Saturday, 27 April 2024

Security gurus react to CEP's survey on Risk Mitigation through Cyber Insurance

Study - Risk Mitigation through Cyber Insurance

From Lucy Harvey, 9 Feb

The Corporate Executive Programme (CEP) has carried out a study examining current business behaviour towards cyber insurance among large (billion-dollar revenue) and mid-sized (1 million to 1 billion) enterprises in the US and UK.

CEP is a not-for-profit independent organisation which exists to identify new threats and trends in relation to information security and to help organisations deal with them.

The study sheds light on the extent to which specific factors affect an individual business's approach to dedicated cyber insurance, for example business size, sector and the ways companies have organised themselves to manage, and purchase cover for, risk and security.

A copy of the report is attached; key findings include:

- The US had higher levels of dedicated cyber insurance cover than the UK (40% versus 13%).
- 25% of respondents said their organisation had suffered a business-impacting cyber incident within the last year; 30% of these had dedicated cyber insurance.
- Companies that had experienced an incident and had insurance cover had held this cover before the incident.
- The retail sector had the most organisations purchasing cyber cover (37% of those with dedicated cyber insurance in this survey), followed by the finance sector (25%). Self-insurance was mostly done by the manufacturing and finance sectors.
- Every company in the survey had third-party and/or outsourcing deals in place. Of the companies with cyber cover, only 50% did thorough checks to confirm continued insurance cover through the supply chain. 70% of those with no cyber cover reported doing checks to see that their third parties had cyber cover.
- The most popular route for businesses in the billion-pound revenue range was self-insurance (33%), while the most popular for those in the million-pound revenue range was cover through existing business policies (32%). Similar proportions of the two groups had dedicated cyber insurance or no relevant insurance (19% of the £bn companies and 21% of the £m companies in both cases).
- Most heads of information security interviewed did not have knowledge of the types of dedicated cyber insurance products available.

In addition to this, I have also pasted below quotes from security experts on the findings of the study.

Gary Steele, CEO of Proofpoint, said:

"The study reinforces the crucial and direct impact of security on shareholder value. It has been demonstrated repeatedly worldwide that breaches are hugely costly and can jeopardize a company's reputation, brand equity and ultimately their bottom line. Given the stakes, it's surprising that there hasn't been significantly more investment in risk mitigation or direct investment in new security technology."

Amichai Shulman, CTO of Imperva, said:

“The statistic that 25% of respondents said their organisation had suffered a business-impacting cyber incident within the last year, and that 30% of these had dedicated cyber insurance, basically shows that within the set of organizations impacted by an incident the proportion of those who had dedicated cyber insurance is larger than in the general population. It means that insurance companies are not managing their risk properly – they either implicitly encourage organizations to be less diligent or they do not check the posture of organizations who sign up for cyber insurance properly.

Cyber insurance is one piece in the puzzle of managing information security risks within an organization. Most of the pieces are handled by the CISO (or head of information security). If the CISO is not taking part in the discussion or the decision about cyber insurance, then the organization is bound to over-spend and under-spend on the other pieces of the puzzle, providing overall ineffective risk coverage for the organization. For example, if the cyber insurance policy covers certain aspects of the risk, given the existing posture of existing systems, the CISO is better off spending additional funds on the security of new systems (not covered by the policy) rather than existing ones. Another example: if the costs of investigating a breach are covered by the policy, then the CISO should limit the funding of projects aimed at making this task more cost effective.”

Benny Czarny, CEO and President at OPSWAT, said:

“Organizations may be slow to institute cyber insurance because of the difficulty in calculating the risks and balancing those against the cost of the premium. In order to calculate the risk of data breach, companies must evaluate the effectiveness of their implemented security products and processes, which can be extremely difficult. The effectiveness of cyber security products is continuously shifting due to changes in the threat landscape and the ability of cyber security providers to adapt to those changes. In addition, at any given time there are varying assessments of the effectiveness of security products from various third-party testing labs (such as NSS Labs, AV-Comparatives, ICSA Labs, etc.), newly discovered CVEs for those security products, and varying results on detection of outbreaks and new threats. CISOs may find it hard to justify budget for cyber insurance and choose to take more preventive and protective measures such as setting policies for required security products, investing in solutions to monitor and enforce the use of those security products, using a multi-layered security approach, and continuously evaluating the effectiveness of existing and new security products.”

