
become inevitable for organisations across industries and sizes to develop
a sound cyber risk management approach.

A sound cyber risk management plan will include increased cyber resilience
through response and recovery, contingency planning, and, as a last resort,
mitigation and transfer of financial risk through cyber insurance. The
cyber insurance market is still nascent: even in markets where take-up of
commercial property and liability insurance approaches 100 per cent, cyber
insurance is purchased by anywhere between 20 per cent and 35 per cent of
businesses, depending on the industry and size of the organisation. The
variation by size and line of business indicates that the low adoption
rate is due to a lack of awareness in the market.

An analysis of cyber-attacks over the last three years makes it clear that
an organisation’s defence is only as strong as the weakest vendor it
interacts with. Hackers have launched attacks on Fortune 500 companies
using credentials obtained from vendors such as air conditioning and food
delivery companies. The substantial difference in procedures and protocols
followed at large and small organisations forces the larger player to fall
back on cyber insurance as a way to transfer the risk arising from weak
links over which it has little control. It is no surprise that while
take-up rates have increased in both small and large organisations, the
gap between the two segments has actually widened over the last three
years.

The very act of applying for cyber insurance incentivises behavioural
change in an organisation. The simple desire to obtain coverage at as low a
premium as possible drives the organisation to conduct a gap analysis. The
very first ask from underwriters is that all significant activities are
logged against individual users and that, therefore, logins to the system
are secure. Additionally, they require organisations to have disciplined
procedures for patching software and to put an incident response plan in
place. They would also want to know whether vendor networks are monitored
regularly. Organisations would want to measure themselves against industry
benchmarks such as the NIST framework and ISO 27001, as that would result
in a lower cost of

Further, once a policy is purchased, the insurer is invested in keeping the
damage from any cyber-attack to a minimum. This results in an additional
layer of security through the monitoring and rapid response services the
insurer provides to its policyholders.

While correlated risks arising from software vulnerabilities (such as
Heartbleed, discovered in 2014) and the scalability of the sophisticated
attacks used by hackers make risk assessment especially difficult, insurers
have developed complex statistical models to facilitate evaluation of the
potential consequences of different damage scenarios. This allows the
insured to work out the best contingency plans and ensure that critical
services are back up and running as early as possible in the event of a
breach, keeping consumer backlash to a minimum.

While cyber insurance cannot protect an organisation against reputational
risk or replace strong security controls and information security
programmes, it does act as a last line of defence and mitigates most of the
financial risks arising from a breach. Further, it also incentivises cyber
security discipline across the organisation.