Conventional insurance may not cover cyber security breaches: Centre for Internet Safety

Companies concerned about their exposure to cyber-security intrusions need to look beyond conventional insurance policies to ensure they are protected against the additional threats of online business, a new report from the Centre for Internet Safety (CIS) has warned.

Noting growing community concern over the privacy risks posed by increasingly online business services, the University of Canberra-based think tank warned in the report that many organisations are unprepared to manage risk from a variety of factors beyond simple cyber-attacks – negligence and human factors accounted for 35 per cent of data breaches in one recent Ponemon Institute-Symantec study, while 29 per cent were due to system glitches and the remainder due to the stereotypical malicious attack.

Although the extent of the financial risk from such attacks varies depending on the type of organisation and nature of the attack, the study warned that the preponderance of attacks on small businesses – the 2012 Data Breach Investigations Report found 570 of 855 recorded attacks were targeted at businesses with 11 to 100 employees – was indicative of a culture in which the companies least likely to have specific cyber-insurance were at most risk of needing it.

"Traditional business insurance policies have tended to only cover 'tangible' assets such as PCs, laptops and other mobile devices," the report warns.

"Developing exposures have highlighted that electronic data is not always considered to fall under the definition of tangible assets and is just one area where cyber insurance is designed to fill a gap. Some organisations have discovered gaps in what is and isn't covered after an attack. Unfortunately for them, by then it is too late."

The report identified five key issues organisations needed to consider in assessing their cyber risk, including identifying the organisation's tangible assets; evaluating its ability to survive without them; establishing whether it is principally a business-to-business or business-to-consumer operation; evaluating the burden of managing fully automated IT systems; and assessing the privacy and data breach laws for the markets where it operates.

Given the growing tendency towards reporting of data breaches – legislation to this effect is currently being considered in Australia and other jurisdictions – companies need to make sure that their insurance regimes also cover the ancillary effects of such a breach and its aftermath.

These include cover for business interruption; the cost of notifying customers; and the cost of regulatory investigations or actions in the event of a breach, "without the requirement for physical damage that is a standard trigger under property policies."

Other expenses that should be included in cyber-insurance policies include crisis management; hiring a public relations firm to manage a data breach incident; forensic analysis; repairing and restoring computer systems; and the loss of business income resulting from the incident.

"An effective cyber insurance policy will include explicit wording which covers first party and third party claims," the report advises, warning that the nature and scope of cyber-insurance policies must be managed at the business level and not just by the IT organisation.

"Too often the subject of cyber risk management and insurance is seen as a matter for the IT department to manage," the report warns. "However, for an organisation to form a comprehensive cyber risk strategy and to have a strong chance of it succeeding, it is imperative that an organisation's key stakeholders are all involved."

"Organisations need to make informed decisions, while understanding what their assets are and how the organisation would survive without them."

Stories by David Braue