Simon Crosby, co-founder and CTO at Bromium, said:

“Even if your organization has breach insurance, when a breach occurs, it's typically a career-ending move. Nobody wins a promotion because the firm was saved financially when the tabloid front pages crow about a breach. Customer loyalty depends on defending the enterprise - and simply purchasing insurance and hoping for the best is not a viable path. Instead, organizations need to get serious about cyber-defence, and though it is tempting to throw up one's hands and say there's no solution, it is easy to massively increase the cost to an attacker. Bromium uses hardware virtualization features of the CPU to defend each endpoint by design - allowing each endpoint to protect itself from attacks from the web, files and attachments and to automatically report and then discard malware attacks. The endpoints in an organization collaborate to identify and report attacks, and defend themselves - even on unprotected networks.”

Martin Lee, cyber crime manager at Alert Logic, said:

“Cyber security breaches can be costly, high-profile incidents. Organisations suffering a breach may be hit by financial penalties and claims for costs from customers, partners, suppliers and regulatory authorities, as well as incurring significant expense in resolving the incident. As such, it makes perfect sense to mitigate the consequences by taking cyber insurance.

However, cyber insurance should not be seen as a replacement for the implementation of an effective cyber security strategy. In the same way that fire insurance is no replacement for a fire alarm and fire extinguishers, companies considering taking out cyber insurance should ensure that they have the necessary cyber protections in place first.

Companies invest in smoke detectors, flame detectors, automatic sprinkler systems and conduct regular fire drills so that if a fire occurs, the event is quickly identified and appropriately addressed, with staff knowing exactly what to do. The priority is to provide detection and remediation to minimise the consequences of the most common types of fires in business premises. When it comes to cyber security breaches, far too often organisations are blasé or ignorant about the consequences of an attack until it is too late. By not reviewing cyber risk exposure and implementing industry best practices, companies may be doing the cyber equivalent of allowing smoking in the fuel store.

Intrusion detection systems are the fire alarms of the cyber world. However, unlike fire detectors, they often require expert analysis to interpret alerts to determine if a signal is a minor incident that can be easily resolved or evidence of a major attack requiring a major response. Investing in the rapid detection and swift remediation of cyber incidents should be the first priority of any business. Organisations that are unable to deploy the necessary resources themselves can easily partner with a managed service provider who can provide the required skills.

Cyber insurance has its place, but it is as an adjunct to best practices. Would you rather stay in a building with good fire insurance or a fire sprinkler system? Equally, would you rather do business with an organisation possessing good cyber insurance or with a good cyber security implementation?”

Alex Fidgen, Director at MWR InfoSecurity, said:

- The insurance industry does not have the skills to accurately assess cyber risk without partnering with specialist organisations. This is because the issues that need assessing are deeply technical in nature.
- The increasing number of compromised organisations experiencing high-profile incidents demonstrates how misaligned current defensive postures are versus the attackers' advantage. It is going to be hard for an insurance company to assess effectively without a good understanding of the motivations of attackers versus the defensive maturity of the target.
- It is currently very hard for some sectors to defend themselves against advanced threats, as the advantage is consistently with the attacking group.
- In certain instances and sectors, the effect of a cyber breach is not truly understood until years afterwards, when competitive advantage starts to decline. Insuring against this would be nearly impossible, as it would be hard to prove the link conclusively.
- The industry as a whole needs to take an asset-based approach to cyber defence, rather than a blanket approach, which would allow organisations to concentrate their defensive spending better… however, insurance companies would still struggle to assess the effectiveness of these defences without specialist services.
- One answer would be for the insurance companies to formally link with industry bodies such as CREST, to define a basic approach that could start to be used to assess risk, and then apply suitable premiums.
- A company that could show it had achieved a better level of defence could then argue for its premium to be lowered, in line with the industry standard.

Tim Erlin, Director of security and risk at Tripwire, said:

“The 60% of respondents that didn't provide a definite yes or no on cyber cover demonstrate a clear need, coupled with a market underserved by existing products. One of the most effective ways that Information Security can get more involved in the business is to understand how cyber insurance works, what it covers and why it's a difficult problem to solve. Risk transfer, rather than mitigation with tools, is fundamentally a business problem. It's not surprising that retail, an industry hard hit by cyber attacks, has the highest rate of cyber cover, but 37% is still a small number overall. There's a clear connection between the predictable, measurable impact of a data breach and adoption of cyber insurance. When insurance providers can estimate impacts accurately, they can build profitable policies that meet market demand. Organizations should be sure to read the fine print on what risks they are effectively transferring with these policies.”

Many thanks

Lucy

Lucy Harvey
Account Manager
Eskenzi PR Ltd.
Tel: +44 20 71 832 840
Fax: +44 870 7062 809
www.eskenzipr.com
