The repercussions of cyber attacks are only likely to worsen as the volume and severity of attacks increase.
For instance, the arrival of the General Data Protection Regulation (GDPR) in 2018 means companies will face fines of up to 4% of global revenues or €20 million, whichever is greater.
In light of these risks, cyber insurance is emerging as a real risk management option for businesses if the worst should happen.
Far from being a luxury, there is every possibility that cyber insurance will soon become a necessity for any organisation storing personal data. In the same way that drivers are required by law to have motor insurance, businesses may be obliged to have measures in place which guarantee compensation for customers left at risk by any data breach.
The eligibility question
Unfortunately, as with motor insurance, even if cyber insurance becomes an obligation, getting insured won’t necessarily be simple or low-cost.
Insurance companies will only provide policies to organisations that are insurable: either because they present a low risk, or because they are prepared to pay significant premiums.
To lower their premiums, organisations will have to prove they are a low risk, show good governance in the protection of their sensitive information, or reduce their expectations around levels of cover.
Just as home and contents insurers require policyholders to have locks on all the doors and windows, businesses should be able to show they have the relevant systems and processes in place to protect their data.
However, anyone who has taken out home insurance will testify that there’s a big difference in premium between having a simple lock on a door, and having multi-point locks and a burglar alarm.
In an age of organised cyber crime, state-sponsored cyber attacks and advanced cyber threats, anti-virus and a firewall are unlikely to be enough.
Organisations might therefore want to consider improving their current defences and adopting a more proactive approach to next-generation cyber security, in turn encouraging insurers to offer more affordable policies.
Obtaining the perfect premium
As when taking out any insurance policy, the first thing organisations will need to do is establish the nature of the risk they face, in order to determine their premium.
This is critical for two reasons. First, a more accurate assessment will allow a more accurate, and appropriately priced, premium. Second, by auditing their defences in this way, organisations will face less risk that claims will be refused if the worst eventually happens.
Much as a driver who states their car is always parked in a locked garage will have a hard time claiming if it is stolen from the street outside their house, organisations that are found to have overstated their security preparedness could be in for a nasty shock if they claim for a breach resulting from a control weakness they did not previously disclose.
At its most basic, any risk assessment needs to consider the kind of data being stored, and what level of security it has to protect it.
Identifying where the most valuable data resides will help predict where attackers are most likely to strike, and so assess whether current security measures and access controls are adequate.
For example, there’s no need for a receptionist to have access to sensitive financial data, so their privileges should not extend to that information.
Organisations will also need to demonstrate their preparedness in the event of an attack. The faster an organisation can react, and the more it can minimise any potential damage, the lower its premiums will be.
For instance, businesses must have the ability to monitor their systems for any suspicious behaviour that indicates data is being accessed or used in ways that it should not be, whether by an employee or by an unknown, external party.
This capability can prove particularly useful in identifying potential threats before damage has been done, safeguarding company data and helping to manage cyber insurance premiums.
From the insurer’s perspective, it also reduces the containment and clean-up costs they are paying out for, so it could become mandatory under some policies.
With attacks showing no signs of slowing down, security processes should be automated as much as possible. Otherwise the prospect of lower premiums will be drowned out by the fact that security teams will have to deal with a blizzard of alarms, both false and all too real.
Equally, the systematic and repeatable operation of a system is easier to audit, demonstrate and rely on than the operational risk and randomness that can result from some SOC operations.
The old adage that an ounce of prevention is still better than a pound of cure is true here. While an insurance policy provides an indispensable safety net, businesses should still focus on ensuring they avoid becoming a casualty in the first place.
Sourced by Piers Wilson, head of product management, Huntsman Security