policyholders have the resources they need to start reacting to a cyberattack. Cyberinsurance providers typically require potential policyholders to sign affidavits attesting to the proper deployment of information security software, equipment and practices, including the use of antivirus, firewalls, back-ups, etc. Many companies will send their own inspectors to perform an information technology risk assessment using NIST or other industry-standard risk assessment frameworks. Policies can cost anywhere from US$1,000 to US$8,000 per year for US$1 million in coverage, depending on your company’s industry and revenue stream.
Do I need cyberinsurance?
When evaluating whether your company needs cyberinsurance, you must first evaluate which virtual assets are most important to your company’s livelihood. If your company performs any of the following activities, you might want to consider getting a cyberinsurance policy:
• Accepts or processes digital payment
• Uses computers, mobile devices and Wi-Fi
• Stores personally identifiable information or other confidential customer information
• Stores medical or financial data
• Stores highly valued intellectual property

www.intelligentciso.com | Issue 07
Other less ‘tangible’ advantages to carrying cyberinsurance include:
• Policies may be very cost effective if the premium plus deductible cost is less than the cost of incident response, credit monitoring and legal services
• The peace of mind gained by knowing that the financial burden a cyberattack can put on your company is significantly reduced
• Publicising the fact that your company carries cyberinsurance can provide customers with peace of mind and may even differentiate you in your market
The addition of cyberinsurance does not mean you have the freedom to be lax on implementing cybersecurity, incident response and recovery measures. Remember, by the time you make a claim against your cyberinsurance policy you’ve already lost system access, intellectual property or personal information. Cyberinsurance is merely part of a comprehensive plan to mitigate risk and defend against cyberattacks.
The industry in confusion
Big Data has made the greater insurance industry very precise in how it prices and plans coverage. Thousands of risk factors are fed into a data model that has been trained on decades’ worth of data to determine the price of your policy and what that policy covers. That volume of data is just not available for cyberintrusions. For example, Verizon only started releasing its Data Breach Investigations Report in 2009. Even liberally, there’s likely 15 years’ worth of cyberintrusion data to work with. In the end, this sector of the insurance industry is still young and susceptible to fluctuations based on changes in cyberincident activity.
Also, IoT is drastically affecting the cyberinsurance scene in a few different ways. First, most inexpensive Internet-connected devices tend to be lax on security. This is because cybersecurity