Matt Middleton-Leal weighs up the risk-reduction possibilities offered by enterprise cyber-insurance
Is cyber-insurance the answer to reducing cyber-risk? At a macro level, the answer is, of course, yes. Any business that can reduce risk through insurance is taking proactive steps towards protecting shareholder value. However, for years the small print in insurance policies has been the butt of many jokes. Having a policy in place is one thing; having a policy that pays out appropriately for the breach you experience may be somewhat more challenging.
I have personally spoken with two insurance business leaders in the last few months who both agree the cyber-insurance space is poised for significant growth. In fact, with the right premium, they are prepared to insure against most risks.
The example they gave was the creation of insurance against terrorism; if organizations are willing to shoulder the cost of the premium, insurers will cover the risks, however difficult to identify. So if an organization is insured against the risk of a terror attack, does it stop putting in place guards, gates and guns to reduce the risk?
Two questions organizations may be asking themselves when looking at these new cyber offerings from insurance companies are: do we no longer need to invest millions in internal security controls? And how can we reduce our premium?
For the former, investments in internal security controls absolutely need to stay. As noted above, if organizations do not take a solid and responsible approach to security, their insurer is unlikely to pay out in the event of an attack. If we look at the UK’s Data Protection Act 1998 as an example, Principle 7 states:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
You should expect a similar clause in your policy, and you should expect to have to demonstrate that you met it when you make a claim.
For the latter question, premiums may initially be based on an ‘if you pay enough we will cover you’ strategy. Over time, however, competition will drive down the price, which will force insurers to look for ways to reduce the risk they are underwriting.
Insurers may well insist that organizations are certified against ISO/IEC 27001 (the standard behind the ISO 27002 control set), for example. Or they may insist on specific security audits before issuing a policy. This could, of course, have the effect of creating a whole new industry of cyber-insurance auditors.
If you are thinking about cyber-insurance, there are some basic points you need to settle with your insurer – including whether the policy will cover only your organization or whether customers and partners will also be protected. Other areas where you should check exactly what is covered include:
- Data loss
- Damage to assets such as websites
- Regulatory fines
- Remediation costs
One issue that may arise is who within an organization is responsible for answering the questions above. Is it the CEO, COO, CIO, CISO, or a combination of all of the board members?
Business-level insurance would not typically be controlled by the IT department, but for cyber-insurance IT may understand the risk best. Both the business and IT functions need to be confident that the risk has been mitigated. At board level, there is no doubt that organizations whose IT directors have business backgrounds will be well positioned to deal with these questions.
Cyber-insurance is an excellent risk management tool that organizations should consider. However, it should not be purchased at the expense of solid security policies, controls and education programs for your staff.
Cyber-attacks – whether from hacktivists, state sponsored groups or espionage activity – do not appear to be going away anytime soon, which means that we need to deploy multiple layers of defense. Insurance is a good one, but by no means the only one.
About the Author
Matt Middleton-Leal is UK and Ireland director at CyberArk. He is responsible for overseeing sales and partnerships, as well as growing the business. With more than 15 years’ experience in the security industry, Matt has worked for many organizations on security projects, specialising in areas such as privileged account security, identity and access management, and application, network and database security. Prior to CyberArk, Matt was the business unit executive at IBM Security Systems.