Symantec : What Every CISO Needs to Know About Cyber Insurance by Samir_Kapuria
More than a century ago, a group of merchants formalized the concept of general average, under which all parties in a maritime venture share in losses resulting from a sacrifice of cargo in an emergency. What this group fashioned in 1890 was a method for merchants to insure their shipped goods. Upon landing, merchants whose cargo arrived safely were expected to contribute a portion of its value to merchants whose goods had been sacrificed at sea. With this, an early form of insurance was born.
If we look at cybersecurity today, our information can just as easily be lost in the digital ocean we call the World Wide Web. From a threat lens, the volume of attacks continues to rise as adversaries become more determined, persistent, and hostile. Attackers will continue to:
- Move faster and more efficiently,
- Breach organizations with targeted campaigns,
- Focus on consumers across social media, mobile, and connected platforms, and
- Aim to take advantage of the emerging Internet of Things.
The impact of a cyber attack on an organization's brand, reputation, and business operations can be catastrophic. Organizations therefore need to plan proactively but also prepare for the reactive, which includes insuring the goods, intellectual property (IP), and commerce that are the assets sailing across the digital landscape. Enter cyber insurance.
What’s driving the need for cyber insurance?
Data breaches cause reputational harm and business interruptions, but most of all, they are expensive. The average cost of a U.S. data breach is $5.85 million, according to a 2014 Ponemon Institute report. Relying on IT defenses alone can create a false sense of security, because no organization is immune from risk. Many organizations are now turning to cyber insurance as another layer of protection.
Two key factors are driving the rapid adoption of cyber insurance: new regulations that obligate companies to respond to information breaches, and the growing use of stolen information by cyber criminals for payment fraud, identity theft, and other crimes.
What does cyber insurance cover?
Cyber insurance is evolving as fast as technology. What is considered core coverage today was not available as little as three years ago, and enhancements to coverage are negotiated in the marketplace every day. The main coverage components to familiarize yourself with are:
- Liability - Defense and indemnity for alleged liability due to a cyber or privacy incident
- Event Response - Coverage for investigating and mitigating a cyber or privacy incident
- Business Interruption - Coverage for business interruption due to a cyber incident
- Cyber Extortion - Coverage for the response to threats to harm a network or release confidential information
Although liability is the most commonly purchased cyber insurance coverage, the majority of purchasers also buy coverage for investigating an incident and for responding to extortion demands.
How much coverage is appropriate?
There is no simple answer to how much cyber insurance a company should carry, but several factors serve as key inputs to the decision:
- Size of the insured organization
- Amount of sensitive data stored
- Degree of potential reputational risk
- Organizational resiliency
- Threat vectors
Today's reality is that data breaches will happen. Cyber insurance gives organizations a way to limit their exposure, but companies should weigh all coverage options carefully. It is not about checking off a box; it is about finding a policy that protects the organization's brand, reputation, and operations when it is faced with a breach. Cyber risk is now a business issue and is here to stay, and Symantec is here to help you lessen that risk for yourself and your organization.
Download the white paper “What Every CISO Needs to Know About Cyber Insurance”, a collection of essays from industry experts in the cyber insurance space.