
Cyber risk management, insuring residual risk

The threat landscape presented by cybercrime should not be underestimated. Organisations face a vast array of internal and external threats. As per NetDiligence’s 2014 Cyber Claims Study, hackers were the most frequent cause of loss at 30%; however, there was insider involvement in 32% of submitted claims. From corporate espionage to staff falling victim to social engineering ploys, the insider threat, whether malicious or not, should not be underestimated. Third parties with access to your systems and data also require special consideration, just ask large US retailer Target. NetDiligence found that third parties caused the compromise in 20% of claims.

There are a number of measures organisations can implement to better manage their cyber risk. It is often that one server that hasn’t been patched, or that one account still using a default password, that results in a breach, and it is for this reason that policies and procedures should be entrenched.

CyGeist recommends considering the following quick wins:

  • Conduct regular staff awareness and training. Reputable service providers can assist with controlled tests such as phishing emails and leaving USB sticks around the office – these generate awareness and are much more memorable than a generic mailshot. The U.S. Department of Homeland Security ran a test by leaving USB sticks around the office, and 60% of staff plugged in the USB stick. The number increased to 90% when the USB stick had a logo on it.

  • Encrypt hard drives, portable storage and mobile devices. Most operating systems and devices provide built-in functionality for encryption.

  • Secure mobile devices – enforce passwords, auto lock and remote wipe capabilities. A staggering number of cell phones and tablets with access to both personal and corporate information are lost daily.

  • Enforce complex passwords. Often people use the same simple passwords for work and personal use, or IT helpdesks reset forgotten passwords to a default without forcing users to change their password at next logon. Most simple passwords can be compromised in seconds.

  • Ensure third parties with access to your systems and data have security controls at least in accordance with your own.

  • Perform employee background checks. Corporate espionage and syndicates planting or corrupting staff within organisations with the intention of stealing data is real and on the rise.

  • Generate and keep logs from sensitive servers and applications. Without such information it may be impossible to investigate the cause, nature and extent of a breach.
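As an added illustration of the password quick win above (this is example code, not code from the article or from CyGeist), the Python below shows what a policy check looks like in practice: minimum length, character classes, a blocklist of passwords that fall to a dictionary attack in seconds, and a pattern for the kind of shared default a helpdesk might reset accounts to. It also shows a reset flow that issues a random one-time password and flags the account as must-change-at-next-logon, the behaviour the article asks for. The blocklist, the default-reset pattern, the `Account` record and the helper names are constructed assumptions; a real deployment would use a full breached-password list and the directory's own must-change flag.

```python
"""Password-policy checks and a helpdesk reset that avoids shared defaults.

Added example, not the article's or CyGeist's code. The blocklist and the
reset pattern are constructed for illustration.
"""
import hashlib
import re
import secrets
import string
from dataclasses import dataclass

MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000

# Constructed, illustrative list of passwords that a dictionary attack finds in seconds.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "welcome1", "changeme", "admin",
}

# Constructed pattern for the kind of default a helpdesk might reset every account to.
HELPDESK_DEFAULT = re.compile(
    r"^(welcome|password|changeme|temp|reset)\d{0,4}[!@#$%]?$", re.IGNORECASE
)


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")

    # Strip trailing digits/symbols so that 'Password1!' is still caught as 'password'.
    stem = candidate.lower().rstrip(string.digits + string.punctuation)
    if candidate.lower() in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")

    if HELPDESK_DEFAULT.match(candidate):
        problems.append("looks like a helpdesk default/reset password")
    return problems


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as '<salt hex>$<digest hex>'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against a stored salted hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return secrets.compare_digest(digest.hex(), digest_hex)


@dataclass
class Account:
    """Hypothetical directory record; only the salted hash is stored."""
    username: str
    password_hash: str
    must_change_at_next_logon: bool = False


def helpdesk_reset(account: Account, length: int = 16) -> str:
    """Reset with a random one-time password (never a shared default) and force a
    change at next logon. Returns the temporary password to hand to the user."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    while True:
        temporary = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(temporary):  # regenerate until it satisfies the policy
            break
    account.password_hash = hash_password(temporary)
    account.must_change_at_next_logon = True
    return temporary


if __name__ == "__main__":
    for pw in ("Password1!", "Welcome123", "correct-Horse-battery-9"):
        print(pw, "->", check_password(pw) or "accepted")
    alice = Account("alice", hash_password("Welcome1"))
    temp = helpdesk_reset(alice)
    print("reset issued, must change at next logon:", alice.must_change_at_next_logon)
```

The check returns every violation rather than stopping at the first, which gives the user (or the helpdesk agent) a complete reason and makes the function easy to assert on in tests. Stripping trailing digits and symbols before the blocklist lookup is what catches the common "append a 1 and an exclamation mark" habit.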

While robust and mature security controls can reduce your cyber risk, they can’t eradicate it. Cyber insurance can assist by addressing the residual risks. Cover varies, but generally includes:

  • Third party claims arising from compromised data/systems;

  • Costs to restore data/systems;

  • Loss of business income as a result of systems downtime;

  • Crisis management expenses, e.g. a PR campaign;

  • Costs to notify regulatory bodies as well as affected third parties of a breach; and

  • Expenses of security specialists, attorneys, forensic investigators and loss adjusters to contain, manage and remediate an incident.

There is a common misconception that traditional insurance provides cover for the above costs. While some traditional policies might have cybercrime extensions, the cover provided by cyber insurance is significantly broader and has been tailored to assist organisations in responding to a breach.

Rather than only covering the insured for direct financial losses, cyber insurance policies cover the resultant expenses of a breach. Furthermore, cover is provided for breaches resulting from cybercrimes committed by external parties, as well as breaches resulting from malicious or negligent acts committed by employees.

Often cyber insurance is structured to provide risk management benefits over and above the risk transfer element, and in that sense is more proactive than traditional insurance policies. When purchasing cyber insurance, one should ask the insurers about the value-added services they offer and make use of these to manage one’s risk.

Ryan van de Coolwijk, director at CyGeist
