Cyber insurance as the final safeguard

By Armond Caglar on April 9, 2015

Following a string of high-profile data breaches, there has been a lot of debate about the actual cost of a breach and whether investments in improved cybersecurity are even worth the money. Benjamin Dean, a fellow at Columbia University’s School of International and Public Affairs, stirred the pot recently with an interesting financial analysis of the cost of the data breaches suffered by Target, Sony and Home Depot, concluding that the cost of these breaches is fairly insubstantial once payouts from cyberinsurance and breach-related tax deductions are factored in. While this may be true, and while all three companies were indeed able to offset the gross expenses resulting from these events, corporations should resist treating cyber incidents as cavalierly as cost of goods sold, or favoring cyberinsurance and tax deductions over an improved cybersecurity posture. Despite the short-term benefits of such a strategy, a longer-term view must treat cyberinsurance and other write-offs not as the first line of defense, but as the last and final safeguard of an overall risk management plan whose imperative is to protect corporate reputation and customer privacy data.

Cyberinsurance: not the first line of defense

As we have seen from the litany of recent cyberattacks and data breaches, the mere deployment of particular vendor sensors or other piecemeal strategies will not sufficiently reduce the probability of becoming a victim. While cyberinsurance can help offset the financial burden of an attack, it cannot cover all of the associated tangible and intangible costs. For example, although Sony’s expected net cost is likely to be just a tiny fraction of its total revenue, the embarrassing disclosure of offensive personal emails and the private data of 47,000 current and former employees will still be a cost, even if it never appears on the next quarterly financial statement. Eroded employee trust, talent’s potential refusal to associate with the Sony brand and future public avoidance could all be long-term fallout from this attack that is neither covered by insurance nor felt by Sony in the near term. Consider too the consequences of stolen customer privacy data. While corporations may be elated that their net costs can be reduced through insurance and write-offs, such public statements offer little comfort to fuming customers left dealing with the residual fallout of their stolen identities in the hands of enterprising cybercriminals, complications that can persist long after the publication of the next corporate financial forecast.

Proper risk management with cyberinsurance

It is generally not advisable for medical doctors to rely on malpractice insurance in place of purchasing newer medical equipment or receiving better training as a means to avoid a lawsuit. The same applies to corporations navigating the realities of evolving cyberthreats and deciding how to confront them. Cyberinsurance is critical for transferring risk, but the real defense for companies begins with instituting a robust risk management program informed by a complete security assessment relative to their unique threat landscape. This, coupled with the integration of holistic cyber risk solutions and the establishment of a strong cybersecurity culture inside the enterprise, is paramount. Such a plan must go beyond simply meeting acceptable minimum security standards or applicable compliance requirements. It must go deeper, establishing cybersecurity goals and incorporating security best practices, while moving past the traditional preoccupation with endpoint and perimeter defense at the expense of non-technical ingress points. As critical as legacy defenses are, and as evidenced by the vulnerabilities that enabled other catastrophic cyber events in recent months and years, equally dangerous scenarios can and do originate from improper vendor access management, immature or unenforced internal policies and procedures, behavioral precursors of insider threats, and poor employee awareness of the evolving tradecraft phishers use to deceive workforces into letting bad actors onto their networks. Notably, cyberinsurance vendors are becoming better informed and more knowledgeable about cyberthreats. As a consequence, insurers are denying coverage to prospective insureds found to be neglecting minimum security safeguards or failing to demonstrate cyber resilience.
As insurance companies seek to minimize their own risk, there is a growing trend to reward prospective insureds with comprehensive cyberinsurance policies containing fewer exclusions if they can prove to underwriters that mature security practices are in place across the enterprise. This includes a means to continually assess and mitigate risks, as well as the ability to shorten the attack window and get back to business quickly, through sound business continuity plans, should a breach or attack occur.

Risk Assessment for the Cyber Era

In order to receive coverage, a collaborative relationship between the insurance company and the prospective insured should be established, and it must begin early. As part of the process of obtaining coverage, there must be an accurate understanding of the client’s insurability. To achieve this, and because the cyberthreat is pervasive and no company is impervious to it, underwriters must look beyond historic risk to inform their decisions. If we accept that every organization is susceptible to a cyberattack or breach, it is clear that prior incidents cannot serve as legitimate indicators of a company’s propensity for future risk. Similarly, the static security checklists currently used by many insurers, or other assessments devoid of non-technical risk factors, are hardly representative of actual, ever-changing cyber risk. Traditional risk assessment methodologies that rely on these elements to determine insurability in the pre-binding phase are a disservice both to those underwriting the risk and to the prospective insured. This is where organizations can realize the benefits of a holistic cyber risk assessment for the purpose of obtaining cyberinsurance. More often than not, the exfiltration of sensitive data is discovered only after a breach or attack has already occurred, causing long-term value degradation and reputational harm. By conducting a proactive risk assessment before such an incident occurs, an organization gains in-depth intelligence about its highest-priority risks and what is needed to protect against future loss. A complete and thorough pre-binding assessment provides the right data at the right time to inform risk management decisions and align resources with an organization’s highest-priority risks.
Additionally, these assessments must be conducted continuously as part of ongoing risk mitigation in order to demonstrate mature security practices, which indicate an organization’s ability to return to regular operations faster following a cyber incident. For decades, the bargaining power has rested with the insurer. With a revised approach, and in keeping with the demands of today’s cyber landscape, the relationship between insurance companies and the insured becomes collaborative, with both sides working together to identify and mitigate risks and prevent long-term revenue and reputational loss. In this way, cyberinsurance becomes an avenue for companies to improve their cybersecurity, not an excuse to avoid it.

acaglar@advisen.com

Armond Caglar is a senior threat specialist at TSC Advantage and has more than 10 years of experience in public sector intelligence operations, private and international security, and consulting. He is an expert in holistic security, including corporate espionage and insider and third-party threats.