With businesses increasingly targeted by sustained cyber-attacks and phishing campaigns, UK companies are rushing to buy cyber insurance policies to protect themselves from financial ruin.
In their haste to purchase cyber insurance, businesses are likely settling for the minimum requirements an insurer demands rather than looking at the best ways to protect enterprise and customer data.
This revelation was made by Char van der Walt of security firm SecureData who told the BBC that businesses are at present in a 'mad panic' to purchase cyber insurance policies.
'Unfortunately this will mean that businesses of all sizes will seek out the minimum cyber-security investment laid out by insurers, government, and regulators, rather than going above and beyond to protect their own, and their customers' data,' he lamented.
Current cyber threats facing businesses include large-scale DDoS attacks that render servers inoperable for long periods; persistent probing by low-profile attackers who continuously test IT systems for exploitable vulnerabilities; sophisticated phishing campaigns designed to fool employees and customers into revealing sensitive data or transferring funds; and malware attacks.
Such threats, coupled with the upcoming Data Protection Law, which will impose heavy fines on enterprises that fail to prevent the loss of customer data in a cyber attack or fail to notify the relevant authorities within 72 hours of becoming aware of such an incident, are forcing businesses to act urgently so that they remain viable in the aftermath of a devastating attack.
However, a cyber insurance policy that is not planned in advance and not tailored to the business's actual requirements could do little in the long run to shield it from enterprising attackers.
'What’s challenging operationally for the entire ecosystem is that the primary buyer of business insurance is the CFO and the risk department that doesn’t know enough about cybersecurity. And it’s being sold to them by an insurance broker who certainly doesn’t know cyber insurance,' said Jeremiah Grossman, chief of security strategy at endpoint security software developer SentinelOne to SearchSecurity.
'Every policy that you’ll read – and I’ve read probably a hundred of them now -- is different. There are no standards. It’s a Wild West out there. In many cases, it looks like they took a property or fire insurance policy and substituted fire with computer, and it doesn’t really map that way.
'When it’s a large policy – let’s say it’s over $100 million – there will be a survey that gets funnelled down to the CISO that says: ‘Tell me about your IT environment,’ which will not move the premium one way or the other. And that’s the last time a CISO ever touches a cyber insurance policy, predominantly,' he added.
The ill effects of a poorly drafted cyber insurance policy will therefore only surface in the aftermath of a cyber-attack. Rather than waiting for that possibility, businesses can act now and prepare for the DPL with plenty of time to spare. Here is what businesses can do if they want their cyber insurance policies to be truly effective in the long run:
1. Let the CISO, who can map out the organisation's digital infrastructure, identify the high-risk areas and choose a cyber insurance policy whose cover is sufficient for the organisation's likely losses following a cyber incident.
2. Review the insurer's track record of reimbursing or assisting other organisations in the same line of business that have suffered cyber incidents in the past.
3. Check that insurers understand the organisation's specific needs, and compare the products offered by different brokers to avoid overspending on policies.