With more countries embarking on Smart Nation projects, the number of connected devices and volume of data will only increase. This means that cybercriminals now have an almost infinite number of (often poorly protected) channels to launch their attacks. Underscoring the severity of issue, the Monetary Authority of Singapore (MAS) has urged companies to boost their cybersecurity initiatives, as well as adopt cyber insurance. As such, the market for cyber insurance is expected to reach $7.5 billion in premiums by 2020, with apparent demand by the finance industry, along with a forecast of new investments from the healthcare industry.
While it is good news that companies are taking increased measures by moving toward cyber insurance to underwrite potential losses generated from cyberattacks, such as lawsuits, investigations, and business ramifications from exposed trade secrets, it is important to note that while cyber insurance can help to manage losses, it needs to go hand-in-hand with a robust cybersecurity infrastructure in order to add real value to your business.
Insuring the intangible
Cyber insurance can be likened to fire insurance; most businesses insure and deploy significant detection, prevention and response measures such fire suppression systems, fire resistant materials and fire drills, resulting in maximum risk coverage. In the same vein, companies should prioritize the deployment of a strong cybersecurity infrastructure consisting of robust detection, prevention and incident response measures, which results in an overall effective and efficient risk management plan that lowers your insurance premium too.
The industry is already making great progress to support the distribution of cyber insurance. For example, credit rating services such as FICO Enterprise Security Score allows cyber insurance providers to access cyber infrastructure and measure risk exposure, as well as forecast the likelihood of cybersecurity incidents in order to tailor policies and premiums for companies with different needs.
The next step is for the government to support the cyber insurance ecosystem through the enforcement of mandatory and regulatory laws on cyber security. Such legislation can benefit the industry as a whole as it ensures a minimum standard for any given company’s cyber infrastructure, which enables cyber insurance companies to lower their premiums.
Process, People and Technology
As cyber insurance can be a reasonably large investment for organisations, it is essential for companies to enforce strong cyber security fundamentals and best practises to maximize their dollars. For example, the financial industry is governed by mandatory laws that require banks to retain sensitive customer and transaction information, resulting in higher premiums. However, for businesses that do not revolve around transactions, holding customers’ payment information is counterproductive. Instead, these companies should consider outsourcing payment methods to third party providers, which will take a big amount of risk away.
A strong cybersecurity infrastructure mandates the deployment of more than just anti-virus software and firewalls. Cybercriminals have long advanced their methods of attacks beyond these traditional line of defences and companies need to up the ante when it comes to their cybersecurity technology too. Today, both public and private sectors should look to the next generation of anti-virus (NGAV) and end-point security (NGES), which gives them full visibility from the perimeters to drive their detection and response strategies.
Finally, just like how companies conduct regular fire drills to ensure that employees know how to respond appropriately to a fire incident to minimize damage, the same theory can be applied to a cybersecurity incident response plan. Employees at the IT frontline should be trained to minimize and contain the initial signs of a cyber intrusion, preventing it from escalating to a major breach.
Only with these preventive and risk minimization measures in place, then can cyber insurance truly bring value to your overall cybersecurity management plan.