Tuesday, June 7, 2022

Addressing the Cyber Security Insurance dilemma




Mainly due to the increase in ransomware attacks around the world in recent years, companies providing Cybersecurity Insurance or Cyber Risk Insurance are seeing increased demand for their products.

Cisco defines Cybersecurity Insurance as: “Cyber insurance is an insurance product designed to help businesses hedge against the potentially devastating effects of cybercrimes such as malware, ransomware, distributed denial-of-service (DDoS) attacks, or any other method used to compromise a network and sensitive data. Also referred to as cyber risk insurance or cybersecurity insurance, these products are personalized to help a company mitigate specific risks.” [1]

Organizations that are able to afford the cost of a specific Cybersecurity Insurance policy need to understand that Cybersecurity Insurance is not a holistic solution for every cybersecurity attack they could become victims of.

In general terms, Cybersecurity Insurance should be part of a well-structured Incident Response plan that organizes IT and non-IT departments across the organization, including their respective senior or C-level management, and that is aligned with a wider Business Continuity Program (BCP). While the complexity of the Incident Response process is undeniably high, regardless of the organization's size, efforts should be made to have it in place and ready to go in the case of a severe attack against the organization's IT infrastructure. Cybersecurity Insurance is the last resort in an established and practiced Incident Response plan, since it is designed to alleviate the cost of a successful attack and prevent the impacted organization from going bankrupt [2]. In this regard, the usual costs covered by Cybersecurity Insurance are: investigation, crisis communication, legal services, and refunds to customers [2].

Growing demand for Cybersecurity Insurance

Reportedly, ransomware attacks increased dramatically during 2021 and are still on the rise during 2022. Organizations impacted by this type of attack are paying the ransom in order to reduce the time it takes to recover their business-related information. This triggers a different problem: organizations that decided to pay the ransom become targets of a ransomware attack again [3].

Moreover, ransomware is not the only problem. The threat landscape has also grown with the adoption of remote work due to the Covid-19 pandemic. As a result, security organizations around the world have seen their security strategies become more complex and the associated costs increase.

Main function of the Cybersecurity Insurance

The main function of Cybersecurity Insurance is to protect the organization from the costs associated with an attack that could have a considerable impact on the organization's operations. CSO indicates that “A Cyber insurance policy coverage usually includes costs related to the remediation process, such as paying for the investigation, crisis communication, legal services, and refunds to customers.” [2].

Could having Cyber Security Insurance make me a target?

While there is no evidence proving that malicious actors are able to obtain firsthand information about which organizations have acquired Cyber Security Insurance, there is some unscientific evidence showing that malicious actors are more than eager to find ways to learn which organizations have taken out Cyber Security Insurance and the premium amounts involved.

Therefore, while taking out Cyber Security Insurance could give C-level executives some peace of mind, it should be accompanied by a solid security strategy and awareness.

While Cyber Security Insurance could bring some level of last-resort protection to companies of all sizes, having it in your security strategy should not be understood as the only measure available against a cyber security attack.

Before even considering Cyber Security Insurance, organizations must create, review, or improve their Incident Response plans, as mentioned in the beginning. Practicing that process in yearly internal drills is a good strategy to create muscle memory and be prepared when a real security incident occurs. In addition, it increases awareness and allows organizations to keep their contact lists updated. We will have more entries about Incident Response in the near future [8].

Conclusion

Cyber Security Insurance represents, if your organization is able to afford it, an additional layer that could help the organization avoid bankruptcy as a consequence of a cyber security attack, but it should not be considered the only available resource to handle a cyber security incident.

Careful assessment is required before taking out Cyber Security Insurance, which might have some requirements in terms of Vulnerability Management, Security Controls, Security Operations, etc., in order to calculate the premium.

References

[1] https://www.cisco.com/c/en/us/solutions/security/cyber-insurance/what-is-cyber-insurance.html 

[2] https://www.csoonline.com/article/3654216/is-cyber-insurance-an-invitation-to-cybercriminals.html#tk.rss_all

[3] https://www.techtarget.com/searchsecurity/news/252502519/Repeat-ransomware-attacks-hit-80-of-victims-who-paid-ransoms

[4] https://redcanary.com/blog/cyber-insurance/

[5] https://hbr.org/2021/01/cybersecurity-insurance-has-a-big-problem

[6] https://www.csoonline.com/article/3643054/cyber-insurance-explained.html#tk.rss_all

[7] https://www.darkreading.com/attacks-breaches/cyber-insurance-and-war-exclusions

[8] https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
