What is cyber insurance? Everything you need to know about what it covers and how it works

19:57  02 march  2021 Source:   zdnet.com

Cyberattacks of all types are an increasingly large problem for all organisations, and as a result many are turning to cyber insurance as a means of protection against some of the effects of an incident. But what is cyber insurance, how does it work and what are some of the things that your business needs to be considering when deciding on a cyber insurance policy?

What is cyber insurance?

Cyber insurance – also known as cyber-liability insurance – is an insurance policy that helps protect organisations from the fallout from cyberattacks and hacking threats. Having a cyber insurance policy can help minimise business disruption during a cyber incident and its aftermath, as well as potentially covering the financial cost of some elements of dealing with the attack and recovering from it.

"The formal definition of cyber insurance is essentially a contract between an insurer and a company to protect against losses that are related to computer- or network-based incidents," explains Juergen Weiss, head of global financial services research and advisory at tech analyst Gartner.

However, there are things that cyber insurance can't protect against and an organisation will need to make sure it understands what is covered and perhaps more importantly what isn't covered when they sign up to a coverage plan. While having some form of cyber insurance in place can help a business in the event of an attack, a business is also responsible for its own cybersecurity – the responsibility isn't something that is just shifted to the insurer.

"Cyber insurance will not instantly solve all of your cybersecurity issues, and it will not prevent a cyber breach/attack," says the National Cyber Security Centre in its guidance.

Who needs cyber insurance?

Any business with an online component or one that sends or stores electronic data might benefit from cyber insurance, as may any organisation that relies on technology to conduct its operations, which is pretty much every business.

Private personal data such as contact details of customers or staff, intellectual property, or sensitive financial data are all potentially very lucrative to cyber criminals who could attempt to break into the network and steal it.

There's also the potential for hackers to cripple a network with ransomware. A cyber insurance policy that covers ransomware could go a long way to helping organisations that fall victim to attacks like this find a way out of the predicament.

What sort of attacks result in cyber insurance claims?

Cyber insurance claims can be triggered by many sorts of incidents, but right now the most common are ransomware, fund-transfer fraud attacks, and business email compromise scams.

How much does cyber insurance cost?

The cost of a cyber insurance policy will depend on a number of different factors including the size of the business and the annual revenue. Other factors can include the industry the business operates in, the type of data that the business typically deals with, as well as the overall security of the network.

An organisation that is deemed to have poor cybersecurity or has previous history of falling victim to hackers or a data breach would likely get charged more for a cyber insurance policy than one that has a good reputation for keeping itself secure.

Sectors such as health and finance are likely to find that cyber insurance policies cost more due to the sensitive nature of the fields they operate in.

What does cyber insurance cover?

Different policy providers might cover different things, but generally cyber insurance is likely to cover the immediate costs associated with falling victim to a cyberattack.

"Cyber insurance policies are designed to cover the costs of security failures, including data recovery, system forensics, as well as the costs of legal defence and making reparations to customers," says Mark Bagley, VP at cybersecurity company AttackIQ.

Underwriting data recovery and system forensics, for example, would help cover some of the cost of investigating and remediating a cyberattack by employing forensic cybersecurity professionals to aid in finding out what happened – and fix the issue.

This is the sort of standard procedure that follows in the aftermath of a ransomware attack, one of the most damaging and disrupting kinds of incident an organisation can face right now.

It is also the case that some cyber insurance companies cover the cost of actually giving in and paying a ransom – even though that's something that law enforcement and the information security industry don't recommend, as it just encourages cyber criminals to commit more attacks.

"The insurance company looks at what the potential incident response and forensic bill might be and that's going to be bigger in many cases as organisations aren't prepared, so they'd actually rather pay. It's very frustrating," says Theresa Payton, former White House CIO for the George W. Bush administration and founder and CEO of cybersecurity company Fortalice Solutions.

Business email compromise (BEC) phishing scams are another form of cyberattack that can cost a business a large, sometimes six-figure sum of money. These attacks see criminals posing as a CEO, supplier, or other trusted contact and duping people into transferring payments.

As the UK's NCSC points out, some insurance policies will cover money lost in BEC fraud – but it's often part of a specific policy that's directly related to BEC. It therefore may not be covered by standard cybersecurity insurance – and your organisation could be left without any aid if that's the case.

Organisations should, therefore, make sure they know exactly what they're signing up for when choosing a cybersecurity insurance policy – and that it covers the potential damage of the most likely cyberattacks including ransomware, phishing and DDoS attacks.

