On Feb. 26, 2015, James Clapper, the director of U.S. national intelligence, testifying on Capitol Hill, said, “cyber threat is more severe than we had previously assessed,” as he delivered the annual assessment by intelligence agencies of the top dangers facing the country. As they have in recent years, U.S. intelligence agencies once again listed cyber attacks as the top danger to U.S. national security, ahead of terrorism. Saboteurs, spies and thieves are expanding their computer attacks against a vulnerable American internet infrastructure, chipping away at U.S. wealth and security over time, Clapper said.
If the United States of America feels vulnerable to cyber risks, can the individual business feel invincible?
The story goes on and on: “it won’t happen to us… this is all about big companies… who would possibly want to deal with us? …besides, we have taken every measure we can think of to stop the bad guys! …pay more money to buy insurance? Who needs it?”
It makes sense, right?
The bad guys have robbed banks for centuries; across the globe, banks take pride in the state-of-the-art security built into their systems, and bank robberies are still in the news. Yet the average computer heist is orders of magnitude greater than the average bank robbery.
The weakest link of the security chain is the human factor: the sloppy IT technician, the not-so-careful associate, the arrogant CEO (rules don’t apply to those who make the rules, remember?). Lately even Hillary Clinton has come under scrutiny after having used her personal email account to conduct government business as secretary of state. If the strict environment in the US government couldn’t persuade her to use the encrypted and secured official communication channels, who is to say that your company’s employees will abide by the rules?
The popular image of the “hacker” as a lonely, insecure kid who spends all his time in his mother’s basement over a PC, writing scrappy computer programs to try to penetrate computer systems security, has faded into the past.
In today’s news, we read not only about cyber criminals having strong, fully automated systems as their tools of the trade, but also about “increasing in frequency, scale, sophistication, and severity of impact, nation-state cyber threats”. Also, places like China actually have hacker camps and bases where they are “training North Korean cyber warriors now numbering – according to uncorroborated reports – around 5900” (*). And if China is thousands of miles away from you, you are only a click away from China.
Recently we have also seen the rise of a new kind of hacker – the hacktivist. Rather than trying to make a profit, this hacker is looking to make a point and he’s using your company to do so. Hacker groups like ‘Lulzsec’ and ‘Anonymous’ have attacked numerous corporations in protest of their actions.
But if you still feel that you are “too small to fall” to those atrocious top-of-the-line attackers, it isn’t just those well-funded bad guys outside the business that you should worry about.
There are numerous threats much closer to home – literally inside your business. The risks posed by employees and trusted partners can run from out-and-out fraud to malicious actions to simple malware contamination if you accept BYOD (Bring Your Own Device).
In fact, companies that adhere to an “it won’t happen to us” attitude about data breaches are leaving themselves vulnerable. Without appropriate measures taken beforehand, dealing with a breach only when they find out about it could mean dealing with a much bigger problem.
The same is true when insurance costs fall prey to suicidal cost cutting.
Now, it does make sense, right?
As it seems, your only options are to manage your cyber risks and to transfer them through cyber security insurance designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.
Cyber Liability Insurance Cover (CLIC)
The term “cyber liability insurance cover” is often used to describe a range of covers – in very much the same way that the word cyber is used to describe a broad range of information security related tools, processes and services.
At the moment, cyber liability insurance cover can include:
Data breach/privacy crisis management cover. For example, expenses related to the management of an incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance and regulatory fines.
Multimedia/Media liability cover. Third-party damages covered can include specific defacement of website and intellectual property rights infringement.
Extortion liability cover. Typically, losses due to a threat of extortion and professional fees related to dealing with the extortion.
Network security liability. Third-party damages as a result of denial of access, costs related to data on third-party suppliers and costs related to the theft of data on third-party systems.
Some of the elements of a cyber liability cover may be interconnected or overlap with cover from existing insurance products, including those for business continuity, third-party supply chain issues and professional indemnity. Even if this overlap does exist, a decent cyber liability policy will ensure cyber risks are fully catered for.
For many insurers and brokers, the technicalities of information security and the details of how to deal with a data breach are still a mystery. The market for cyber liability products is also in its infancy, so be prepared to work with your provider to ensure that you get what you actually require.
How To Buy Cyber Liability Insurance Cover
Start with the basics
For many insurers and even for brokers, the technicalities of information security and the details of how to deal with a data breach are still a mystery. The market for cyber liability products is also in its infancy, so be prepared to work with your provider to ensure that you get what you actually require.
The Broker
No two businesses are the same when it comes to cyber risks, so it is key to understand the cyber risks your business faces and to ensure your cyber policy is tailored to mirror those risks.
Getting the right broker is important. A good specialist broker will save you time in determining what is right for your business; bear in mind that this may not be the broker you are currently using for your non-cyber risks.
Choosing the right insurer can be the difference between paying little for cover that you will never be able to utilize in the event of an incident, and having cost-effective cover where the insurer understands the implications of a breach and the costs associated with it. It is the broker’s responsibility to guide you through this choice and make sure that you get the right cover at the most affordable cost.
The Policy
Selecting the right policy for your business, business model, industry, size, exposures and so forth is a very complex exercise, which is why a specialist broker is important, as they are the most qualified to know the best products to suit your needs.
It is important to understand the support you receive as part of the cover. Remember that your organization may not have the people or experience to manage a data breach incident, so third-party suppliers can often be a better route to take.
All policies have a set of exclusions, terms and definitions. Understanding these is important.
For small and medium-sized enterprises there are very simple policies available, but sometimes these raise more questions than they answer, as they do not always provide a long list of exclusions or terms and definitions; these may only be brought to your attention if and when you file a claim.
Some Final Words
At EXL, during our decades-long career in risk management, we have had the unfortunate experience of working with companies suffering a disruptive cyber attack without the proper insurance cover. It’s shocking beyond words how a management move to cut expenses by putting back the insurance-buying decision can drive an otherwise financially sound company to the brink of bankruptcy in no time.
Perhaps we didn’t push hard enough, or perhaps the “it won’t happen to us” attitude and the relentless cost cutting are, in certain organizations, as deeply embedded as a ticking bomb in the basement.
In our endeavour, individually and collectively, we have learned the importance of listening.
We need to take a long, hard look at your IT business in order to negotiate on your behalf the best coverage for your needs at the most affordable cost in the international market.
We will stick to a mutually agreeable service plan and, should you become eligible for a claim, our experience and industry expertise ensure that you will be properly represented and your interests fully protected.
Mind you, we work for you, not for the insurance company.
We offer a wide range of risk consulting and insurance services to assist you in planning, managing, and mitigating exposures relating to cyber risks, either across the office or across the globe.
Cyber risk protection is a ‘cops and robbers’ game, a never-ending struggle. Unfortunately, robbers are in the lead – some say, they are the same people who produce computer security software.
We say cyber insurance completes your protection and most likely you shouldn’t be without it, but we would like to hear from you.
Insurance is not a luxury nice-to-have for the good times. It’s a must-have life saver for the bad times, at the cost of an easily affordable premium.
(*) http://thediplomat.com/2015/01/us-sony-hack-response-a-message-to-china/