Cyber Liability Insurance: Moving from Insurance to Assurance
Enterprises need to identify holes and implement proper plugs prior to investing in cyber liability insurance.
It’s no shock to any following the news over the past several years that there has been an explosion in the interest for cyber liability insurance, particularly in the United States. A recent study by Insureon found that nearly 90 percent of policies are being purchased by American businesses. These policies are designed to financially assist businesses with the consequences of a breach, handling tasks like notifying impacted parties, offering credit monitoring services, negotiating with cyber extortionists and fixing a business’s security infrastructure following an attack.
A 2014 IBM sponsored study that surveyed 314 companies found that the average cost for a data breach is $5.85 million, and it identified the U.S. as the most expensive nation in which to have a breach occur. With a price tag of that size looming over small and enterprise business alike, it is no wonder that cyber liability insurance has piqued interest. As these breaches grow more common, and more costly, the need for some form of protection from the fallout will only become more of a national imperative.
The fact of the matter is, however, that only 25 percent of those U.S. companies that generate $1 billion or more in revenue have some form of cyber liability insurance, and as few as three percent of small businesses have a policy. These small businesses are at the greatest risk of a breach occurring, however, due to the fact that many do not have the funds for – or knowledge of – the best preventative security infrastructure, making them easy targets.
When evaluating traditional measures most businesses have in place to protect themselves, one would find the usual suspects – firewalls, password authentication and anti-virus protection. However, a look at the most recent major hacks, OPM, Target, JP Morgan Chase and the like, and it is apparent that the perpetrators utilized methods that either outsmarted these basic security measures or circumvented them entirely. The reason being, no one attacks the tip of the spear; hackers are going to find where you are the weakest and strike hard. Many of the aforementioned businesses were properly insured, but that point is moot if the company didn’t have the proper preventative measures in place.
Simply put, it does no good to insure a boat with holes in it. The boat will sink and it is unlikely that any competent insurer is going to pay out on a policy in which the owner was being negligent. For this reason, businesses need to identify these holes, and implement proper plugs prior to investing in cyber liability insurance.
To truly undermine a business’s security prowess, an intelligent hacker is going to look at all the elements of the business as a whole. That means physical infrastructure (server farms, office building, power supply), the human elements (employees, staff, outside consultants and service providers) as well as other areas of the company that may not be as well protected. For example, what is to stop a hacker or malicious entity from waiting outside a business of interest until the employee with bald tires leaves for the day. This employee could potentially be persuaded to assist this malicious outsider in exchange for compensation.
Another example comes to us courtesy of Target. While the retailer was using a standard and relatively secure method of protecting customer data at the point of sale, they left themselves completely open by failing to segment their systems and allowing an outside individual to have access to secured networks. No degree of or firewall protection can defend against a physical ingress in the real world.
These examples make it clear that security needs to be handled as if protecting a castle, with concentric rings of defense. The solution is a marriage of onsite physical security (guards, cameras, controlled access to buildings and other infrastructure), as well as utilizing up-to-date firewalls, password protection and the like. This is the only means of truly being able to say a business has complete control of who accesses their networks and systems, and from where. Authorization is the key, no pun intended.
A Positive Outlook for the Future
In order for insurance to truly become a valuable asset to a business’s data security strategy, there needs to be a more comprehensive review of a company’s overall security posture prior to the safety net of insurance being put in place. Too few insurers at the moment are actively getting involved in bringing policyholders up to speed (and keeping them updated) with the latest preventative security practices.
This trend (a lack of sufficient security auditing) has led to interesting instances in which businesses take out a cyber liability insurance policy, a breach occurs because substandard security measures are in place, and then the insurance company denies coverage due to negligence. If that weren’t a big enough bombshell, in the case of Target, banks and credit unions were also able to file lawsuits against the retailer for administrative costs, lost interest, transaction fees and lost customers.
Hope is not a strategy; today’s enterprise is greater than any one approach. With hybrid cloud offerings that span networks, enterprise security executives must insist upon standards based approaches to building and maintaining cyber, physical and human defense in depth strategies. More so than ever before, it is becoming an imperative that enterprises insist on good cyber-hygiene for employees at work, on the mobile move and at home.
As with most problems, the solution is a combination of efforts and not a single silver bullet. It will take the combined work of insurers funding research and businesses utilizing background checks, controlled access both cyber and physical, monitoring techniques and more. These tactics, combined with the traditional security measures put in place in enterprise, are the only way to prevent the breaches of the future.