The NCSC also notes that it's worth checking if your organisation already has cyber insurance in place as part of existing policies, such as business interruption or property insurance. This might provide some level of coverage – or may specifically exclude cyber-related incidents.

What isn't covered by cyber insurance?

There are some things that could be important to organisations that don't tend to be covered by cyber insurance and it's vital to understand what isn't covered, so protecting these assets can be properly managed.

"Cyber insurance is still kind of limited compared to the true amount of risk. So don't think that all forms of cyber risk are covered by insurance," says Jon Bateman, fellow in the Cyber Policy Initiative of the Technology and International Affairs Program at the Carnegie Endowment for International Peace.

The financial damage caused by loss of intellectual property isn't covered by cyber insurance and neither are the reputational costs that can be incurred following a cyberattack.

For example, cyber insurance could pay out for the costs associated with dealing with the direct aftermath of a cyberattack, but in the longer run the company might lose business due to public perception of having poor cybersecurity. A cyber insurance policy won't cover the cost of losing customers due to the bad reputation it picks up as a result of a cyberattack.

Does cyber insurance cover major cybersecurity events?

The summer of 2017 saw two major cyberattacks spread around the world in quick succession, with the WannaCry ransomware attack taking down networks in May, only to be followed by the much more damaging NotPetya attack just weeks later. NotPetya knocked major organisations around the world offline, and is estimated to have cost billions in lost revenue and restoration costs because, in many cases, organisations had to rebuild their networks from scratch.

It sounds like the sort of incident that would result in an insurance company paying out a cyber insurance claim because an organisation was disrupted by an incident that wasn't their fault – especially as NotPetya was so prolific and indiscriminate in its targeting.

However, some insurance providers argued they didn't have to pay out because NotPetya, a malware attack linked to the Russian military, was classed as an "act of war" that nullified the claim. Other insurance providers did pay out claims for damage caused by NotPetya.

It's likely that this is going to continue to be an issue moving forward, especially as the cyber and physical realms become ever more indistinguishable from one another and insurers and their clients might not see eye to eye on what should and shouldn't be covered.

"A major challenge for this market is how to deal with the most extreme forms of risk – major state-sponsored attacks, major catastrophic incidents across a large number of clients. Cyber-physical events that begin in cyberspace but still go out into the world with societal consequences. They're very difficult to model and price. If a major incident was to happen it would overwhelm the capacity of cyber insurance markets," says Bateman.

What do I need to apply for a cyber insurance policy?

Cyber insurance isn't a silver bullet for solving your cybersecurity problems – far from it. In fact, in order to get a good deal for coverage, your business will likely need to prove that it's responsible with cybersecurity in the first place. Insurers won't want to take on a client that looks almost certain to be the victim of a data breach.

Insurers will want to know what cybersecurity your company has in place when you apply for a policy, and you'll be expected to maintain accurate details about your cybersecurity as time moves forward. In many cases, policies are reassessed every 12 months, so even after acquiring cyber insurance, organisations still need to ensure they maintain proper cybersecurity procedures or risk losing the insurance down the line.

It's also important to understand which are the systems and data that are essential to your organisation, and to understand whether the level of cover you have is adequate. That means deciding on a cyber insurance policy is a question that goes beyond IT and is a question for broader executive management, too.

"Unlike incidents such as a fire or theft, cyber incidents are often not restricted to a single location. Understanding how your organisation operates and the interdependencies between different parts is vital to determining the extent of an incident, which may have global implications," says NCSC.

An organisation can't just decide it doesn't want to invest in cybersecurity any longer because it now has a cyber insurance policy.

What is the future of cyber insurance?

As the frequency of cyberattacks continues to increase and cyber criminals get more brazen with campaigns, the way cyber insurance operates is going to evolve. As previously noted, cyber insurance providers are unlikely to want to offer policies to organisations that pay little attention to their cybersecurity.

Paying out an insurance claim is a purely reactive activity and is costly for the insurance provider. That's why some are starting to take a more proactive approach to cybersecurity, not only there to offer a payout if things go wrong, but actively aiding clients to take a better approach to cybersecurity.

"The whole insurance industry is moving away from being a lender of last resort and payouts, to more like a risk advisor and a partner for your business operations. Insurers are now putting black boxes in your car to track driving behaviour – they want to price more accurately and ideally change your behaviour," says Weiss.

"And the same is happening in the cyber insurance space. They want to make sure that you as a corporate adapt to the risk. It's a mix of audit, protection and prevented loss," he adds.
