Cyber Insurance – Balance Sheet Protection

“It will never happen to us” – this is typically the response of many IT security managers when the subject of Cyber Insurance is raised. However, we regularly see companies suffer both data privacy breaches and system failures, which result in tarnished reputations and unexpected costs that hit the corporate balance sheet.

When high profile system breaches or system failures occur, it is not just the organisation’s reputation in question. For IT departments that often walk a tightrope between managing business expectations and supporting the day-to-day operations within budget, a system failure or breach can cost dearly.

 

The Costs of Incidents

Data privacy alone has gained attention at the highest level among worldwide regulators, industry associations and the boards of global organisations. The 2008 UK Information Security Breaches Survey stated that for a large company (defined as greater than 500 employees) the average cost of the most serious incidents was between $1.5m and $3m. Such costs can have a substantial impact on a company’s IT budget and balance sheet unless proper protection is in place.

 

Benefits and Scope of Cyber Insurance

Even the most robust IT/DR security is never failsafe. That’s why many security vendors have gone on record stating that companies should not rely on technology products alone. Coupled with the threats of operational error and administrative mistakes, Cyber Insurance can be the ideal vehicle to transfer residual risk.

Cyber Insurance generally covers incidents including, but not limited to:

·    Malicious employees;

·    Hacking;

·    Malicious code;

·    Cyber extortion;

·    Denial of service;

·    Operational errors;

·    Cyber terrorism;

·    E-fraud.

The key benefits of Cyber Insurance include coverage for costs ranging from the IT department’s internal investigation of an incident and steps to rectify the situation to lost income and wage roll. Cyber Insurance policies also typically include coverage for reputation rehabilitation expenses, such as compensation to customers affected by the incident as well as payment for specialist crisis management consultants to assist in re-establishing the company’s brand.

Customer notification and credit monitoring costs may also be included whereby credit monitoring agencies are engaged to write to the customer and provide them with 12 months of credit monitoring surveillance.

To obtain coverage, speak with your insurance broker, who should be able to advise you on the types of policy cover available and on coverage bespoke to your concerns. The cyber insurance market has opened up over the past few years, and premiums have reduced as more insurers have built up a loss history.

 

Conclusion

The world’s economy relies heavily on networked computer systems for commerce, communications, energy and transportation distribution and a host of other critical activities.

 

System failures or breaches, no matter what the cause, are part and parcel of business life. IT/security managers should seek out advice on Cyber Insurance not only to help protect against reputational risk, but also to protect the IT budget from these unforeseen incidents. Managers should not dismiss the prospect of buying Cyber Insurance as a failure in their own abilities to defend their network. Companies take similar precautions in other areas, such as installing smoke detectors and sprinklers within their buildings and making sure they buy property coverage on an annual basis.

 

Cyber attacks will continue, but with proven risk management and risk transfer mechanisms, there is less and less reason why these incidents should jeopardize corporate IT management and the bottom line.

 

The author

Shaun Cooper is a member of the British Computer Society’s Security Forum.

shaun612@hotmail.com
