Companies Should Protect Themselves With Cyberinsurance, Experts Say
Fear of bad publicity and financial loss is driving more companies to buy cyberinsurance, experts said during a Core Security Technologies webcast Tuesday. “It’s not feasible to manage 100% of cyber risk,” said Tom Kellerman, Core Security Technologies vice president, security awareness. But a combination of self-testing, smart contracting and cyberinsurance can save companies millions, he said.
Organized crime dominates a booming online trade in consumers’ personal data, said Kellerman. These “criminal cyberpersonalities” prefer to pilfer data for profit rather than just knock systems offline for fun and recognition, he said. Bots (zombie PCs) can be bought online for 3 cents, credit card information for $3 and consumers’ full bank account information for about $15, he said. Only about 1 in 5 cybercrime cases are pursued, he said. The Secret Service, FBI and others are “overwhelmed with cases, particularly with child porn, and so a lot of cases under $100,000 are overlooked,” he said.
Companies have to fend off not only organized external attacks but also internal threats, said Kellerman. Employees themselves purposely or inadvertently open Web doors to attackers, Kellerman said. Companies should “understand that there may be spies within the walls,” he said. And increased outsourcing of data and file hosting also puts companies at risk, since contractors’ security policies are not always carefully reviewed, he said. “Get the legal department involved in creating service agreements and make sure you conduct a penetration test” -- a controlled self-hack -- “before signing a contract,” he said.
Even with publicity surrounding prominent threats and breaches, “the cybercrime industry is still relatively new” -- and so is insurance to recoup losses from such attacks, said Jeff Cassidy, Core Security Technologies Vice President, Business Development. Homebuilders buy fire-retardant materials and yet “still know that [they] should buy fire insurance because there’s still some chance,” he said. “That intuitive turning toward insurance hasn’t really reached cyber yet,” he said. George Allport, senior vice president of Chubb & Sons Alternative Risk Group, agreed that “people are turning towards insurance more and more often but there’s been a certain reluctance… There’s been a reliance on system protection.” But over the past two years, his company has seen an “increasing interest” in buying insurance against cyber-related offenses, he said. Media attention is driving companies to assess and cover their risk, he said.
As companies use a variety of contractors and new media devices to hold and share data, “It’s very important that any [insurance] policy respond to loss from a wide array of sources,” said Allport. Perpetrators can gain access through devices including laptops, USB drives and PDAs, and all must be explicitly covered by a cyberinsurance policy, he said. When selecting a policy, companies must factor in post-breach or post-hack public relations costs, advertising expenses and the funding of credit monitoring services for affected customers, he said.