[s2If current_user_can(access_s2member_level1)]
A number of businesses have taken out cyber liability insurance to counter the risk and potential losses arising from cyber crime or cyber fraud. Apart from providing some financial protection against potential losses, such policies bring with them fairly demanding IT disciplines that must be maintained for the policy terms to be complied with.
Is cyber insurance then worthwhile or not?
To assess this you need a very clear understanding of what is covered by the policy, the types and extent of losses you could possibly suffer, and what is likely to be required of you to comply with the terms of the policy so that any claim is not repudiated. The level of the excess (self-insured portion), any sub-limits and the monthly premiums need to be evaluated against the potential financial loss arising from any claim; in other words, what would it cost the business if a policy were not purchased?
The potential areas of cyber loss in each business need to be assessed. These can range from data theft, loss of data, reputational damage and remedial action, website hacking or hijacking, ransom and extortion threats, theft of monies, and systems rendered unavailable with a resulting inability to deliver services (deliberate denial of service, or DDoS attacks). It also needs to be borne in mind that over 90% of all cybercrime emanates from e-mails.
Let us look at a simple example: the theft of confidential customer data from a small tax and accounting practice whose annual billings are $100k. The theft is followed by a ransom demand for $10,000. The monthly premium is $1200 with a claim limit of $1 million.
We assume that the cover includes extortion. In isolation, this incident does not warrant the cover or the annual insurance cost (twelve months at $1200 comes to $14,400, more than the $10,000 demand, before any excess is applied); however, it cannot be assumed that the business will not suffer further cyber losses with higher financial implications. The example also does not factor in the time and cost to a small organisation of implementing the IT disciplines and controls required for compliance with the policy conditions, or its ability to remain compliant with them.
In most cases, the minimum requirements that will have to be met, implemented and maintained to obtain cyber insurance cover are:
- The presence of a “designated” security officer
- Written and documented IT policies and procedures
- The presence of firewalls to restrict access to digitally stored sensitive information
- The use of anti-virus and/or anti-malware software on all desktops, laptops, tablets and sensitive systems
- The application of the latest security-related patches and updates to all devices and sensitive systems
- The application of “strong” passwords on all sensitive systems
- The presence of regular data back-up procedures
- A documented disaster recovery and business continuity plan
Conclusion
For many organisations or businesses, many of these disciplines should in any event be part and parcel of good IT governance. Cyber liability insurance is an obvious mitigant of cyber risk, but whether a business or organisation holds the required level and extent of cover should be secondary to instilling a culture that endorses security and cyber awareness. Potential losses from cybercrime can be significant and in some situations potentially unquantifiable. Each business or organisation has to assess its ability to comply with the policy conditions. You also need to assess the likelihood, impact and size of the potential cyber losses you could suffer, as well as the likely level of ransom demands should these materialise. These then need to be weighed against the overall cost of cover and the excesses that may apply, and a decision made accordingly.
[/s2If]