By Piers Wilson, Head of product management, Huntsman Security
In recent years we’ve seen a huge financial fallout for organisations that have suffered large-scale cyber attacks; from the £500,000 slapped on British Airways for the 380,000 compromised card payments of customers, to the possible $915m fine that Marriott may face following the enormous data breach last year. These repercussions are only likely to worsen as the volume and severity of attacks increases. For instance, the General Data Protection Regulation (GDPR)’s arrival last year means that companies now face fines of up to 4 percent of global revenues or €20 million, whichever is greater.
In light of these risks, cyber-insurance is emerging as a safety net offering businesses protection if the worst happens. Far from being a luxury, there is every possibility that cyber-insurance will soon become a necessity for any organisation storing personal data. In the same way that drivers are required by law to have motor insurance, businesses may be obliged to have measures in place to guarantee compensation for customers left at risk by any data breach.
Eligibility: Proof is Paramount
Unfortunately, as with motor insurance, even if cyber insurance becomes an obligation, getting insured may be difficult or expensive. Insurance companies will only provide policies to organisations that are insurable; either through low risk, or because they are prepared to pay significant premiums. To lower their premiums, organisations will have to prove they are a low risk by taking sufficient steps to protect their sensitive data. Just as home and contents insurers require policy holders to have locks on all the doors and windows, businesses must be able to demonstrate that they have the appropriate systems and processes in place to protect their data.
However, anyone who has taken out home insurance will testify that there’s a big difference in premium between having a simple lock on a door, and having multi-point locks and a burglar alarm. In an age of organised cybercrime, state-sponsored cyber-attacks and advanced cyber-threats, merely having anti-virus software and firewalls is unlikely to be enough. Organisations should therefore consider reinforcing their current defences and adopting a more progressive approach to cybersecurity; in turn encouraging insurers to offer more affordable policies.
Shaping your premium
As when taking out any insurance policy, the first thing organisations will need to do is establish the exact risk they face in order to determine their premium. This is critical for two reasons. First, a more accurate assessment will allow a more accurate, and ideally better-priced, premium. Second, by auditing their defences in this way, organisations will face less risk that their claims will be refused if the worst eventually happens. Much like a driver who states their car is always parked in a locked garage will have a hard time claiming if it’s stolen from the street outside their house, organisations that are found to have over-stated their security capabilities could be in for a nasty shock.
At its most basic, any risk assessment needs to consider the kind of data that is being stored, and what level of security it is defended by. Identifying where the most valuable data resides will help predict where attackers are most likely to strike, and to thereby assess whether current security measures are strong enough. As part of this, organisations should also consider whether appropriate access controls are in place. For example, there’s no need for a receptionist to have access to sensitive financial data, so their privileges should not extend to that information.
Organisations will also need to demonstrate their preparedness in the event of an attack. The faster an organisation can react, and the more it can minimise any potential damage, the lower its premiums will be. For instance, businesses must have the ability to monitor their systems for any suspicious behaviour that indicates data is being accessed or used in ways that it shouldn’t; whether that is by an employee or by an unknown party. This capability can prove particularly useful in identifying potential threats before real damage has been done, safeguarding company data and helping to bring down cyber-insurance premiums by reducing impacts. With attacks showing no signs of slowing down, these processes should be automated as much as possible, otherwise the potential savings will be offset by the fact that security teams are dealing with a blizzard of alarms, both false and all too real.
Given that cyber-risk is increasing continually, those that choose not to insure against it risk leaving themselves, and thereby their customers, vulnerable to potentially catastrophic consequences. Organisations must recognise that an ounce of prevention is always better than a pound of cure, and while an insurance policy provides an indispensable safety net, they must focus on doing all they can to avoid becoming a casualty in the first place.