Intelligent CISO Issue 07 | Page 85

policyholders have the resources they need to start reacting to a cyberattack. Cyberinsurance providers typically require potential policyholders to sign affidavits attesting to the proper deployment of information security software, equipment and practices, including the use of antivirus, firewalls, back-ups, etc. Many insurers will send their own inspectors to perform an information technology risk assessment using NIST or other industry-standard risk assessment frameworks. Policies can cost anywhere from US$1,000 to US$8,000 per year for US$1 million in coverage, depending on your company's industry and revenue stream.

The core tenet of cyberinsurance deals with covering the cost of dealing with a cyberattack.

Do I need cyberinsurance?

When evaluating whether your company needs cyberinsurance, you must first evaluate which virtual assets are most important to your company's livelihood. If your company performs any of the following activities, you might want to consider getting a cyberinsurance policy:
• Accepts or processes digital payments
• Uses computers, mobile devices and Wi-Fi
• Stores personally identifiable information or other confidential customer information
• Stores medical or financial data
• Stores highly valued intellectual property

Other less 'tangible' advantages to carrying cyberinsurance include:
• Policies may be very cost effective if the premium plus deductible is less than the cost of incident response, credit monitoring and legal services
• The peace of mind gained from knowing that the financial burden a cyberattack can put on your company is significantly reduced
• Publicising the fact that your company carries cyberinsurance can provide customers with peace of mind and may even differentiate you in your market

The addition of cyberinsurance does not mean you have the freedom to be lax on implementing cybersecurity, incident response and recovery measures.
Remember, by the time you make a claim against your cyberinsurance policy you've already lost system access, intellectual property or personal information. Cyberinsurance is merely part of a comprehensive plan to mitigate risk and defend against cyberattacks.

The industry in confusion

Big Data has made the wider insurance industry very precise in how it prices and plans coverage. Thousands of risk factors are fed into a data model that has been trained on decades' worth of data to determine the price of your policy and what that policy covers. That volume of data is simply not available for cyberintrusions. For example, Verizon only started releasing its Data Breach Investigations Report in 2009. Even by a liberal estimate, there is likely only 15 years' worth of cyberintrusion data to work with. In the end, this sector of the insurance industry is still young and susceptible to fluctuations as cyberincident activity changes.

IoT is also drastically affecting the cyberinsurance scene in a few different ways. First, most inexpensive Internet-connected devices tend to be lax on security. This is because cybersecurity