
Can cyber-risk insurance really keep you safe?

Editorial Type: Masterclass     Date: 03-2014    Views: 1748   
Cyber-risk insurance policies are growing in popularity with the business community, but there is a danger that they can encourage complacency. Tim Ager offers his thoughts.

Each year at the RSA conference there is a trend, and it usually reflects the collective efforts of IT security firms in addressing specific new threats. This year, however, the trend was a bleak one: many companies acknowledged that they have lost the fight to protect their boundaries and are now looking for different ways to keep their businesses safe. Many companies view cyber security as the greatest risk to their business, and with greater exposure to the threats comes a desire to mitigate the aftermath of a breach.

One different way to address the overwhelming security threat is to invest in a cyber-risk insurance policy. These are growing in popularity with the business community, which is understandably keen to reduce the exposure of any breach. But cyber insurance is no different to any other form of insurance and there are pros and cons that business owners should consider carefully before investing.

From our personal experience, we tend to believe that owning an insurance policy makes a crime victimless. Our property is stolen, we make a claim, we receive compensation, we move on. So can cyber insurance make corporate breaches victimless?

Insurance will cover financial loss, but it won't help address the overall impact on a business. The cost of remediation, negative company reputation, reduced consumer confidence and loss of competitive advantage are impossible to insure against.

Like any contract, the devil is in the detail. If someone breaks into our home, it is easy to identify. But what if your corporate network is attacked by a 'trusted user'? Most policies do not cover what they define as deliberate or reckless acts. But aren't most attacks deliberate or reckless in nature?

The real concern with cyber-insurance comes when it leads to a culture of complacency with regard to protecting our organisations from risk.

The experience of buying personal insurance teaches us that, as long as we meet a minimum standard, we will receive a pay-out in the event of a loss; but defining and maintaining minimum standards in corporate cyber-space is not that easy.

RULES OF ENGAGEMENT
My advice is to first engage with the insurer to understand how they determine their minimum standards and how often they assess the security threat landscape. If new threats occur that impact cover, will they provide recommendations to you as a client? If a new threat is identified, will they expect you to procure a solution to address it immediately?

Secondly, like all insurance policies, be sure to look out for uninsurable risks and exclusions to the policy. Finally, I would always recommend that you engage someone who is a qualified IT security provider to assist in the analysis of the insurance policy.

Moreover, a trusted adviser should also be able to ensure you exceed the security standards, rather than simply complying with them. Cyber insurance certainly has a part to play in mitigating the financial burden of a breach, but we must ensure that it does not lead to an attitude of complacency. There is no substitute for a robust security policy, staff awareness and sufficient security technology to protect against risk. We should not be so quick to give up on our network security, because we can all mitigate security risks.
