BreachExchange mailing list archives

Have we got cyber risks covered?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 17 Mar 2014 18:50:22 -0600

http://www.globalreinsurance.com/have-we-got-cyber-risks-covered/1407506.article

In the current soft pricing environment, and with increasing numbers of new
markets entering the data breach insurance arena, brokers are very much in
the driving seat. They can, and do, demand broad coverage for a combination
of both first and third party risks.

Over the past decade cyber insurance has evolved considerably. Larger
brokers and risk managed clients are increasingly well-versed in the risks
posed by data breaches, and the coverage options available. Specialist
insurance now covers regulation issues, as well as new risks such as cyber
extortion, network and system issues, and merchant monthly payment
liabilities, and policies can be tailored to suit the client.

Education is still required

However, there is clearly still a lot of work to do in educating mid-size
and smaller clients about the risks posed, and the cover available, as many
are not purchasing this form of insurance. But hackers are indiscriminate
in whom they target, and often go for smaller companies as their systems
are less well protected. This fact was backed up in a recent report by PwC
and the UK government, which stated that 87% of small businesses reported a
data breach in 2012, a 50% increase on the previous year.

Part of the problem is that there appears to be confusion about the level
of cover provided under more traditional commercial covers, but in reality
this is very limited, and over the next few years it seems likely that
these elements may be withdrawn.

There is also a need for clients to be convinced that this form of
insurance is cost-effective.  It is essential they understand that a
service-led data breach insurance policy not only provides financial
assistance, but also a valuable service in their moment of need should a
data breach occur.

A timely reminder

Although exceptional in its size, the malicious attack on US retail giant
Target over Christmas is a timely reminder of the scale of the risk faced
by a business which holds sensitive, personally identifiable customer
information.  The points of particular note in Target's case are that
the hackers used a new and unknown virus to get into the company's IT
system, and the malware went undetected for over 20 days.  As a result,
Target estimates that between 70m and 110m customers could be affected, and
it has offered credit monitoring services to each of them.

In addition to the client notification and credit monitoring costs, there
is the IT forensic work that has been undertaken to identify and rid
Target's system of the virus; the impact on its share price; not to mention
potential regulatory fines, class action lawsuits from affected
individuals; and the massive impact that it has had on the company's brand
reputation.

Times are changing

It is always hard to persuade buyers to purchase a new form of insurance,
but times are changing and the impetus to buy is increasing.  This will be
exacerbated further when the proposed new EU-wide data privacy regulations
become law in the next year or so.  These changes are potentially a market
game-changer and the insurance industry - both brokers and insurers - need
to be ready.

What is certain is that hackers are getting increasingly sophisticated and
daring, their activities know no territorial boundaries and data is a
valuable commodity.  The insurance market has been proactive to date,
developing a range of first and third party covers, and various approaches
to help clients. The result is a highly competitive market vying for
business.

We all need to play our part in educating insureds as to the options
available and the value of these policies.  Insureds need to understand
their exposures and put in place robust risk management procedures to
protect their data and be prepared for a data breach. As we always tell our
clients, it is not a case of 'if' but 'when'.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/