Cyber Insurance: A Pragmatic Approach to a Growing Necessity

Cybersecurity has become an increasing focus of financial regulators. Insurance companies are stepping up to help deal with the risk of cyber attacks. Bruce Carton’s CyberSecurity Docket hosted a great webinar on cyber insurance. These are some of the highlights.


John Reed Stark is President of John Reed Stark Consulting LLC, a data breach incident response and digital compliance firm. 

David R. Fontaine is Executive Vice President, Chief Legal & Administrative Officer and Corporate Secretary of Altegrity, a privately held company that among other entities owns Kroll’s data breach response services. 

The industry has accumulated the actuarial data needed to underwrite the damages and likelihood of a cyberattack. But the market is still very new and evolving. There is no standard policy language.

One focus is what will be covered by the insurance. There are three areas of losses:

  1. liability (lawsuits from customers for the breach)
  2. breach response cost (notifying customers of the breach)
  3. government fines/penalties.

You also need to focus on what triggers the coverage, such as a lost laptop, an internet intrusion, or data sourced from the company.

The coverage will be based on some detailed reps and warranties. You need to make sure they are right and you understand them.

Here is an incident response workflow:

  1. Preserve. Assemble the team, unhook the infected machines
  2. Digital Forensic Analysis: figure out what happened to the machine
  3. Logging analysis: figure out how the machine was accessed
  4. Malware reverse engineering.
  5. Surveillance
  6. Remediation efforts
  7. Exfiltration analysis. Figure out what was taken.
  8. State regulatory analysis. There are 47 different regulatory schemes.
  9. Federal regulatory analysis. Everyone thinks they have jurisdiction.
  10. PCI Compliance, if credit card data was involved
  11. Law enforcement liaison.
  12. Customer notifications

It’s clear that every company is at risk for a cyber attack. If bad guys want to attack, you can’t stop them. Insurance may be able to address some of the risk and damages.


Author: Doug Cornelius
