The second annual Cost of Cyber Crime study from a private research organization reported that the median cost of a cyber attack is US $5.9 million. That figure includes regulatory fines, lawsuit costs, brand damage, and repair, recovery, and protection for hardware and software. Although insurance companies are starting to offer more policies that cover such attacks, the premiums are extremely high. I would also like to add that the inconvenience to your customers, and the obligatory training you will need to roll out to your staff post-breach, will result in substantially higher costs.

Many executives believe, erroneously, that cyber attacks on their organizations are covered by standard corporate insurance and general liability policies. Even if they have cyber policies, those policies may not cover all costs associated with a breach. Organizations need to be clear about what coverage they need. Input from those responsible for running the organization's information security systems, and from others in the IT department, can be helpful when deciding on the types of policies and the scope of coverage. This is the critical issue with these policies: business continuity and disaster recovery planning are still required for the organization. Having a policy does not mean you don't have to plan for a disaster or an outage.

"The cyber insurance policies are expensive, cover a shockingly small part of the damage associated with most cyber attacks, and as soon as the insurance companies have to pay damages under one of them, those premiums will go up substantially. Despite those weaknesses, it may make sense to force - through contract language or regulation - cyber insurance to be acquired by organizations handling sensitive data. Insurance can force changes in cyber security that few other forces can enable," said Alan Paller, Director of Research at the SANS Institute.

Read the fine print in the contracts and understand the role of insurance in your business risk management strategy. Insurance is not an excuse to neglect or skimp on robust IT and physical security; it is an attempt to provide some funds to endure an absolutely devastating event in your business history. Many people have the misguided idea that a payment from an insurance company is like winning the lottery. If you ask a close friend of mine, who works as an adjuster for our provincial car insurance corporation, she says "The sense of entitlement that people have when making a claim is unbelievable!"

Most insurance companies will reduce or reject coverage for criminal, willfully negligent, or reckless behavior. Just because you have the best cyber-breach insurance policy does not mean you can open every port on your firewall, or skip patching and updating servers and workstations.

Having a cyber breach insurance policy may be a good idea, especially if you have been diligently executing IT and physical security best practices. The insurance policy is really designed to deal with the unforeseen, such as a zero-day attack, where the breach could not reasonably have been prevented. When making a claim on a cyber breach insurance policy, your IT security staff will have to conduct two investigations: one to find out what happened, and a second to prove, if required, to the insurance company that there was nothing you could reasonably have done to prevent the breach.


http://www.computerworld.com.au/article/413142/do_need_cyberumbrella_/
