Short answer, probably. In a guest blog on Virus Bulletin, Sorin Mustaca takes a look at this issue, and unfortunately does not develop a real conclusion to his opening question. Nevertheless, his article is a great read if you are beginning to think about this issue, because it goes into detail about how cyber risks might be assessed by an insurer, and steps the insured business entity can take to mitigate risk, or that the insurer may require to qualify for insurance coverage.
So let’s take a look at what sort of losses your business might incur from a cyber breach.
- Financial losses – threats such as the banking Trojans Zeus or Neverquest can result in the unexpected transfer and loss of cash balances in banking and other accounts.
- Intellectual property – proprietary processes and product designs are among the items that stolen in certain cyber- attacks.
- Customer information – not just credit card data, user names and passwords, but names, addresses, social security numbers, medical insurance numbers, and other PII or personally identifying information may be stolen from online or internal database servers.
- Regulatory fines – certain governmental regulations carry sever penalties and fines. If your business is regulated by PCI-DSS (credit card information), HIPAA, or Sarbanes-Oxley, a breach can result in substantial governmental fines. In the instance of a credit card breach there are governmental fines per lost credit card record up to a maximum of $2.5 million dollars, which can be doubled for willful negligence. The Payment Card Industry also may levy fines of $500,000 per incident on a business that sustains a breach.
- Reputation – a company that sustains a breach will suffer damage to their reputation, even if they report quickly and provide free resources to customers whose information had been lost. Take a look at the total cost of the recent loss at Target, which is north of $100 million dollars at this point, only some of which was covered by insurance. So I guess Target carries cyber insurance, what does that tell you?
The list of step you should take are quite worthwhile to any organization. If you are looking into a serious commitment to improving your cybersecurity, this list is a great beginning point. If you think you are “fine” or “too small to be a target” (pun intended) this list should be your wakeup call. Here is the minimum standards you should be employing, according to the article:
- Hardening systems, including software patching and updating
- Installation and running of security systems on all devices (client and servers, including gateways)
- Having security policies in place (certain password strength, password expiration, blocked USB ports, etc.)
- Constant use of a vulnerability scanner
- Network and/or host intrusion prevention systems
- Backup and contingency plans in place
- Existence of a product and/or computer incident response team, depending on the company being insured
- Continuous monitoring of exposed services against suspicious usage (possibly with an application firewall)
To answer the question again, cyber-insurance is just as important to most businesses as the typical types of liability insurance that you carry for other losses. This is a conversation you should have with your current insurance carrier, and if they can’t help, maybe it is time to look for another. This is also a good time to find and start a working relationship with a cybersecurity professional who can assist you, and your current IT staff or outsource company, to improve the security on your company’s computer network.Share
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com