Starting the Cyberinsurance Conversation
Nov 2, 2013 5:00 AM PT
"In this world nothing can be said to be certain, except death and taxes," wrote Benjamin Franklin in a letter to Jean-Baptiste Leroy in 1789.
You have to wonder if Old Ben wouldn't add cyberattacks to that list were he alive today. We live in a world in which hundreds of thousands of new threats are created every day. Nary a day goes by without a new piece of malware or other threat finding its way into a network. These threats are increasing not only in number, but also in complexity and seriousness.
Make no mistake: A cyberattack against your company is going to happen, if it hasn't already. It's really not a question of if, but when -- and of how prepared you are for it.
While there are plenty of sophisticated -- and good -- security solutions in the market to identify, analyze and remediate threats, there are additional means of protection to consider. For one, insurance companies have developed whole portfolios of policies to help protect a company from what could be a crippling financial loss related to a data breach, malware infection or other sophisticated cyberattack. This coverage can be effective protection to offset any fines, lawsuits or other damage, including lost revenue, that a significant breach or threat might inflict upon the business.
While the concept of cyberinsurance is a relatively new one, it is a burgeoning market due to the increasing level of threats against enterprises. Cyberinsurance is estimated to be a US$1 billion market now.
It's also a very fluid market. In some cases, insurance companies might need an organization to do no more than meet certain minimum federal or industry compliance standards in order to qualify for a policy. In other cases, insurance providers might want a detailed analysis of a company's cyberinfrastructure to assess its cyber-risk and level of preparedness.
Regardless of how the policy is structured, the key to any strong security practice always comes back to risk management. An enterprise should possess the ability to identify and deal with risk in its environment, whether it's cybersecurity, physical security or a security risk completely unrelated to cyberthreats.
Businesses rely on investors, suppliers, partners, customers and employees, and they in turn count on the companies they're associated with staying fully protected.
Still, malware creators work 24x7 to find weak points in organizations' systems. If they can't find a hole in a network, they'll try to find a back door. Even if a company is bulletproof, there's a good chance one of its suppliers, partners, employees or customers is not. That's what the bad guys look for, and they won't stop until they find it.
A company's security is only as strong as the security of the companies and subcontractors that connect electronically with it. As difficult as it may be to prevent intruders from getting in, it's even harder to get them out.
What's a CISO to Do?
Long gone are the days when threats were limited mostly to small groups of cyberpunks looking to break in and say, "Haha, look what we did." Now it's about real crime and significant damages. Today's cyberattackers are syndicates, cartels and groups sponsored by state governments looking to exploit whole industries or take down a specific company's cyberinfrastructure.
Cyberattacks can't be swept under the rug. Congress is putting more pressure on organizations, especially public companies, to be more forthcoming regarding data breaches. If you have a breach now, you have to make it public, and the resulting fallout can inflict serious damage to your reputation resulting in lost business.
Many boards of directors view the chief information security officer as solely responsible for ensuring that the business is protected against attacks. As a result, too many CISOs work in their own silos and are reluctant to seek help from other parts of the business. According to research firm Gartner, they don't include those other parts of the business in planning and executing a comprehensive cyberdefense strategy -- one that encompasses technology, human resources, cyberinsurance, policies and practices, risk management and more -- so the strategy fails to align with and enable broader business objectives.
That's a problem. CISOs need to be proactive in communicating and developing cybersecurity strategies with all department and company heads. After all, a data breach isn't just a security problem -- it's a business problem.
With that in mind, consider cyberinsurance as a means of starting big-picture conversations about security across the enterprise. Any insurance discussion likely requires input from legal, finance and other departments, providing the opportunity to educate company leaders on the importance of a well-protected infrastructure for all parts of the business.
These conversations can serve as an opportunity for the CISO to become more strategic in operations. Cybersecurity shouldn't be another issue to comply with or another check to write. It's a business issue that must be addressed, and it requires the expertise that only a good CISO can bring to the table.
A complete cybersecurity protection plan should be a multipronged approach that includes the software and tools necessary to identify and analyze suspicious samples, along with well-trained resources to help remediate threats.
Advanced malware analysis tools and a well-trained incident response team give you the ability to prepare for a cyberattack: to know which steps are necessary, which decisions need to be made, and who needs to make them. Add a cyberinsurance policy, and you'll be helping to ensure that your company can withstand the most dangerous threats.
Now if only we could do something about death and taxes.