Cyber insurance: Is it enough? Manage risk, review current platforms & Ensure Availability

07 Dec 17

In today's world, where high-profile cyber attacks and security breaches are regular news, would it surprise you to know that cyber insurance, and what is in place around managing such risks, isn't very good?

A few months back, I spoke on Availability and the risk managed approach. Businesses were putting this approach in place around business interruption insurance to minimise the impact of natural disasters and their revenue impact due to downtime.

Natural disasters are often uncontrollable events and it’s all about mitigating risk against their impact. When it comes to security breaches, 55% of all breaches resulting in an impact are from ransomware.

Ransomware makes up 55% of the total attack vector, costing organisations between $100,001 and $500,000 per incident*. So, how can organisations insure themselves against this sort of impact and loss? “...Please enter the room, cyber insurance...”!

At Veeam, I am seeing the same logic being applied across our entire customer base when it comes to managing availability of system and service risk due to security breaches.

Cyber insurance can be a ‘hit and miss’ proposition, hoping your business is covered because of the complexities and pathways involved in security incidents and how an insurer might assess fault.

Fearing coverage is too full of traps for the unwary, a lot of companies have put the issue in the too-hard basket. By this time last year, less than a third of American businesses had cyber insurance at all according to the Council of Insurance Agents and Brokers.

We don't need reminding that cybercrime and security incidents are real, impactful and expensive, thus providing the insurance industry an incentive to transfer a lot of the risk away and help protect their customers against cyber disasters to cover their own financial risk around loss claims and their likelihood.

Partnerships between insurers and customers are needed to further educate on the risk, likelihood, consequence and impact of cyber crime. Such partnerships are likely to only strengthen when there is a joint financial stake.

The addressable market globally for cyber insurance is there, with 80 percent of US insurers seeing it as a growth area. According to PwC, it is going to be worth US$7.5bn by 2020.

Minimising cost, risk and impact: Finding our feet

So why the stalling from both directions? Part of the problem is that cyber insurance is a new and fairly untested business tool. The kind of property and assets insurance you already have doesn't necessarily address cybercrime or revenue loss from system failure or compromise.

We might find ourselves mired in a period of messy legal wrangling before things settle down, the insurance industry deflecting cyber claims while their customers contend they should have been covered for them.

Another reason is that many people in other departments and the C-suite consider this whole area to be IT's problem. Hammering out the best coverage (and what you're actually covered for) should be a multidisciplinary approach with IT, operations, legal and the insurer all taking part.

Also critical once you have the right cover in place is to test it, just like you would your servers and backups. During regular DR or breach exercises, make your insurer part of the formal process – doing so will reveal just how effective your cover is under real world conditions.

And as I've mentioned more than once, it's about more than just ransomware attacks. It is about all top attack vectors that have the ability to interrupt availability of your systems and services.

What if a data restore fails after a breach, or you suffer a data loss from a system failure? Are you insured for the financial fallout? Under some circumstances, local regulations might even compel you to back up offsite or in the cloud, and insurance cover might start to reflect that as the industry matures.

A good insurer will bring their own experience to the table, so use it to draw up, install and formalise the best data availability protection plan. Not only will it let you sleep at night, a rock solid and quantitative data availability plan will reduce your premium!

Malware, natural disasters and simple human error aren't going anywhere, and it's going to become more important to insure against them in the future – historical Business/Service continuity and Disaster Recovery plans will not cut it in a more software defined data centre and/or set of hybrid cloud services.  Your competitors will be ahead of you, and your customers will want to know why before they ultimately switch their consumption of products and services business.

The only requirement here is to review the tools, technologies and platforms that are currently underpinning your applications, services, workloads and data. Are they capable of providing simple, consistent and elastic management across a hybrid cloud environment? Are they software defined? Do they provide both flexibility and integration across an interconnected ecosystem?

My recommendation is to go to the market and seek to understand who is leading, driving and delivering the most innovative and differentiating Availability Platforms for Hybrid Cloud environments.

Discover who more than 75% of the Fortune 500 use as part of their key components to deliver Hybrid Cloud Availability of their virtualised applications, services, data and resources.

Understand those who are working and delivering exceptional customer experience across ALL market segments to implement data availability plans that will not only demystify cyber insurance but also manage your availability risk during impactful incidents and help you usher in a new security age where you’re more protected against threats than ever.

* SANS Institute InfoSec Reading Room: “From the Trenches: SANS 2016 Survey on Security and Risk in the Financial Sector”

Article by Nathan Steiner, head of Systems Engineering, ANZ at Veeam Software.
