Companies with an online presence need to look beyond conventional insurance policies to ensure they are protected against more than just cyber attacks, a new report from the Centre for Internet Safety (CIS) has warned.
The University of Canberra-based think tank warned in the report that many organisations are unprepared to manage risk from a variety of factors beyond simple cyber attacks. Negligence and human factors accounted for 35% of data breaches in one recent Ponemon Institute-Symantec study, while 29% were due to system glitches and the remaining 36% to the stereotypical malicious attack.
“Traditional business insurance policies have tended to only cover ‘tangible’ assets such as PCs, laptops and other mobile devices,” the report warns.
“Developing exposures have highlighted that electronic data is not always considered to fall under the definition of tangible assets and is just one area where cyber insurance is designed to fill a gap. Some organisations have discovered gaps in what is and isn’t covered after an attack. Unfortunately for them, by then it is too late.”
The report identified five key issues organisations needed to consider in assessing their cyber risk:
- identifying the organisation’s tangible assets
- evaluating its ability to survive without them
- establishing whether it is principally a business-to-business or business-to-consumer operation
- evaluating the burden of managing fully automated IT systems
- assessing the privacy and data breach laws for the markets where it operates.
Companies need to make sure their insurance regimes also cover the ancillary effects of a data breach and its aftermath.
These include:
- cover for business interruption
- the cost of notifying customers
- the cost of regulatory investigations or actions in the event of a breach, “without the requirement for physical damage that is a standard trigger under property policies.”
Other expenses that should be included in cyber-insurance policies include:
- crisis management
- hiring a public relations firm to manage a data breach incident
- forensic analysis
- repairing and restoring computer systems
- the loss of business income resulting from the incident.
“An effective cyber insurance policy will include explicit wording which covers first party and third party claims,” the report advises, warning that the nature and scope of cyber-insurance policies must be managed at the business level and not just by the IT organisation.
The 2012 Verizon Data Breach Investigations Report found that 570 of the 855 recorded incidents targeted businesses with 11 to 100 employees, so the exposure is not confined to large enterprises.