Who will pay for your cyber liabilities?
Can you ever be fully insulated from cyber-attacks even though you have -
The truth is that no one is immune! The pace at which technology reinvents itself makes it a bit harder for security to keep up. Besides, failure to upgrade technology and *residual risks act as a ticking time bomb.
While technical vulnerabilities are the biggest contributor to cyberattacks, of late, attacks are moving towards the exploitation of human vulnerabilities. And why not? Penetrating technology demands skills, time, and money, whereas the exploitation of humans is a relatively cheaper endeavor, as our curiosity, helpfulness, biases, and greed make us an easier target than technology. Consequently, *phishing emails alone cause multi-million-dollar losses with less effort.
So what is the way out?
I believe transferring some of those risks with an adequate cyber insurance policy is the answer to the question. Remember, cyber insurance is not a frequency-based product that you want to use for smaller issues. It is a crisis product that should be designed and used when the usual measures don't work out.
So how does it work?
The first step in the cyber insurance scheme of things is to conduct a risk assessment to identify what is valuable and arrive objectively at the limit of liability and scope of cover.
Typically, a good policy should have at least the following terms but you can further tweak it to suit your risk exposure:
Once you've brainstormed over the scope, work on arriving at the limit of liabilities (the dollar value you want the insurer to cover you with). In some cases you want full coverage, such as for forensic investigations, while in others you can limit it to a certain percentage of overall liability, for example, 80% of the total liability for fund transfer fraud.
Now that you’ve worked on the essential pieces of insurance cover, you need to find the best insurer who is viable and can pay as promised on paper. Please keep in mind that the cyber insurance market is niche and only a few good players are offering comprehensive cover at a reasonable cost. So, it is important for you to better understand the insurer’s capability. Here are a few things that you might want to check before signing with them:
So businesses that process, store, or share customer data, or any organization that can't withstand the liabilities of cyber-attacks or data breaches, should evaluate cyber insurance as an instrument to offset costs resulting from hefty fines, expenses, and claims.
Reference:
********************************************************************************
Re-Insurance: In simple words, it is insurance for the insurers
Phishing: Type of social engineering attack that tricks the users into divulging confidential information
Residual Risk: It is a risk that remains after you have applied controls to the applicable threats
Red & Blue Teaming: Red teaming is a process to detect/penetrate system vulnerabilities by adopting an attacker-like approach, and Blue teaming is to defend them from exploitation
Information Security Engineer at Cisco
5 years ago: Excellent. Very informative article Pushkal.
Senior Content Specialist l Digital Content Creator l Communications Specialist l
5 years ago: Very Informative!
Cyber security Lead
5 years ago: Great article sir.
Chief Financial Officer, Prudential Cambodia Laos Myanmar Hub
6 years ago: Well said Pushkal