
Cyber insurance: a sound approach to residual risk


No cyber security protection is 100% secure. Cyber insurance can protect your exposure and limit your risks.

By Rishi Kant, senior manager, cyber security consultant, EC-Council Global Services

Nearly every organisation that goes online, whether for marketing, services, products, shopping, networking or knowledge-sharing, is exposed to cyber threats. The threat level has increased over the last few years, and the threat landscape evolves much faster than security measures can keep up with. Cyber threats are evolving daily.

Unknown threats, called zero-day exploits or zero-day threats, require proactive thinking. There is no such thing as 100% security assurance. Despite all the effort and investment in place, there is no absolute guarantee against security breaches. Companies must have the resilience to handle the risk and absorb losses arising from a security breach.

Breaches can impact a company’s growth, risk appetite, brand value, reputation, and turnover. Sometimes they can also impact the company’s mission, objectives and goals. Large companies already understand the risk that cyber threats pose to their business. They evaluate the risk factor for all their valuable assets – threat x vulnerability x asset value – and may spend millions of dollars to avoid, address, and mitigate security incidents to the best of their ability.

One of the major solutions for coping with the risk of cyber threats is to transfer the risk and ensure the company has sufficient funds to withstand a cyber incident. Thus, cyber insurance is considered a part of risk management best practices. It needs to be embedded into the risk management strategy to tackle unnecessary disruptions to the business and its assets.

Risk management programs should regularly determine which risks to avoid, accept, control, or transfer. Transferring the risk to second parties (cyber insurance providers) provides cover for losses resulting from data breaches or loss of confidential information.

Cyber insurance, also known as cyber-risk insurance or cyber-liability insurance coverage (CLIC), is an insurance service to protect companies from cyber threat risks and, more generally, from IT-related risks on their assets.

What is cyber insurance?

It is purchased by the insured (first party) from an insurer (second party) for protection against the claims of another (third party). It typically covers expenses as follows:

  • Investigation
    A cyber forensic investigation is necessary to determine the exact reasons and causes of a
    cyber security incident. This is critical not only to understand the root causes but also to assess
    current vulnerabilities that may lead to exploits and compromises by internal or external entities.
    An investigation provides the full data on actual assets lost, misplaced or changed, as well as their monetary value. The report will also define how to repair damages and what types of preventive controls are needed for risk avoidance. Investigations may also involve engaging external security firms as an
    independent organisation to coordinate with law enforcement and establish chain of custody.
  • Business losses
    A cyber insurance policy may include terms similar to those in an errors and omissions policy
    (for errors due to negligence and other reasons); monetary losses experienced for not meeting
    RTO/RPO (recovery time objective/recovery point objective); business interruption; brand damage; loss of clients or customers; data recovery; and costs involved in managing a crisis, which may involve repairing a damaged reputation.
  • Privacy and notification
    This includes sending notifications of data breaches to customers and other affected parties, as mandated by law in many jurisdictions, and credit monitoring for customers whose information was or may have been breached.
  • Lawsuits and extortion
    This includes legal expenses associated with the release of confidential information and intellectual property, legal settlements, and regulatory fines. It may also include the costs of cyber extortion, such as in ransomware attacks.

Proactive vs. reactive measures

Cyber insurance is a risk transfer strategy to counter potential data breaches and network security failures. Organisations are willing to spend money on security initiatives after a breach. However, these are reactive or corrective measures. Proactive security measures (see box) may help reduce not only the overall risk landscape but also lower cyber insurance premiums.

A proactive information security program goes beyond installing basic cyber security measures; the organisation may also need to keep those measures up to date, since failing to do so may void the coverage.

When a functional and operational information security program – with a clear definition of the organisation’s risk threshold – becomes a priority, the company can minimise its potential risk and should be able to absorb losses in the event of a breach.

Choosing the right cyber insurance provider

The best insurance provider is one that employs in-house cyber security experts or partners with cyber security service providers. Such collaborations help them create solid offerings that address assurance and insurance together.

  • Security audit
    An insurance provider that partners with security providers is better able to audit and assess current IT security risks accurately. A comprehensive security posture assessment (CSPA) will not only determine the cost of the insurance package but also provide a solid overview of the insured’s current state at no extra charge. A CSPA helps the insurer charge according to actual figures instead of rough estimates (which may lead to overcharging) and gives the insured a clear picture of where they stand.
    A pre-insurance audit benefits all parties. Insurers can minimise the risk of signing up companies with severe hidden vulnerabilities, while the insured can address the identified vulnerabilities before they are exploited.
  • Faster response time
    Insurance providers with their own cyber security professionals can also combat security challenges immediately after an attack. Without them, the client has to find a solution internally or search for security vendors to help with the breach. This delays actions that must be taken following an attack. The longer the response time, the harder it is to deal with the impact of a breach.
  • Cost savings
    Insurance providers that partner with security vendors enjoy lower service fees as they work together on multiple cases. Other organisations that seek help on an ad hoc basis will be charged market rates, and hence the bill will differ significantly.

It is better for insurers to work closely with vendors because it is cheaper compared to paying for their clients’ claims later. Furthermore, the insured is assured of having full treatment and an immediate incident response.
