Some two years ago, Salesforce Vice President, Peter Coffee, discussed the possibility of the world’s insurance businesses providing insurance policies against failures in operational continuity and security services for a growing number of cloud services, and Salesforce in particular, because of the ever-increasing capabilities of both disaster recovery and security technology.
Now AIG has begun offering a new form of insurance to protect against damage to property caused by cybercrime, which is at least a step along the path suggested by Coffee. But this has raised obvious questions, which the Institute of Risk Management has now addressed in a new guide on the subject, Cyber Risk Resource for Practitioners. The IRM finds that while insurance offers some level of protection against cyber-attack, it should be not be used at the expense of sound risk management planning.
The guide has been published at a time when concerns about the level of malicious attacks are rising. At the recent Infosecurity Europe conference in London, Troels Oerting, head of the European Cybercrime Centre and Assistant Director at law enforcement agency Europol, issued a stark warning saying that some current cyber activity is state-sponsored and often looks `warlike’.
"What we are looking at is state-sponsored activity and it is no secret that we have state-sponsored activities…aimed at starting warlike activity," he said.
During a recent talk highlighting global criminal trends, David Thomas, Deputy Assistant Director, FBI Cyberdivision, told the BCS-sponsored World Wide Web Conference in Edinburgh that cybercrime had become so endemic that head of the FBI, Robert Mueller, regarded the Cyberdivision as next only to terrorism and foreign intelligence operations in importance.
Though the breaking news of the Heartbleed vulnerability is now over a month old, this doesn’t mean that this `bug’ has been eradicated. The Huffington Post reports there still remain about 318,000 servers that are vulnerable to this OpenSSL bug, according to security researchers, though this figure is about half of what it was a month ago. Fraudsters can use this bug to attack those 318,000 systems which leaves private data like credit card numbers and passwords prone to being stolen.
AIGannounced last month that it is offering a new type of insurance policy to compensate companies for cyber-attacks that damage property and even harm people in response to rapidly evolving cyber security threats.
The new policy is the first of its kind from a major insurer and marks an expansion of the nascent cyber insurance market beyond corporate losses arising from data breaches. Property loss caused by cyber-attack has not always been covered by traditional property related insurance policies.
The new policy coincides with warnings about the vulnerability to cyber-attacks of new types of products. The rise of the Internet of Things means that a host of devices connected to the internetare now exposed to new types of risk.
As the IRM guide points out, many of the risks of a security breach can be covered by insurance and this will form an important part of any cyber risk control programme. They can, for example, cover forensics investigations to determine the severity and scope of a breach, notifying individuals that they have been affected by a breach, operating a specialist call centre to deal with enquiries from those affected, providing free credit and identity monitoring to reassure those affected, hiring a PR firm to provide specialist advice, and legal defence costs, settlements and indemnity payments.
Technical Director at the IRM, Carolyn Williams, says that while insurance is important, it doesn’t cover everything.
“When a cyber-attack happens, organisations incur significant losses to core business areas such as reputational damage, loss of customers, stock devaluation and the cost of corrective measures. None of this will be covered by insurance.
“Cyber insurance should never be mistaken for a coherent risk management strategy, it is just one part of comprehensive risk planning. When putting cyber protection controls in place, in many cases it is cultural and behavioural issues within an organisation that need to be understood, addressed and invested in, in addition to technical security measures. A coherent and business wide risk-assessment programme to understand and minimise the risks before a breach occurs is required to address the iceberg impact of a cyber-loss.”
Specialist Member of the IRM and lead author of the guide, Alastair Allison, Chief Risk Officer at Zurich Insurance Group, says the insurance market is aware of the risks surrounding cybercrime and that the maturity of insurance products will continue to evolve.
“Developing a generic cyber insurance product is very difficult because each and every company will have different cyber coverage needs but it remains an essential part of the risk mitigation strategy,” he said. “I have no doubt we will continue to see developments in cyber insurance services and products on offer but as with all insurances, companies need to assess the risk to help determine coverage requirements.
“Companies and risk managers wanting to beef up their protection against cyber threats should look at the various cyber risk scenarios that could affect them and start discussing insurance coverage based on their needs. Damage liability resulting from viruses should be part of that discussion. It’s worth keeping in mind that there are practical and simple measures to take which reduce threats and thereby reduce the potential of making a claim on any policy.”