Companies concerned about their exposure to cyber-security intrusions need to look beyond conventional insurance policies to ensure they are protected against the additional threats of online business, a new report from the Centre for Internet Safety (CIS) has warned.
Noting growing community concern over the privacy risks posed by increasingly online business services, the University of Canberra-based thinktank warned in the report that many organisations are unprepared to manage risk from a variety of factors beyond simple cyber-attacks – negligence and human factors accounted for 35 per cent of data breaches in one recent Ponemon Institute-Symantec study, while 29 per cent were due to system glitches and the remainder due to the stereotypical malicious attack.
Although the extent of the financial risk from such attacks varies depending on the type of organisation and nature of the attack, the study warned that the preponderance of attacks on small businesses – the 2012 Data Breach Investigations Report found 570 of 855 recorded attacks were targeted at businesses with 11 to 100 employees – was indicative of a culture in which the companies least likely to have specific cyber-insurance were at most risk of needing it.
"Traditional business insurance policies have tended to only cover 'tangible' assets such as PCs, laptops and other mobile devices," the report warns.
"Developing exposures have highlighted that electronic data is not always considered to fall under the definition of tangible assets and is just one area where cyber insurance is designed to fill a gap. Some organisations have discovered gaps in what is and isn't covered after an attack. Unfortunately for them, by then it is too late."
The report identified five key issues organisations needed to consider in assessing their cyber risk, including identifying the organisation's tangible assets; evaluating its ability to survive without them; establishing whether it is principally a business-to-business or business-to-consumer operation; evaluating the burden of managing fully automated IT systems; and assessing the privacy and data breach laws for the markets where it operates.
Given the growing tendency towards reporting of data breaches – legislation to this effect is currently being considered in Australia and other jurisdictions – companies need to make sure that their insurance regimes also cover the ancillary effects of such a breach and its aftermath.
These include cover for business interruption; the cost of notifying customers; and the cost of regulatory investigations or actions in the event of a breach, "without the requirement for physical damage that is a standard trigger under property policies."
Other expenses that should be included in cyber-insurance policies include crisis management; hiring a public relations firm to manage a data breach incident; forensic analysis; repairing and restoring computer systems; and the loss of business income resulting from the incident.
"An effective cyber insurance policy will include explicit wording which covers first party and third party claims," the report advises, warning that the nature and scope of cyber-insurance policies must be managed at the business level and not just by the IT organisation.
"Too often the subject of cyber risk management and insurance is seen as a matter for the IT department to manage," the report warns. "However, for an organisation to form a comprehensive cyber risk strategy and to have a strong chance of it succeeding, it is imperative that an organisation's key stakeholders are all involved."
"Organisations need to make informed decisions, while understanding what their assets are and how the organisation would survive without them."