IBS Journal August 2017


6


by 2025. The insurance industry has designed several products to address specific types of risks. Some of the products are as follows:


• Data breach insurance • Network security liability insurance • Restoration costs for data and programs • Business interruption • Media liability • Hacker theft cover • E-payment liability • Crisis communication


Guidance on buying insurance cover


Despite the magnitude of risks from cyber threats, there is very low awareness at board level about the potential ways of mitigating cyber risks. This is partly due to the technical nature of the product, and partly due to the unavailability of standardised products. Cyber attacks that made global news headlines helped in raising the level of awareness of these risks. After the WannaCry attack in May 2017, which paralysed hospitals in the UK and disrupted transport networks, AIG Asia reported an 87% YoY increase in demand for cyber insurance compared to the same period last year.


insurance need close collaboration at board level


“


Cyber insurance tends to be a bespoke solution for every organisation. Business leaders should ask and review the following questions when selecting cyber risk cover:


• Does the insurance policy cover major areas of risk exposure for the organisation?


• Is the policy standalone or an extension to an existing policy? • Is the policy customised to the specific needs of the organisation?


• What are the deductibles? • What is the extent of coverage to first-party and third-party service providers?


• Does the policy cover malignant attacks by insiders and employees?


• Does it cover a suitable period between actual breach and the date of detection of the breach?


• Are the costs for recovery covered?


Such decisions require a close collaboration between the chief information officer (custodian of IT assets), chief risk officer (responsible for risk mitigation) and the chief financial officer (responsible for financial security). Getting a common view across the leadership team thus becomes a CEO-level agenda item.


An industry survey indicated that policy premium and the breadth of coverage were the two most important factors that determined


Decisions about cyber


Cyber crime on the rise: In January 2017 The Lloyds Banking Group was attacked by cyber criminals attempting to block access to 20 million accounts


the choice of cyber insurance coverage. However, cyber security insurance requires careful consideration of a much wider array of factors. If the organisation does not have internal skills to address these questions, it is advisable to engage a specialist insurance broker who can hand-hold the organisation from purchase of the policy to assistance in getting the claims paid.


Focus areas for underwriting cyber insurance


The unique nature of every client’s IT portfolio also poses a challenge for insurance companies to estimate the risk and underwrite a suitable cover. A cyber insurance provider, like any other insurance company, needs do a pre-assessment of the organisation in terms of its risk profile and risk governance.


• Maturity of IT project delivery, specifically for IT security • Adoption of best practices such as NIST/COBIT • Deployment of IT security management tools • Level of awareness among employees • Adherence to clearly defined policies for safeguarding IT security


• Governance processes e.g. periodic audits and vulnerability tests


By investing in the tools, processes and teams required for ensuring cyber resilience, business leaders can protect the organisation against catastrophe and prepare for a secure future.


www.ibsintelligence.com


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11