It’s time for cyber-insurance – even if you’re a small business owner!
By Lum Ka Kay August 2, 2016
- Cyber-insurance not just for the big boys any longer
- Traditional insurers not well-placed to meet demand
As cybercriminals continue employing increasingly sophisticated methods, security is no longer about if but about when a company will be hit by a data breach, according to Symantec Malaysia.
Its systems engineering director David Rajoo pointed out that cybercriminals target the same victims repeatedly, hence there is indeed a need for chief information security officers (CISOs) to reconsider their approach to cybersecurity.
“Based on Symantec’s Internet Security Threat Report (ISTR) Volume 21, large businesses that experience a cyber-attack saw an average of 3.6 successful attacks.
“Once an organisation is targeted for attack, it is most likely to be targeted for three more attacks.
“Smaller businesses are also becoming increasingly vulnerable to targeted attacks, with 43% of such attacks in 2015 targeted at them,” he told Digital News Asia (DNA) via email, adding that “CISOs need to increase their level of awareness and boost the security systems they have in place.”
With most companies having to face the likelihood they will be hit sooner or later, they need to invest in cyber-insurance to help them recover more quickly from data breaches and to mitigate risks.
“Cyber-insurance is one of the fastest growing insurance lines to emerge in decades and is slated to fundamentally change how cybersecurity is purchased in the next five years,” said Rajoo.
“Originally, cyber-insurance was meant for major enterprises – however, we are now seeing the emergence of policies to cover costs for owner-operator businesses with only a few employees.
“It covers the following: Event and incident response; public relations (PR); notifications; liability (legal defence and settlements); and business interruption (lost revenue),” he added.
A real need
Whether it is an insider attack or criminal fraud that is focused on websites and point-of-sale devices, data breaches are on the rise and the impact of a cyber-attack on an organisation’s brand, reputation, and business operations can be catastrophic, Rajoo argued.
Citing the ISTR, he highlighted the fact that 72.4% of spear phishing attacks were targeted at the services industry, making it the most vulnerable industry in Malaysia.
“Based on our estimates, 60% of small businesses will close within six months of a material cybersecurity breach, which means there is a real need for insurance against cyberthreats,” he declared.
Cyber-insurance has become a key element for organisations looking at the full spectrum of cybersecurity preparedness.
“While cyber-insurance itself is not a defence, it can effectively be an additional layer of security and mitigate risks by complementing [existing] IT security efforts and other information security-oriented functions,” Rajoo said.
Symantec itself is partnering with the global cyber-insurance industry to help address the cyber-risks faced by businesses.
“The first way we are addressing these problems is by using our data, intelligence and expertise to create new risk analytic products for insurers, including actuaries, underwriters and catastrophe modellers,” said Rajoo.
“Another way is by forming joint go-to-market partnerships with insurers where we serve their clients with our mutual products and services,” he added.
However, Rajoo admitted that one of the biggest challenges in growing the cyber-insurance sector is that insurers are not well-placed to meet demand in this nascent industry.
There are “no robust actuarial models and only limited underwriting tools,” he said.
“Also, insurers are regularly on the hook for large payouts (US$100,000 and above per client) in the event of a data breach, despite their limited understanding of the risk.
“The impact of cyber-aggregation events is also a particular concern, given the lack of catastrophe-modelling and the potential impact on an insurer’s solvency,” he added.
Symantec Malaysia has given several pointers on cyber-insurance that business leaders ought to know:
Cyber-insurance is not a static programme
- Just as technology is evolving at a rapid rate, cyber-insurance is also becoming increasingly complex over the years. What is considered core coverage today was not available as little as three years ago.
- To keep up with business needs and sophisticated cyberattacks, enhancements to coverage are negotiated in the marketplace every day. Companies need to carefully consider the differences in insurance products offered across the market and find a cyber-policy with coverage that best suits their needs.
Insurance brokers are more than just sales contacts
- Choosing to transfer risk from the balance sheet by way of insurance is a daunting task and many companies struggle to understand the size and type of investment needed in risk mitigation.
- Unlike other classes of the insurance industry, a broker represents the interests of companies and effectively assesses cyber-risks unique to the buyer. When investing in cyber-insurance, work with an insurance broker to understand the assets at risk and how best to address them either under the existing insurance programme or through a new dedicated product.
Incident responses can minimise potential damage
- Incident response is a major part of every cyber-insurance claim and should be firmly in place in case of a major breach.
- A well-built and regularly tested incident response programme is an important component of a comprehensive risk management plan, and can mean the difference between a minor incident and a major breach. The incident response programme ensures an organised, live response and minimises potential data and monetary loss.
Crisis communications in a data breach event
- When a data breach occurs, companies have many different audiences and stakeholders they must reach in their communication ladder. What many companies tend to overlook is that cybersecurity and breach response is fraught with legal and regulatory landmines that, if companies are not careful, may result in lawsuits.
- Engage the help of a crisis management professional to create a crisis communication plan. Being well prepared in advance will help avoid panic in times of crisis.
- By investing in cyber-insurance, organisations can protect themselves from privacy liabilities, theft resulting from cyber-attacks, damaged physical assets, and class action lawsuits. While it is important for organisations to ensure that comprehensive security systems are in place to prevent attacks, it is equally important that they have a contingency plan in the event of a security breach. In today’s business landscape, it is the new normal that organisations must plan proactively but prepare for the reactive.