By Tony Campbell, Editor, ChiefIT.me Magazine
One of the latest trends in the information security marketplace is cyber insurance. Numerous companies now offer policies and cover for a variety of cyber incidents, especially for managing the fallout from data breaches and any legal costs or fines that may follow once a breach goes public. But the reality of what cyber insurance can do for us is limited by what the insurer knows about the risk, which is why it's only possible to get cover for tangible costs rather than intangibles.
What's Important to Your Business?
Customer data and credit card data breaches are in the headlines every week, so the layman should be forgiven for forgetting that cybercrime is far more multifaceted. In the middle of December, the German steel conglomerate ThyssenKrupp AG provided a stark reminder that much more is at stake than PII, CVVs and the clean-up after a cyber incident.
ThyssenKrupp, worth around $14 billion (USD), disclosed that it had "become the target of a massive cyber attack" in April 2016. When its internal computer emergency response team (CERT) discovered intruders on the network, the evidence suggested the unknown threat actors had been pilfering intellectual property (IP) from its systems for at least two months. ThyssenKrupp's announcement suggested the attackers originated from somewhere in southeast Asia and that the stolen IP belonged to several of its global businesses.
Identifying and Managing Cyber Risk
It pays to remember that cybersecurity teams must have the people, processes and technology to tackle cybercrime across every aspect of the risk profile. Each of the top-level risk categories needs to be assessed, considered and managed to make sure that you have protected what is most important to your organisation. Risks fall into several top-level categories, such as the loss of trade secrets (IP), financial loss, loss of reputation or credibility, and loss of life. Clearly, the individual risks within each of these categories will depend on the means of the attackers, coupled with their motivation and intent.
When you develop your risk treatment plan, you'll pick the best options to mitigate those risks, hopefully reducing them to an acceptable level where the board is satisfied that enough has been done. Options in a risk treatment plan are typically categorised as follows: accept the risk; reduce it using countermeasures that affect its likelihood or consequence; avoid it altogether; or transfer it to a third party, such as a partner or a cyber insurance company. To reduce risk, you'll consider technical controls such as firewalls, IPSs, endpoint security systems and protective monitoring, so that your security operations centre can investigate suspicious behaviour. Furthermore, when looking at other risks, such as the threat of malicious insiders, you might introduce procedural countermeasures, such as a two-person rule for accessing sensitive systems or facilities and mandatory leave for sensitive roles, such as highly privileged systems administration staff.
Where Does Cyber Insurance Fit into the Puzzle?
Is cyber insurance a legitimate option for transferring risk that we should be recommending to our executives? If it's used wisely, and not purchased to avoid doing the complex work of managing an information security programme, then it certainly has a part to play. For context, the global cyber insurance market is forecast to reach $14 billion (USD) by 2022, according to Allied Market Research, so it's clearly getting legs on the international stage. Pay-outs from cyber insurers help cover clean-up costs after a breach, including investigation costs, legal costs and even the cost of rebuilding your reputation, perhaps by paying for a PR company's time or for privacy protection services for your customers. Nevertheless, in ThyssenKrupp's case, the impact of the loss of IP and trade secrets isn't easily quantified, so it's very hard to insure against this kind of attack. Cyber insurance will help the company offset the costs of the breach investigation and recoup the costs of network and system downtime, or those relating to interruption of normal business. However, cyber insurance is a nascent product whose risk underwriters still haven't quite figured out how to quantify. There isn't much historical data that can be used to profile threats and likely attack scenarios, especially given that most companies don't report cybercrime, and even those that do tend not to report the full impact of the breach.
Even with all the right security controls in place, once you're a target, all bets are off. ThyssenKrupp has highlighted that the scale of modern hacking is way off the charts and that no matter how big and well-funded your security team is, you're fighting an unwinnable battle: at some point in the not-too-distant future, you'll be hacked. And potentially, the only thing standing between the end of your company and surviving the attack is an insurance policy.