First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

By Ron Richard | October 1, 2012

Do you have or need cyber risks insurance in case of a cyber attack?

A growing number of companies are investing in cyber risks insurance, which offers a degree of protection against the consequences of cyberattacks such as hacking, business disruptions and digital data breaches. Organizations are increasingly buying insurance to protect against losses from computer breaches.
What is a cyber attack?
Techopedia defines a cyberattack as the deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyberattacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft. A cyberattack is also known as a computer network attack (CNA).
Cyberattacks may include the following consequences:

  • Identity theft, fraud, extortion
  • Malware, pharming, phishing, spamming, spoofing, spyware, Trojans and viruses
  • Stolen hardware, such as laptops or mobile devices
  • Denial-of-service and distributed denial-of-service attacks
  • Breach of access
  • Password sniffing
  • System infiltration
  • Website defacement
  • Private and public Web browser exploits
  • Instant messaging abuse
  • Intellectual property (IP) theft or unauthorized access

What is cyber risks insurance?
According to Strategy+Business online,

Cyber policies offer a variety of protections and services — for example, business interruption insurance covers companies’ direct losses from being hacked, and post-breach responses include the hiring of computer forensic experts and the use of credit-monitoring services. Nonetheless, companies taking out such policies can remain exposed to liability, due to a combination of legal gray areas, a still-developing insurance market, and the ever-changing nature of cyber threats.

If cyber risks insurance still leaves an organization exposed to liability, should it have a policy at all? And do organizations actually need it?
Before answering these questions, it is important to understand the issues at hand.
Scott J. Shackelford in his article, Should Your Firm Invest in Cyber Risk Insurance? (Business Horizons, vol. 55, no. 4, July–August 2012) explains,

One of the challenges to putting in place the right protections is that cyber-crime takes many forms. Identity theft costs consumers more than $5 billion a year, the author reports, and costs firms another $48 billion. Fraud is also a major problem, accounting for more than 600,000 complaints and $1.8 billion in claims from businesses in 2008. And as the persistent Operation Aurora attacks on Google and other multinational companies in 2009–10 proved, high-tech criminals are employing a series of sophisticated assaults to capture firms’ intellectual property.

Looking back on this SANS Institute Reading Room 2004 paper on Cyber Risk Insurance, which discusses the implications of insurance and cyber crime coverage and raises awareness of the uncertainties within cyber insurance,

Today, the risks of cyber fraud are ever increasing. They can range from stealthy espionage challenges to drive-by attacks that include denial-of-service and web defacements. Insurers have realized that the General Liability policies of past do not meet the requirements of today’s standards.

Hence the need for more event-specific insurance coverage such as cyber risks policies, which include information property protection and network security and privacy coverage, among others.
But even if an insurance policy could play catch-up with the standards and the increasing threats, the laws around the world relating to privacy and data protection still need to evolve further. There is an even greater need for organizations to implement the minimum standards established by the insurance industry, by privacy law and by existing data protection laws.
According to IT experts, the technology used to create data breaches is changing and developing very quickly. They say that when privacy and security laws were first established, it was to cover computer hacking as a nuisance activity carried out by bored teenagers looking to deface a website or, at worst, disable an e-commerce portal. Today, many of the hackers are sophisticated criminals bent on stealing money or financial and personal information.
For example, the federal Privacy Commissioner has guidelines requiring organizations to notify affected customers following a breach in which personal information is stolen, but there’s no rule about broader public disclosure. Presumably, securities rules around disclosure of material events would cover major network break-ins, but such events are rarely, if ever, mentioned in the financial reports or press releases of Canadian companies.
Legislation is moving towards increased privacy and security standards, and towards requiring private and public companies of all kinds to disclose details of all network breaches resulting in material losses, including the actual costs to the company as well as the nature of the attack.
While this is happening, organizations are trying to figure out their exposure and the potential losses they could face. This requires, among other things, a cyber risk insurance self-assessment. When you assess your risk you have to look both outside the organization and within. You also have to take a close look at your employees to ensure incidents don’t occur.

Performing a self-assessment allows an organization to systematically identify and consider computer security issues. There is great importance that must be given to the process of self-assessment discovery as it becomes the vehicle that will divulge how the business functions and what is needed to ensure that it continues to function after a disruption of services. (SANS Institute Reading Room 2004 paper)

It is appropriate to get in contact with an expert in this area and to schedule an assessment soon, and periodically thereafter.
At this juncture the situation may be getting fairly serious, and if you have not done so yet, getting a cyber policy is a smart move; but it shouldn’t be seen as a replacement for robust online security measures or risk mitigation strategies, experts say.
“But buying a policy should not give companies a false sense of security; strong internal countermeasures are still required,” writes Scott J. Shackelford in Strategy+Business online.
In coming years cyber warfare could very well take on even greater complexity and frequency than has been made public in recent years.
If you are not already exploring this topic, now may be a good time to do so (for example, read The Betterley Report posts, such as this bit of news shared Sept 18, 2012).
Organizations should determine how much peace of mind cyber risks insurance is worth to them.
Ron Richard
Quality Management Specialist

Ron Richard
Ron Richard, Quality, Information Technology and Enterprise Risk Management specialist, has earned professional designations from multiple countries, held positions at most any level, and acquired more than 30 years of relevant experience including related work done at the College of the North Atlantic. Ron is author of Inherent Quality Simplicity and the Inside Internal Control newsletter Modern Quality Management series.