Gone are the days when you would get a poorly drafted email from a helpless widow asking for a favor in return for all her property or millions of dollars. Email phishing has become far more sophisticated and attackers know their craft today, and the landscape of cyber attacks has evolved with them.
Does the Marriott chain data breach ring a bell?
The hotel chain suffered a loss of $350 million for the 50 million users whose data was breached. Thankfully the chain had cyber insurance, but the true cost of the losses incurred cannot always be counted in dollars and cents.
What’s the gravity of this kind of breach?
Malcolm Harkins, Chief Security and Trust Officer at Cylance explains that such breaches impact the company’s reputation and their ability to stay in business. “In reality, the risk is of those customers’ social security numbers, or their PII data being out there, and the ramifications of that on the external world.”
A recent poll on Pulse showed that 26% of IT executives find cybersecurity to be the most important investment in 2019, outdoing even AI/ML, cloud, and a focus on enterprise applications.
While phishing in 2019 is still considered the top vector for cyber attacks, 62% of Pulse users believe that “Exploit of API Vulnerabilities” will be the biggest threat in the coming five years.
Given that risk appetite, the question becomes how to mitigate these risks.
Is there value in cyber insurance or not?
When threat actors get into your system, it’s not a pretty picture at all. If you hold any personal or sensitive customer information, your first instinct may be to insure it, despite the minimal coverage. But all insurance does is mitigate the financial risk, not the risk of losing the data. Therefore, one needs to take security measures alongside buying insurance.
Clifton Persaud, Assistant Director of IT Audits at the U.S. House of Representatives, recounts the measures and makes the case for cyber insurance. “Cyber insurance is a good thing to have but could be very expensive. The network should be properly segregated when designed. Some protections to take are educating your users with security awareness training and not opening emails from people they don’t know. This is hard to do, depending on your business. But, most importantly, do not click on the links in emails they don’t know. A process should be in place to keep systems current, like security updates and patches. Monitor users and service accounts. You can also hash the system’s files and you can detect any changes with proper monitoring tools. Security today costs a lot of money, but you have to get the appropriate skills on the job.”
On the other hand, we must consider that cybersecurity is a relatively new field. Threat actors are evolving, and insurance companies do not have enough data to back, or even build, suitable models for companies susceptible to cyber attacks. If multiple companies were hit simultaneously, insurance companies would be flagged.
When asked about his thoughts on cyber insurance and if people should get it, Malcolm Harkins of Cylance says, “The cyber insurance marketplace is like the wild, wild west. I don’t know of anybody who’s ever gotten a payout from their cyber insurance policies. We try and equate it to homeowner’s insurance, or earthquake, or business interruption, or something like that, where it’s really black or white. ‘Did the building collapse?’ ‘Yes.’ ‘Okay, great. We’ll cover 75% of the reconstruction of a new one.’ But, you can’t equate them to cyber. In the cyberspace, apply a cyber policy to auto insurance. They would go, ‘Well, your tire pressure wasn’t exactly at 32 psi, well, that’s one check off the box. You actually had a little bit of fray on the timing belt, that’s another check off of the box. You had your radio on, which is distracting driving, so that’s a check off of the box.’ And then they whittle away, and basically say, ‘You’re completely at fault. We’re not covering anything, because, guess what? We wrote the policy such that if any one of these things, or the combination of them, you were not on top of every aspect of it, it’s not our fault.’”
While the financial losses from a breach can be significant, the reputational costs are much larger. So whether one buys cyber insurance for financial security or for the peace of mind that the company is secure if attacked tomorrow, cyber insurance is still the number one choice of the top IT executives in the industry.