SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Cyber insurance: Is it enough? Manage risk, review current platforms & Ensure Availability
Thu, 7th Dec 2017
FYI, this story is more than a year old

In today's world where high profile cyber attacks and security breaches are regular news, would it surprise you to know that cyber insurance and what is in place around managing such risks, isn't very good?

A few months back, I spoke on Availability and the risk managed approach. Businesses were putting this approach in place around business interruption insurance to minimise the impact of natural disasters and their revenue impact due to downtime.

Natural disasters are often uncontrollable events and it's all about mitigating risk against their impact. When it comes to security breaches, 55% of all breaches resulting in an impact are from ransomware.

Ransomware makes up 55% of the total attack vector costing organisations between $100,001 and $500,000 per incident*. So, how can organisations insure themselves against this sort of impact and loss? "...Please enter the room, cyber insurance...”!

At Veeam, I am seeing the same logic being applied across our entire customer base when it comes to managing availability of system and service risk due to security breaches.

Cyber insurance can be a ‘hit and miss' proposition, hoping your business is covered because of the complexities and pathways involved in security incidents and how an insurer might assess fault.

Fearing coverage is too full of traps for the unwary, a lot of companies have put the issue in the too-hard basket. By this time last year, less than a third of American businesses had cyber insurance at all according to the Council of Insurance Agents and Brokers.

We don't need reminding that cybercrime and security incidents are real, impactful and expensive, thus providing the insurance industry an incentive to transfer a lot of the risk away and help protect their customers against cyber disasters to cover their own financial risk around loss claims and their likelihood.

Partnership between insurers and customers are needed, to further educate on the risk, likelihood, consequence and impact of cyber crime. Such partnerships are likely to only strengthen when there is joint financial stake.

The addressable market globally for cyber insurance is there with 80 percent of US insurers seeing it as a growth area. According to PWC, it's is going to be worth US$7.5bn by 2020.

Minimising cost, risk and impact: Finding our feet

So why the stalling from both directions? Part of the problem is that cyber insurance is a new and fairly untested business tool. The kind of property and assets insurance you already have doesn't necessarily address cybercrime or revenue loss from system failure or compromise.

We might find ourselves mired in a period of messy legal wrangling before things settle down, the insurance industry deflecting cyber claims while their customers contend they should have been covered for them.

Another reason is that many people in other departments and the C-suite consider this whole area to be IT's problem. Hammering out the best coverage (and what you're actually covered for) should be a multidisciplinary approach with IT, operations, legal and the insurer all taking part.

Also critical once you have the right cover in place is to test it, just like you would your servers and backups. During regular DR or breach exercises, make your insurer part of the formal process – doing so will reveal just how effective your cover is under real world conditions.

And as I've mentioned more than once, it's about more than just ransomware attacks. It is about all top attack vectors that have the ability to interrupt availability of your systems and services.

What about if a data restore fails after a breach or you suffer a data loss from a system failure? Are you insured for the financial fallout? Under some circumstances, local regulations might even compel you to backup offsite or in the cloud and insurance cover might start to reflect that as the industry matures.

A good insurer will bring their own experience to the table, so use it to draw up, install and formalise the best data availability protection plan. Not only will it let you sleep at night, a rock solid and quantitative data availability plan will reduce your premium!

Malware, natural disasters and simple human error aren't going anywhere, and it's going to become more important to insure against them in the future – historical Business/Service continuity and Disaster Recovery plans will not cut it in a more software defined data center and/or set of hybrid cloud services.  Your competitors will be ahead of you, and your customers will want to know why before they ultimately switch their consumption of products and services business.

The only requirement here is to review your current tools, technologies and platforms that are currently underpinning your applications, services, workloads and data. Are they capable in providing simple, consistent and elastic management across a hybrid cloud environment? Are they software defined? Do they provide both flexibility and integration across an interconnected ecosystem?

My recommendation is to go to the market and seek to understand who is leading, driving and delivering the most innovative and differentiating Availability Platforms for Hybrid Cloud environments.

Discover who more than 75% of the fortune 500 use as part of their key components to deliver Hybrid Cloud Availability of their virtualised applications, services, data and resources.

Understand those who are working and delivering exceptional customer experience across ALL market segments to implement data availability plans that will not only demystify cyber insurance but also manage your availability risk during impactful incidents and help you usher in a new security age where you're more protected against threats than ever.

* SANS Institute InfoSec Reading Room: “From the Trenches: SANS 2016 Survey on Security and Risk in the Financial Sector

Article by Nathan Steiner, head of Systems Engineering, ANZ at Veeam Software.