Policies Offer Incentives for Good Information Security Practices
Apple and Cisco say they’ve partnered with insurers Aon and Allianz to offer cyber insurance policies for organizations that meet best security practices and use products from the technology companies.
The “enhanced” policies may feature lower or no deductible as an incentive. The policies may cover data breach response, a potentially expensive undertaking that can involve forensic investigators, public outreach, managing inquiries from regulators and lawsuits.
“Those create hard costs,” says Emy Donavan, head of cyber at Allianz, in a video on Cisco’s website. “Most companies don’t have the balance sheet ability to respond to these hard costs that are incurred when companies have cyber incidents.”
Cyber insurance has been around since the late 1990s, but only recently became a billion-dollar product for insurers. Aon estimates that cyber insurance policies accounted for $1.7 billion in annual gross written premiums in 2015. For the four years prior, cyber insurance premiums grew at a rate of 30 percent a year.
Online Cyber Evaluations
As data breaches have become more prevalent, there’s increasing pressure on companies and organizations to ensure their data is secure. Countries around the world continue to create or strengthen data breach notification laws, which can carry fines.
The European Union’s General Data Protection Regulation will be enforced starting May 25. Fines for noncompliance can reach a maximum $24 million or four percent of annual global sales revenue, whichever is greater (see Six Months to Go: Getting Ready for GDPR).
While the United States does not have a federal data breach notification requirement, 48 states have laws on the books, as do the District of Columbia, Guam, Puerto Rico and the Virgin Islands, according to the National Conference of State Legislatures.
As with other types of insurance, insurers want to reduce their clients' risk as much as possible. So insurers offering cyber policies often work with clients to ensure their infrastructure is as secure as possible as a prerequisite for a policy.
Still, there are many risks. It’s nearly impossible to predict when, say, a zero-day vulnerability will become public. As software vendors scramble to engineer a patch, organizations are vulnerable.
Prior to coverage, organizations undertake a cyber resilience evaluation, which Aon's Chief Security Officer Anthony Belfiore describes as an online, quick-hit portal that gauges cybersecurity posture. The resulting report is passed to Apple and Cisco, which can then recommend steps to reduce risk.
The “enhanced” cybersecurity policies offered following the evaluation could then have either a lowered or waived deductible, cover damaged hardware or allow clients to claim the cost of IT products against the deductible when making a claim. The policies may also cover business income loss, Donavan says.
The policies will also provide assistance post-incident.
“You also have one of the best incident response teams – or multiple of the best incident response teams in the business – coming in to help you mop up and fix everything,” Donavan says.
The risks to organizations come from many angles: ransomware, cyber extortion and data thieves. Reported data breaches in the U.S. reached an all-time high in 2017, according to the Identity Theft Resource Center, a non-profit that aids ID theft victims (see US Data Breaches Hit All-Time High).
Recovering from ransomware has proven expensive. In June 2017, a ransomware strain nicknamed NotPetya first infected government agencies and businesses in Ukraine. It then spread to 60 other countries (see Latest Ransomware Wave Never Intended to Make Money).
NotPetya turned out to be something of a ruse. While it did encrypt files on a computer, whoever created it didn't put much effort into making money from it: the payment mechanism and decryption process were flawed. Experts contend it was designed simply to wreck computers.
And that it did. The world’s biggest shipping company, Maersk, estimated that repairing the damage from NotPetya would cost as much as $300 million. TNT, a subsidiary of FedEx, said the same ransomware would cost at least $300 million (see Maersk Previews NotPetya Impact: Up to $300 Million).
FireEye has said organizations have paid six-figure ransoms when faced with blackmail. Attackers have been known to steal sensitive company data and then threaten to release it unless a ransom is paid.
Some cyber insurance policies will cover extortion attempts. Although law enforcement advises against paying extortionists or ransoms, some businesses have viewed paying as the easiest way to avoid an embarrassing situation or to recover more quickly.