Your company is likely insured to cover a variety of business risks. Some of the most common business coverages include general liability insurance, product liability insurance, professional liability insurance, commercial property insurance and perhaps specialty coverages depending on your business needs. Most business managers assume that they are well protected. However, it is time for an insurance review that includes a relatively new, yet potentially devastating risk: cybercrime.
Most insurance companies exclude electronic data under the definition of ‘covered property’. General liability coverages are designed for bodily injury or property damage, and these are narrowly defined in the policy, leaving no room to cover electronic data.
Insurance companies and have kept abreast with the blazing advancement in cyber technology. While technology continues to advance at a rapid pace, the insurance industry is struggling to keep up. There are, however, some companies that are developing and marketing cyber insurance policies to cover the potentially devastating impact of a cyberattack. AIG, for example, has introduced a standalone policy called ‘CyberEdge’ that offers coverage against many cyber risks.
Specific risk policies
Many large companies are working with their insurers to write specific risk policies that provide coverage for business interruption, liability, remediation costs and other damages inflicted by cyberattacks. The cyber insurance industry is estimated to be a £3 billion per year business and growing fast. The following examples tell why more companies are adopting cyber insurance:
• Bupa – A data breach lost them the personal details of 108,000 customers’ that they provided with international health plans
• TalkTalk – Fined £100,000 when they violated data protection laws and put the data of 21,000 telecommunications customers at risk.
A Ponemon Institute report found that the average cost of data breach for the 383 participating companies in 12 countries was about £3 million. Two of the ‘megatrends’ discussed in the report are:
1) Regulated industries such as the healthcare and financial industries experience the most costly breaches because a higher than average rate of lost business and customers, and hefty fines
2) Investments in certain data loss prevention controls and activities, such as encryption and endpoint security solutions, are important for preventing data breaches.
Insurance companies are working on developing risk assessment practices to better manage the cyber vulnerability score of insurance applicants. Of course, the higher the risk score, the more the applicant will pay for coverage if a policy is underwritten. Many insurance companies are using Payment Card Industry (PCI) data security standards as a base line for providing coverage. These standards demand the implementation security practices such as firewall protection, and other intrusion, encryption and data loss protections. An organisation that is not in compliance with PCI standards will find it difficult to obtain coverage.
Strong network protection starts with a Next Generation Firewall (NGFW) that integrates intrusion protection with traditional firewall protection. Additional appliances such as Data Loss Protection (DLP) provide an additional layer of protection, helping to prevent the download of protected information by unauthorised devices. Other critical appliances that identify traffic anomalies, block suspicious traffic, and help weed out malware, are coming to market each day.
New technology
When it comes to malware protection innovation, there is both good and bad news. The good news is that there is a constant flow of new technology coming to market, with each new appliance covering a previously under-protected vulnerability. The bad news is that deploying numerous specialised appliances on every link of a complex network is very costly and can impact the reliability and availability of networks to legitimate users. Fortunately, there is more good news where that came from.
Security appliances can be connected directly to links or can be ‘brokered’ through intelligent visibility appliances that are designed to connect numerous appliances. These intelligent TAPS and Packet Brokers can map network traffic through connected appliances and bypass problem units. The port mapping and power-fail protections keep networks ‘alive’ even when certain appliances are ‘dead’.
To summarise, cyberattacks are increasing in sophistication and frequency. A well written and rated cyber insurance policy can protect businesses from costly breeches and their associated liabilities. In order to get the best coverage at a reasonable rate, review your security profile prior to applying for coverage. The cost of strong security infrastructure can be offset by lower insurance rates and by the advantage of defeating attacks before the damage is done.
Alastair Hartrup is Global CEO of Network Critical.